Add \OCP\IRequest::getHttpProtocol

Only allow valid HTTP protocols.

Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119
Lukas Reschke 2015-10-06 14:18:46 +02:00
parent 4b31b349b8
commit 80a232da6a
3 changed files with 80 additions and 0 deletions


@ -552,6 +552,27 @@ class Request implements \ArrayAccess, \Countable, IRequest {
return 'http'; return 'http';
} }
/**
* Returns the used HTTP protocol.
*
* @return string HTTP protocol. HTTP/2, HTTP/1.1 or HTTP/1.0.
*/
public function getHttpProtocol() {
$claimedProtocol = strtoupper($this->server['SERVER_PROTOCOL']);
$validProtocols = [
'HTTP/1.0',
'HTTP/1.1',
'HTTP/2',
];
if(in_array($claimedProtocol, $validProtocols, true)) {
return $claimedProtocol;
}
return 'HTTP/1.1';
}
/** /**
* Returns the request uri, even if the website uses one or more * Returns the request uri, even if the website uses one or more
* reverse proxies * reverse proxies
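Review bot: `getHttpProtocol()` indexes `$this->server['SERVER_PROTOCOL']` directly on its first line, so a request where that key is not set at all (presumably CLI or cron invocations) raises an undefined-index notice before the allowlist is reached; `$claimedProtocol = isset($this->server['SERVER_PROTOCOL']) ? strtoupper($this->server['SERVER_PROTOCOL']) : '';` keeps that path on the silent fallback. The strict `in_array` allowlist is the actual control here, so a short comment such as `// SERVER_PROTOCOL reflects the client's request line; return only exact allowlisted values` would help prevent it from being loosened to a prefix or regex match later. Separately, some web servers report HTTP/2 as `HTTP/2.0`, which this list turns into `HTTP/1.1`; that is safe, but it is worth confirming the downgrade is intended.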


@ -167,6 +167,14 @@ interface IRequest {
*/ */
public function getServerProtocol(); public function getServerProtocol();
/**
* Returns the used HTTP protocol.
*
* @return string HTTP protocol. HTTP/2, HTTP/1.1 or HTTP/1.0.
* @since 8.2.0
*/
public function getHttpProtocol();
/** /**
* Returns the request uri, even if the website uses one or more * Returns the request uri, even if the website uses one or more
* reverse proxies * reverse proxies
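Review bot: The interface docblock for `getHttpProtocol()` lists the three possible return values but does not say what a caller gets for an unrecognised or missing protocol, and since this is public API the fallback belongs in the contract. A line such as `* Unknown or missing values are reported as HTTP/1.1, so the result is always one of the listed strings.` would let callers place the value in a response status line without re-validating it or reading the implementation.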


@ -497,6 +497,57 @@ class RequestTest extends \Test\TestCase {
$this->assertSame('192.168.0.233', $request->getRemoteAddress()); $this->assertSame('192.168.0.233', $request->getRemoteAddress());
} }
/**
* @return array
*/
public function httpProtocolProvider() {
return [
// Valid HTTP 1.0
['HTTP/1.0', 'HTTP/1.0'],
['http/1.0', 'HTTP/1.0'],
['HTTp/1.0', 'HTTP/1.0'],
// Valid HTTP 1.1
['HTTP/1.1', 'HTTP/1.1'],
['http/1.1', 'HTTP/1.1'],
['HTTp/1.1', 'HTTP/1.1'],
// Valid HTTP 2.0
['HTTP/2', 'HTTP/2'],
['http/2', 'HTTP/2'],
['HTTp/2', 'HTTP/2'],
// Invalid
['HTTp/394', 'HTTP/1.1'],
['InvalidProvider/1.1', 'HTTP/1.1'],
[null, 'HTTP/1.1'],
['', 'HTTP/1.1'],
];
}
/**
* @dataProvider httpProtocolProvider
*
* @param mixed $input
* @param string $expected
*/
public function testGetHttpProtocol($input, $expected) {
$request = new Request(
[
'server' => [
'SERVER_PROTOCOL' => $input,
],
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
$this->assertSame($expected, $request->getHttpProtocol());
}
public function testGetServerProtocolWithOverride() { public function testGetServerProtocolWithOverride() {
$this->config $this->config
->expects($this->at(0)) ->expects($this->at(0))