fix(security): Handle idn_to_utf8 returning false

Signed-off-by: Joas Schilling <coding@schilljs.com>
2 years ago · 33e1c8b236
parent df7bc46eab
commit 33e1c8b236
3 changed files with 17 additions and 3 deletions
--- a/lib/private/Security/RemoteHostValidator.php
+++ b/lib/private/Security/RemoteHostValidator.php
@ -52,6 +52,10 @@ final class RemoteHostValidator implements IRemoteHostValidator {
 		}

 		$host = idn_to_utf8(strtolower(urldecode($host)));
+		if ($host === false) {
+			return false;
+		}
+
 		// Remove brackets from IPv6 addresses
 		if (str_starts_with($host, '[') && str_ends_with($host, ']')) {
 			$host = substr($host, 1, -1);
--- a/tests/lib/Http/Client/ClientTest.php
+++ b/tests/lib/Http/Client/ClientTest.php
@ -149,6 +149,7 @@ class ClientTest extends \Test\TestCase {
 			['https://service.localhost'],
 			['!@#$', true], // test invalid url
 			['https://normal.host.com'],
+			['https://com.one-.nextcloud-one.com'],
 		];
 	}

--- a/tests/lib/Security/RemoteHostValidatorTest.php
+++ b/tests/lib/Security/RemoteHostValidatorTest.php
@ -60,8 +60,17 @@ class RemoteHostValidatorTest extends TestCase {
 		);
 	}

-	public function testValid(): void {
-		$host = 'nextcloud.com';
+	public function dataValid(): array {
+		return [
+			['nextcloud.com', true],
+			['com.one-.nextcloud-one.com', false],
+		];
+	}
+
+	/**
+	 * @dataProvider dataValid
+	 */
+	public function testValid(string $host, bool $expected): void {
 		$this->hostnameClassifier
 			->method('isLocalHostname')
 			->with($host)
@ -73,7 +82,7 @@ class RemoteHostValidatorTest extends TestCase {

 		$valid = $this->validator->isValid($host);

-		self::assertTrue($valid);
+		self::assertSame($expected, $valid);
 	}

 	public function testLocalHostname(): void {