Do only follow HTTP and HTTPS redirects

We do not want to follow redirects to other protocols since they might allow an adversary to bypass network restrictions. (i.e. a redirect to ftp:// might be used to access files of a FTP server which might be in a secure zone and not be reachable from the net but from the ownCloud server)

Get final redirect manually using get_headers()

Migrate to HTTPHelper class and add unit tests
remotes/origin/fix-10825
Lukas Reschke 10 years ago
parent 70937dabcd
commit 6eeb905871
  1. 9
      apps/files/ajax/newfile.php
  2. 4
      lib/private/files/storage/dav.php
  3. 177
      lib/private/httphelper.php
  4. 12
      lib/private/server.php
  5. 2
      lib/private/user/http.php
  6. 100
      lib/private/util.php
  7. 6
      lib/public/iservercontainer.php
  8. 88
      tests/lib/httphelper.php

@ -46,6 +46,7 @@ function progress($notification_code, $severity, $message, $message_code, $bytes
}
}
$l10n = \OC::$server->getL10N('files');
$result = array(
@ -93,7 +94,8 @@ if (\OC\Files\Filesystem::file_exists($target)) {
}
if($source) {
if(substr($source, 0, 8)!='https://' and substr($source, 0, 7)!='http://') {
$httpHelper = \OC::$server->getHTTPHelper();
if(!$httpHelper->isHTTPURL($source)) {
OCP\JSON::error(array('data' => array('message' => $l10n->t('Not a valid source'))));
exit();
}
@ -104,7 +106,10 @@ if($source) {
exit();
}
$ctx = stream_context_create(null, array('notification' =>'progress'));
$source = $httpHelper->getFinalLocationOfURL($source);
$ctx = stream_context_create(\OC::$server->getHTTPHelper()->getDefaultContextArray(), array('notification' =>'progress'));
$sourceStream=@fopen($source, 'rb', false, $ctx);
$result = 0;
if (is_resource($sourceStream)) {

@ -177,6 +177,8 @@ class DAV extends \OC\Files\Storage\Common {
curl_setopt($curl, CURLOPT_URL, $this->createBaseUri() . $this->encodePath($path));
curl_setopt($curl, CURLOPT_FILE, $fp);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_setopt($curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
if ($this->secure === true) {
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
@ -282,6 +284,8 @@ class DAV extends \OC\Files\Storage\Common {
curl_setopt($curl, CURLOPT_INFILESIZE, filesize($path));
curl_setopt($curl, CURLOPT_PUT, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_setopt($curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
if ($this->secure === true) {
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);

@ -0,0 +1,177 @@
<?php
/**
* Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or
* later.
* See the COPYING-README file.
*/
namespace OC;
class HTTPHelper {
const USER_AGENT = 'ownCloud Server Crawler';
/** @var \OC\AllConfig */
private $config;
/**
* @param \OC\AllConfig $config
*/
public function __construct(AllConfig $config) {
$this->config = $config;
}
/**
* Returns the default context array
* @return array
*/
public function getDefaultContextArray() {
return array(
'http' => array(
'header' => 'User-Agent: ' . self::USER_AGENT . "\r\n",
'timeout' => 10,
'follow_location' => false, // Do not follow the location since we can't limit the protocol
),
'ssl' => array(
'disable_compression' => true
)
);
}
/**
* Get URL content
* @param string $url Url to get content
* @throws \Exception If the URL does not start with http:// or https://
* @return string of the response or false on error
* This function get the content of a page via curl, if curl is enabled.
* If not, file_get_contents is used.
*/
public function getUrlContent($url) {
if (!$this->isHTTPURL($url)) {
throw new \Exception('$url must start with https:// or http://', 1);
}
$proxy = $this->config->getSystemValue('proxy', null);
$proxyUserPwd = $this->config->getSystemValue('proxyuserpwd', null);
if (function_exists('curl_init')) {
$curl = curl_init();
$max_redirects = 10;
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_setopt($curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_setopt($curl, CURLOPT_USERAGENT, self::USER_AGENT);
if ($proxy !== null) {
curl_setopt($curl, CURLOPT_PROXY, $proxy);
}
if ($proxyUserPwd !== null) {
curl_setopt($curl, CURLOPT_PROXYUSERPWD, $proxyUserPwd);
}
if (ini_get('open_basedir') === '' && (ini_get('safe_mode') === false) || strtolower(ini_get('safe_mode')) === 'off') {
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_MAXREDIRS, $max_redirects);
$data = curl_exec($curl);
} else {
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false);
$mr = $max_redirects;
if ($mr > 0) {
$newURL = curl_getinfo($curl, CURLINFO_EFFECTIVE_URL);
$rcurl = curl_copy_handle($curl);
curl_setopt($rcurl, CURLOPT_HEADER, true);
curl_setopt($rcurl, CURLOPT_NOBODY, true);
curl_setopt($rcurl, CURLOPT_FORBID_REUSE, false);
curl_setopt($rcurl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($rcurl, CURLOPT_USERAGENT, self::USER_AGENT);
do {
curl_setopt($rcurl, CURLOPT_URL, $newURL);
$header = curl_exec($rcurl);
if (curl_errno($rcurl)) {
$code = 0;
} else {
$code = curl_getinfo($rcurl, CURLINFO_HTTP_CODE);
if ($code == 301 || $code == 302) {
preg_match('/Location:(.*?)\n/', $header, $matches);
$newURL = trim(array_pop($matches));
} else {
$code = 0;
}
}
} while ($code && --$mr);
curl_close($rcurl);
if ($mr > 0) {
curl_setopt($curl, CURLOPT_URL, $newURL);
}
}
if ($mr == 0 && $max_redirects > 0) {
$data = false;
} else {
$data = curl_exec($curl);
}
}
curl_close($curl);
} else {
$url = $this->getFinalLocationOfURL($url);
$contextArray = $this->getDefaultContextArray();
if ($proxy !== null) {
$contextArray['http']['proxy'] = $proxy;
}
$ctx = stream_context_create(
$contextArray
);
$data = @file_get_contents($url, 0, $ctx);
}
return $data;
}
/**
* Returns the response headers of a HTTP URL without following redirects
* @param string $location Needs to be a HTTPS or HTTP URL
* @return array
*/
public function getHeaders($location) {
stream_context_set_default($this->getDefaultContextArray());
return get_headers($location, 1);
}
/**
* Checks whether the supplied URL begins with HTTPS:// or HTTP:// (case insensitive)
* @param string $url
* @return bool
*/
public function isHTTPURL($url) {
return stripos($url, 'https://') === 0 || stripos($url, 'http://') === 0;
}
/**
* Returns the last HTTP or HTTPS site the request has been redirected too using the Location HTTP header
* This is a very ugly workaround about the missing functionality to restrict fopen() to protocols
* @param string $location Needs to be a HTTPS or HTTP URL
* @throws \Exception In case the initial URL is not a HTTP or HTTPS one
* @return string
*/
public function getFinalLocationOfURL($location) {
if(!$this->isHTTPURL($location)) {
throw new \Exception('URL must begin with HTTPS or HTTP.');
}
$headerArray = $this->getHeaders($location, 1);
if($headerArray !== false && isset($headerArray['Location'])) {
while($this->isHTTPURL($headerArray['Location'])) {
$location = $headerArray['Location'];
$headerArray = $this->getHeaders($location);
}
}
return $location;
}
}

