Merge pull request #42005 from nextcloud/backport/41999/stable28

[stable28] fix(security): Handle idn_to_utf8 returning false

Author: nickvergessen

lib/private/Security/RemoteHostValidator.php

@@ -52,6 +52,10 @@ public function isValid(string $host): bool {
 		}
 
 		$host = idn_to_utf8(strtolower(urldecode($host)));
+		if ($host === false) {
+			return false;
+		}
+
 		// Remove brackets from IPv6 addresses
 		if (str_starts_with($host, '[') && str_ends_with($host, ']')) {
 			$host = substr($host, 1, -1);

tests/lib/Http/Client/ClientTest.php

@@ -149,6 +149,7 @@ public function dataPreventLocalAddress():array {
 			['https://service.localhost'],
 			['!@#$', true], // test invalid url
 			['https://normal.host.com'],
+			['https://com.one-.nextcloud-one.com'],
 		];
 	}
 

tests/lib/Security/RemoteHostValidatorTest.php

@@ -60,8 +60,17 @@ protected function setUp(): void {
 		);
 	}
 
-	public function testValid(): void {
-		$host = 'nextcloud.com';
+	public function dataValid(): array {
+		return [
+			['nextcloud.com', true],
+			['com.one-.nextcloud-one.com', false],
+		];
+	}
+
+	/**
+	 * @dataProvider dataValid
+	 */
+	public function testValid(string $host, bool $expected): void {
 		$this->hostnameClassifier
 			->method('isLocalHostname')
 			->with($host)
@@ -73,7 +82,7 @@ public function testValid(): void {
 
 		$valid = $this->validator->isValid($host);
 
-		self::assertTrue($valid);
+		self::assertSame($expected, $valid);
 	}
 
 	public function testLocalHostname(): void {