Merge pull request #314 from jernst/master
Allow wildcard * to be used in trusted domains
This commit is contained in:
commit
c8ba8f637e
|
@ -58,6 +58,12 @@ $CONFIG = array(
|
|||
* Your list of trusted domains that users can log into. Specifying trusted
|
||||
* domains prevents host header poisoning. Do not remove this, as it performs
|
||||
* necessary security checks.
|
||||
* You can specify:
|
||||
* - the exact hostname of your host or virtual host, e.g. demo.example.org.
|
||||
* - the exact hostname with permitted port, e.g. demo.example.org:443.
|
||||
* This disallows all other ports on this host
|
||||
* - use * as a wildcard, e.g. ubos-raspberry-pi*.local will allow
|
||||
* ubos-raspberry-pi.local and ubos-raspberry-pi-2.local
|
||||
*/
|
||||
'trusted_domains' =>
|
||||
array (
|
||||
|
|
|
@ -70,7 +70,7 @@ class TrustedDomainHelper {
|
|||
|
||||
// Read trusted domains from config
|
||||
$trustedList = $this->config->getSystemValue('trusted_domains', []);
|
||||
if(!is_array($trustedList)) {
|
||||
if (!is_array($trustedList)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -78,13 +78,20 @@ class TrustedDomainHelper {
|
|||
if (preg_match(Request::REGEX_LOCALHOST, $domain) === 1) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Compare with port appended
|
||||
if(in_array($domainWithPort, $trustedList, true)) {
|
||||
return true;
|
||||
// Reject misformed domains in any case
|
||||
if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return in_array($domain, $trustedList, true);
|
||||
// Match, allowing for * wildcards
|
||||
foreach ($trustedList as $trusted) {
|
||||
if (gettype($trusted) !== 'string') {
|
||||
break;
|
||||
}
|
||||
$regex = '/^' . join('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/';
|
||||
if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -49,6 +49,11 @@ class TrustedDomainHelperTest extends \Test\TestCase {
|
|||
'host.two.test',
|
||||
'[1fff:0:a88:85a3::ac1f]',
|
||||
'host.three.test:443',
|
||||
'*.leading.host',
|
||||
'trailing.host*',
|
||||
'cen*ter',
|
||||
'*.leadingwith.port:123',
|
||||
'trailingwith.port*:456',
|
||||
];
|
||||
return [
|
||||
// empty defaults to false with 8.1
|
||||
|
@ -76,7 +81,31 @@ class TrustedDomainHelperTest extends \Test\TestCase {
|
|||
[$trustedHostTestList, 'localhost: evil.host', false],
|
||||
// do not trust casting
|
||||
[[1], '1', false],
|
||||
// leading *
|
||||
[$trustedHostTestList, 'abc.leading.host', true],
|
||||
[$trustedHostTestList, 'abc.def.leading.host', true],
|
||||
[$trustedHostTestList, 'abc.def.leading.host.another', false],
|
||||
[$trustedHostTestList, 'abc.def.leading.host:123', true],
|
||||
[$trustedHostTestList, 'leading.host', false],
|
||||
// trailing *
|
||||
[$trustedHostTestList, 'trailing.host', true],
|
||||
[$trustedHostTestList, 'trailing.host.abc', true],
|
||||
[$trustedHostTestList, 'trailing.host.abc.def', true],
|
||||
[$trustedHostTestList, 'trailing.host.abc:123', true],
|
||||
[$trustedHostTestList, 'another.trailing.host', false],
|
||||
// center *
|
||||
[$trustedHostTestList, 'center', true],
|
||||
[$trustedHostTestList, 'cenxxxter', true],
|
||||
[$trustedHostTestList, 'cen.x.y.ter', true],
|
||||
// with port
|
||||
[$trustedHostTestList, 'abc.leadingwith.port:123', true],
|
||||
[$trustedHostTestList, 'abc.leadingwith.port:1234', false],
|
||||
[$trustedHostTestList, 'trailingwith.port.abc:456', true],
|
||||
[$trustedHostTestList, 'trailingwith.port.abc:123', false],
|
||||
// bad hostname
|
||||
[$trustedHostTestList, '-bad', false],
|
||||
[$trustedHostTestList, '-bad.leading.host', false],
|
||||
[$trustedHostTestList, 'bad..der.leading.host', false],
|
||||
];
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue