@@ -225,14 +225,25 @@ private function queryWebcalFeed(array $subscription, array &$mutations) {
225225 }
226226
227227 if ($ allowLocalAccess'yes ' ) {
228- $ hostparse_url ($ urlPHP_URL_HOST );
228+ $ hoststrtolower ( parse_url ($ urlPHP_URL_HOST ) );
229229 // remove brackets from IPv6 addresses
230230 if (strpos ($ host'[ ' ) === 0 && substr ($ host1 ) === '] ' ) {
231231 $ hostsubstr ($ host1 , -1 );
232232 }
233233
234- if ($ host'localhost ' || substr ($ host6 ) === '.local ' || substr ($ host10 ) === '.localhost ' ||
235- preg_match ('/(^127\.)|(^192\.168\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^::1$)|(^[fF][cCdD])/ ' , $ host
234+ // Disallow localhost and local network
235+ if ($ host'localhost ' || substr ($ host6 ) === '.local ' || substr ($ host10 ) === '.localhost ' ) {
236+ $ this logger ->warning ("Subscription $ subscriptionId was not refreshed because it violates local access rules " );
237+ return null ;
238+ }
239+
240+ // Disallow hostname only
241+ if (substr_count ($ host'. ' ) === 0 ) {
242+ $ this logger ->warning ("Subscription $ subscriptionId was not refreshed because it violates local access rules " );
243+ return null ;
244+ }
245+
246+ if ((bool )filter_var ($ hostFILTER_VALIDATE_IP ) && !filter_var ($ hostFILTER_VALIDATE_IP , FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE )) {
236247 $ this logger ->warning ("Subscription $ subscriptionId was not refreshed because it violates local access rules " );
237248 return null ;
238249 }
0 commit comments