From 66a134e69e45cfe507c19983760035a3beb48f8a Mon Sep 17 00:00:00 2001
From: Johannes Ernst <jernst@indiecomputing.com>
Date: Wed, 6 Jul 2016 23:51:04 +0000
Subject: [PATCH] Disallow certain malformed domain names even if they match
 the trusted domain expression Stricter checking for valid domain names

---
 lib/private/Security/TrustedDomainHelper.php   | 9 ++++++---
 tests/lib/Security/TrustedDomainHelperTest.php | 4 ++++
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/lib/private/Security/TrustedDomainHelper.php b/lib/private/Security/TrustedDomainHelper.php
index 44e133746fd..cf4def63dd3 100644
--- a/lib/private/Security/TrustedDomainHelper.php
+++ b/lib/private/Security/TrustedDomainHelper.php
@@ -78,13 +78,16 @@ class TrustedDomainHelper {
 		if (preg_match(Request::REGEX_LOCALHOST, $domain) === 1) {
 			return true;
 		}
-
-		// match, allowing for * wildcards
+		// Reject misformed domains in any case
+		if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false) {
+			return false;
+		}
+		// Match, allowing for * wildcards
 		foreach ($trustedList as $trusted) {
 			if (gettype($trusted) !== 'string') {
 				break;
 			}
-			$regex = '/^' . join('.*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/';
+			$regex = '/^' . join('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/';
 			if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) {
  				return true;
  			}
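Review bot: The malformed-host guard added before the wildcard loop rejects only a hyphen at the very start of `$domain` and a `..` sequence, so a host with a leading dot, or with a hyphen at a label boundary (`.-` or `-.`), still reaches the loop. There the new wildcard class `[-\.a-zA-Z0-9]*` accepts both `-` and `.` and also matches the empty string. Checking the label boundaries in one place would close that gap, for example `if (preg_match('/^[-.]|\.\.|\.-|-\./', $domain) === 1) { return false; }`. The generated pattern is also anchored with `$` and has no `D` modifier, which lets a trailing newline through; ending it with `\z/` instead of `$/` is stricter. The function starts and ends outside this hunk, so whether `$domain` is normalised earlier cannot be confirmed from here.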
diff --git a/tests/lib/Security/TrustedDomainHelperTest.php b/tests/lib/Security/TrustedDomainHelperTest.php
index 6c254dcaa79..1beb7a66717 100644
--- a/tests/lib/Security/TrustedDomainHelperTest.php
+++ b/tests/lib/Security/TrustedDomainHelperTest.php
@@ -102,6 +102,10 @@ class TrustedDomainHelperTest extends \Test\TestCase {
 			[$trustedHostTestList, 'abc.leadingwith.port:1234', false],
 			[$trustedHostTestList, 'trailingwith.port.abc:456', true],
 			[$trustedHostTestList, 'trailingwith.port.abc:123', false],
+			// bad hostname
+			[$trustedHostTestList, '-bad', false],
+			[$trustedHostTestList, '-bad.leading.host', false],
+			[$trustedHostTestList, 'bad..der.leading.host', false],
 		];
 	}
 }
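Review bot: The three added cases exercise only the early reject on a leading hyphen and on `..`; nothing covers the narrowed wildcard class from the helper change, so a regression back to `.*` would still pass this provider. Assuming `$trustedHostTestList` (defined outside this hunk) holds a `*.leading.host`-style entry, as the new host names suggest, a constructed case such as `[$trustedHostTestList, 'b@d.leading.host', false],` would pin it. A short comment on each case naming the rule it tests (leading hyphen, empty label) would also say more than the single `// bad hostname`.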
-- 
GitLab