Skip to content

Allow wildcard * to be used in trusted domains #314

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
LukasReschke merged 5 commits into from
Jul 7, 2016
Merged

Allow wildcard * to be used in trusted domains #314

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
5fb797a
Allow wildcard * to be used in trusted domains, to support setups whe…
jernst Jul 5, 2016
c549b27
Duh, no 'next' in PHP.
jernst Jul 6, 2016
20ebc2a
Trusted domain wildcard checking made shorter, supporting multiple *
jernst Jul 6, 2016
d6e5c4c
Disallow certain malformed domain names even if they match the truste…
jernst Jul 6, 2016
2b96e90
Extended documentation on trusted_domains to cover ports and wildcards.
jernst Jul 7, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Trusted domain wildcard checking made shorter, supporting multiple * 
Added test cases
  • Loading branch information
@jernst
jernst committed Jul 6, 2016
commit 20ebc2a284d3862bce4021914f7e171e530cf857
40 changes: 8 additions & 32 deletions lib/private/Security/TrustedDomainHelper.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ public function isTrustedDomain($domainWithPort) {

// Read trusted domains from config
$trustedList = $this->config->getSystemValue('trusted_domains', []);
if(!is_array($trustedList)) {
if (!is_array($trustedList)) {
return false;
}

Expand All @@ -79,39 +79,15 @@ public function isTrustedDomain($domainWithPort) {
return true;
}

// Compare with port appended
if(in_array($domainWithPort, $trustedList, true)) {
return true;
}

if(in_array($domain, $trustedList, true)) {
return true;
}

// If a value contains a *, apply glob-style matching. Any second * is ignored.
foreach ($trustedList as $trusted) {
if($trusted === '*') {
// match, allowing for * wildcards
foreach ($trustedList as $trusted) {
if (gettype($trusted) !== 'string') {
break;
}
$regex = '/^' . join('.*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/';
if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) {
return true;
}
$star = strpos($trusted, '*');
if($star === false) {
break;
}
if($star === 0) {
if(strrpos($domain, substr($trusted, 1)) !== false) {
return true;
}
} elseif($star === strlen($trusted)-1) {
if(strpos($domain, substr($trusted, 0, strlen($trusted)-1 )) !== false) {
return true;
}
} else {
if(strpos($domain, substr($trusted, 0, $star)) !== false
&& strrpos($domain, substr($trusted, $star+1 ), -strlen($trusted-$star-1)) !== false )
{
return true;
}
}
}
return false;
}
Expand Down
27 changes: 26 additions & 1 deletion tests/lib/Security/TrustedDomainHelperTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,11 @@ public function trustedDomainDataProvider() {
'host.two.test',
'[1fff:0:a88:85a3::ac1f]',
'host.three.test:443',
'*.leading.host',
'trailing.host*',
'cen*ter',
'*.leadingwith.port:123',
'trailingwith.port*:456',
];
return [
// empty defaults to false with 8.1
Expand Down Expand Up @@ -76,7 +81,27 @@ public function trustedDomainDataProvider() {
[$trustedHostTestList, 'localhost: evil.host', false],
// do not trust casting
[[1], '1', false],
// leading *
[$trustedHostTestList, 'abc.leading.host', true],
[$trustedHostTestList, 'abc.def.leading.host', true],
[$trustedHostTestList, 'abc.def.leading.host.another', false],
[$trustedHostTestList, 'abc.def.leading.host:123', true],
[$trustedHostTestList, 'leading.host', false],
// trailing *
[$trustedHostTestList, 'trailing.host', true],
[$trustedHostTestList, 'trailing.host.abc', true],
[$trustedHostTestList, 'trailing.host.abc.def', true],
[$trustedHostTestList, 'trailing.host.abc:123', true],
[$trustedHostTestList, 'another.trailing.host', false],
// center *
[$trustedHostTestList, 'center', true],
[$trustedHostTestList, 'cenxxxter', true],
[$trustedHostTestList, 'cen.x.y.ter', true],
// with port
[$trustedHostTestList, 'abc.leadingwith.port:123', true],
[$trustedHostTestList, 'abc.leadingwith.port:1234', false],
[$trustedHostTestList, 'trailingwith.port.abc:456', true],
[$trustedHostTestList, 'trailingwith.port.abc:123', false],
];
}

}