@ -212,6 +212,10 @@ class Server extends SimpleContainer implements IServerContainer {
$this->registerService('Db', function ($c) {
return new Db();
});
$this->registerService('HTTPHelper', function (SimpleContainer $c) {
$config = $c->query('AllConfig');
return new HTTPHelper($config);
});
}
/**
@ -502,6 +506,14 @@ class Server extends SimpleContainer implements IServerContainer {
return $this->query('Db');
}
/**
* Returns an instance of the HTTP helper class
* @return \OC\HTTPHelper
*/
function getHTTPHelper() {
return $this->query('HTTPHelper');
}
/**
* Get the certificate manager for the user
*

@ -72,6 +72,8 @@ class OC_User_HTTP extends OC_User_Backend {
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERPWD, $user.':'.$password);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_exec($ch);

@ -5,8 +5,6 @@
*
*/
class OC_Util {
const USER_AGENT = 'ownCloud Server Crawler';
public static $scripts = array();
public static $styles = array();
public static $headers = array();
@ -1199,106 +1197,20 @@ class OC_Util {
}
/**
* @Brief Get file content via curl.
* Get URL content
* @param string $url Url to get content
* @deprecated Use \OC::$server->getHTTPHelper()->getUrlContent($url);
* @throws Exception If the URL does not start with http:// or https://
* @return string of the response or false on error
* This function get the content of a page via curl, if curl is enabled.
* If not, file_get_contents is used.
*/
public static function getUrlContent($url) {
if (strpos($url, 'http://') !== 0 && strpos($url, 'https://') !== 0) {
throw new Exception('$url must start with https:// or http://', 1);
}
if (function_exists('curl_init')) {
$curl = curl_init();
$max_redirects = 10;
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_USERAGENT, self::USER_AGENT);
if (OC_Config::getValue('proxy', '') != '') {
curl_setopt($curl, CURLOPT_PROXY, OC_Config::getValue('proxy'));
}
if (OC_Config::getValue('proxyuserpwd', '') != '') {
curl_setopt($curl, CURLOPT_PROXYUSERPWD, OC_Config::getValue('proxyuserpwd'));
}
if (ini_get('open_basedir') === '' && ini_get('safe_mode') === 'Off') {
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_MAXREDIRS, $max_redirects);
$data = curl_exec($curl);
} else {
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false);
$mr = $max_redirects;
if ($mr > 0) {
$newURL = curl_getinfo($curl, CURLINFO_EFFECTIVE_URL);
$rcurl = curl_copy_handle($curl);
curl_setopt($rcurl, CURLOPT_HEADER, true);
curl_setopt($rcurl, CURLOPT_NOBODY, true);
curl_setopt($rcurl, CURLOPT_FORBID_REUSE, false);
curl_setopt($rcurl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($rcurl, CURLOPT_USERAGENT, self::USER_AGENT);
do {
curl_setopt($rcurl, CURLOPT_URL, $newURL);
$header = curl_exec($rcurl);
if (curl_errno($rcurl)) {
$code = 0;
} else {
$code = curl_getinfo($rcurl, CURLINFO_HTTP_CODE);
if ($code == 301 || $code == 302) {
preg_match('/Location:(.*?)\n/', $header, $matches);
$newURL = trim(array_pop($matches));
} else {
$code = 0;
}
}
} while ($code && --$mr);
curl_close($rcurl);
if ($mr > 0) {
curl_setopt($curl, CURLOPT_URL, $newURL);
}
}
if ($mr == 0 && $max_redirects > 0) {
$data = false;
} else {
$data = curl_exec($curl);
}
}
curl_close($curl);
} else {
$contextArray = null;
if (OC_Config::getValue('proxy', '') != '') {
$contextArray = array(
