Acasă Explorează Ajutor
Autentificare
RISCI_ATOM
/
nextcloud-server
oglindă de https://github.com/nextcloud/server.git
1
0
Bifurcare 0
Fisiere Probleme 23 Wiki
Arbore: da34d4c1ff
Ramuri Etichete
nextcloud-serve...
/
lib
/
private
/
Security
/
TrustedDomainHelper.php

TrustedDomainHelper.php 2.2 KB
Istoric Crud

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. /**
    5. 

  5.  * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
    6. 

  6.  * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
    7. 

  7.  * SPDX-License-Identifier: AGPL-3.0-only
    8. 

  8.  */
    9. 

  9. namespace OC\Security;
    10. 

  10. 

  11. use OC\AppFramework\Http\Request;
    12. 

  12. use OCP\IConfig;
    13. 

  13. use OCP\Security\ITrustedDomainHelper;
    14. 

  14. 

  15. class TrustedDomainHelper implements ITrustedDomainHelper {
    16. 

  16. 	public function __construct(
    17. 

  17. 		private IConfig $config,
    18. 

  18. 	) {
    19. 

  19. 	}
    20. 

  20. 

  21. 	/**
    22. 

  22. 	 * Strips a potential port from a domain (in format domain:port)
    23. 

  23. 	 * @return string $host without appended port
    24. 

  24. 	 */
    25. 

  25. 	private function getDomainWithoutPort(string $host): string {
    26. 

  26. 		$pos = strrpos($host, ':');
    27. 

  27. 		if ($pos !== false) {
    28. 

  28. 			$port = substr($host, $pos + 1);
    29. 

  29. 			if (is_numeric($port)) {
    30. 

  30. 				$host = substr($host, 0, $pos);
    31. 

  31. 			}
    32. 

  32. 		}
    33. 

  33. 		return $host;
    34. 

  34. 	}
    35. 

  35. 

  36. 	/**
    37. 

  37. 	 * {@inheritDoc}
    38. 

  38. 	 */
    39. 

  39. 	public function isTrustedUrl(string $url): bool {
    40. 

  40. 		$parsedUrl = parse_url($url);
    41. 

  41. 		if (empty($parsedUrl['host'])) {
    42. 

  42. 			return false;
    43. 

  43. 		}
    44. 

  44. 

  45. 		if (isset($parsedUrl['port']) && $parsedUrl['port']) {
    46. 

  46. 			return $this->isTrustedDomain($parsedUrl['host'] . ':' . $parsedUrl['port']);
    47. 

  47. 		}
    48. 

  48. 

  49. 		return $this->isTrustedDomain($parsedUrl['host']);
    50. 

  50. 	}
    51. 

  51. 

  52. 	/**
    53. 

  53. 	 * {@inheritDoc}
    54. 

  54. 	 */
    55. 

  55. 	public function isTrustedDomain(string $domainWithPort): bool {
    56. 

  56. 		// overwritehost is always trusted
    57. 

  57. 		if ($this->config->getSystemValue('overwritehost') !== '') {
    58. 

  58. 			return true;
    59. 

  59. 		}
    60. 

  60. 

  61. 		$domain = $this->getDomainWithoutPort($domainWithPort);
    62. 

  62. 

  63. 		// Read trusted domains from config
    64. 

  64. 		$trustedList = $this->config->getSystemValue('trusted_domains', []);
    65. 

  65. 		if (!is_array($trustedList)) {
    66. 

  66. 			return false;
    67. 

  67. 		}
    68. 

  68. 

  69. 		// Always allow access from localhost
    70. 

  70. 		if (preg_match(Request::REGEX_LOCALHOST, $domain) === 1) {
    71. 

  71. 			return true;
    72. 

  72. 		}
    73. 

  73. 		// Reject malformed domains in any case
    74. 

  74. 		if (str_starts_with($domain, '-') || str_contains($domain, '..')) {
    75. 

  75. 			return false;
    76. 

  76. 		}
    77. 

  77. 		// Match, allowing for * wildcards
    78. 

  78. 		foreach ($trustedList as $trusted) {
    79. 

  79. 			if (gettype($trusted) !== 'string') {
    80. 

  80. 				break;
    81. 

  81. 			}
    82. 

  82. 			$regex = '/^' . implode('[-\.a-zA-Z0-9]*', array_map(function ($v) {
    83. 

  83. 				return preg_quote($v, '/');
    84. 

  84. 			}, explode('*', $trusted))) . '$/i';
    85. 

  85. 			if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) {
    86. 

  86. 				return true;
    87. 

  87. 			}
    88. 

  88. 		}
    89. 

  89. 		return false;
    90. 

  90. 	}
    91. 

  91. }
    92.