Unverified Commit 8331d829 authored by Daniel Kesselberg's avatar Daniel Kesselberg

Make getServerHost more robust to faulty user input

parent 5de3ea04
...@@ -904,14 +904,14 @@ class Request implements \ArrayAccess, \Countable, IRequest { ...@@ -904,14 +904,14 @@ class Request implements \ArrayAccess, \Countable, IRequest {
$trustedDomainHelper = new TrustedDomainHelper($this->config); $trustedDomainHelper = new TrustedDomainHelper($this->config);
if ($trustedDomainHelper->isTrustedDomain($host)) { if ($trustedDomainHelper->isTrustedDomain($host)) {
return $host; return $host;
} else {
$trustedList = $this->config->getSystemValue('trusted_domains', []);
if(!empty($trustedList)) {
return $trustedList[0];
} else {
return '';
}
} }
$trustedList = (array)$this->config->getSystemValue('trusted_domains', []);
if (count($trustedList) > 0) {
return reset($trustedList);
}
return '';
} }
/** /**
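Review bot: `reset($trustedList)` on the new fallback line returns whatever the first configured entry happens to be, so a trusted_domains value that is not a flat list of strings (an int, or a list whose first element is itself an array — both of which the `(array)` cast accepts) leaves getServerHost as a non-string; guard it with `$first = reset($trustedList); return is_string($first) ? $first : '';`. The fallback is the security-relevant branch (it is what keeps a client-supplied Host header out of generated URLs), so a one-line comment stating that intent would help the next reader: `// Host header is untrusted: use the first configured trusted domain instead of the client-supplied value`. If the configuration format allows pattern entries in trusted_domains (I cannot confirm that from the hunk), the first entry may also not be a usable host name, which is worth a note in the same comment. getServerHost begins outside the hunk.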
...@@ -1222,6 +1222,52 @@ class RequestTest extends \Test\TestCase { ...@@ -1222,6 +1222,52 @@ class RequestTest extends \Test\TestCase {
$this->assertSame('', $request->getServerHost()); $this->assertSame('', $request->getServerHost());
} }
/**
* @return array
*/
public function dataGetServerHostTrustedDomain() {
return [
'is array' => ['my.trusted.host', ['my.trusted.host']],
'is array but undefined index 0' => ['my.trusted.host', [2 => 'my.trusted.host']],
'is string' => ['my.trusted.host', 'my.trusted.host'],
'is null' => ['', null],
];
}
/**
* @dataProvider dataGetServerHostTrustedDomain
* @param $expected
* @param $trustedDomain
*/
public function testGetServerHostTrustedDomain($expected, $trustedDomain) {
$this->config
->method('getSystemValue')
->willReturnCallback(function ($key, $default) use ($trustedDomain) {
if ($key === 'trusted_proxies') {
return ['1.2.3.4'];
}
if ($key === 'trusted_domains') {
return $trustedDomain;
}
return $default;
});
$request = new Request(
[
'server' => [
'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
'REMOTE_ADDR' => '1.2.3.4',
],
],
$this->secureRandom,
$this->config,
$this->csrfTokenManager,
$this->stream
);
$this->assertSame($expected, $request->getServerHost());
}
public function testGetOverwriteHostDefaultNull() { public function testGetOverwriteHostDefaultNull() {
$this->config $this->config
->expects($this->once()) ->expects($this->once())
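Review bot: The new docblocks leave the parameters untyped — `@param $expected` and `@param $trustedDomain` on testGetServerHostTrustedDomain, and a bare `@return array` on dataGetServerHostTrustedDomain; write `@param string $expected`, `@param string[]|string|null $trustedDomain` and `@return array<string, array{string, string[]|string|null}>` so the provider's contract is checkable by static analysis. The provider also has no dataset for a config value that is neither a string nor an array of strings (an int, or a list whose first element is not a string), which is exactly where the `(array)` cast followed by `reset()` in getServerHost could hand back something other than a string; a case such as `'is int' => ['', 42]` would pin the intended fallback. I cannot tell from the hunk whether such values are already rejected by config validation before they reach getServerHost.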