'http' => array(
'header' => 'User-Agent: ' . self::USER_AGENT . "\r\n",
'timeout' => 10,
'proxy' => OC_Config::getValue('proxy')
)
);
} else {
$contextArray = array(
'http' => array(
'header' => 'User-Agent: ' . self::USER_AGENT . "\r\n",
'timeout' => 10
)
);
}
$ctx = stream_context_create(
$contextArray
);
$data = @file_get_contents($url, 0, $ctx);
try {
return \OC::$server->getHTTPHelper()->getUrlContent($url);
} catch (\Exception $e) {
throw $e;
}
return $data;
}
/**

@ -242,4 +242,10 @@ interface IServerContainer {
* @return \OCP\IEventSource
*/
function createEventSource();
/**
* Returns an instance of the HTTP helper class
* @return \OC\HTTPHelper
*/
function getHTTPHelper();
}

@ -0,0 +1,88 @@
<?php
/**
* Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or
* later.
* See the COPYING-README file.
*/
class TestHTTPHelper extends \PHPUnit_Framework_TestCase {
/** @var \OC\AllConfig*/
private $config;
/** @var \OC\HTTPHelper */
private $httpHelperMock;
function setUp() {
$this->config = $this->getMockBuilder('\OC\AllConfig')
->disableOriginalConstructor()->getMock();
$this->httpHelperMock = $this->getMockBuilder('\OC\HTTPHelper')
->setConstructorArgs(array($this->config))
->setMethods(array('getHeaders'))
->getMock();
}
public function testIsHTTPProvider() {
return array(
array('http://wwww.owncloud.org/enterprise/', true),
array('https://wwww.owncloud.org/enterprise/', true),
array('HTTPS://WWW.OWNCLOUD.ORG', true),
array('HTTP://WWW.OWNCLOUD.ORG', true),
array('FILE://WWW.OWNCLOUD.ORG', false),
array('file://www.owncloud.org', false),
array('FTP://WWW.OWNCLOUD.ORG', false),
array('ftp://www.owncloud.org', false),
);
}
/**
* Note: Not using a dataprovider because onConsecutiveCalls expects not
* an array but the function arguments directly
*/
public function testGetFinalLocationOfURLValid() {
$url = 'https://www.owncloud.org/enterprise/';
$expected = 'https://www.owncloud.com/enterprise/';
$this->httpHelperMock->expects($this->any())
->method('getHeaders')
->will($this->onConsecutiveCalls(
array('Location' => 'http://www.owncloud.com/enterprise/'),
array('Location' => 'https://www.owncloud.com/enterprise/')
));
$result = $this->httpHelperMock->getFinalLocationOfURL($url);
$this->assertSame($expected, $result);
}
/**
* Note: Not using a dataprovider because onConsecutiveCalls expects not
* an array but the function arguments directly
*/
public function testGetFinalLocationOfURLInvalid() {
$url = 'https://www.owncloud.org/enterprise/';
$expected = 'http://www.owncloud.com/enterprise/';
$this->httpHelperMock->expects($this->any())
->method('getHeaders')
->will($this->onConsecutiveCalls(
array('Location' => 'http://www.owncloud.com/enterprise/'),
array('Location' => 'file://etc/passwd'),
array('Location' => 'http://www.example.com/')
));
$result = $this->httpHelperMock->getFinalLocationOfURL($url);
$this->assertSame($expected, $result);
}
/**
* @expectedException \Exception
* @expectedExceptionMessage URL must begin with HTTPS or HTTP.
*/
public function testGetFinalLocationOfURLException() {
$this->httpHelperMock->getFinalLocationOfURL('file://etc/passwd');
}
/**
* @dataProvider testIsHTTPProvider
*/
public function testIsHTTP($url, $expected) {
$this->assertSame($expected, $this->httpHelperMock->isHTTPURL($url));
}
}
Loading…
Cancel
Save