|
|
|
|
@ -86,13 +86,13 @@ class OC_Request { |
|
|
|
|
* of trusted domains. If no trusted domains have been configured, returns |
|
|
|
|
* true. |
|
|
|
|
* This is used to prevent Host Header Poisoning. |
|
|
|
|
* @param string $domain |
|
|
|
|
* @param string $domainWithPort |
|
|
|
|
* @return bool true if the given domain is trusted or if no trusted domains |
|
|
|
|
* have been configured |
|
|
|
|
*/ |
|
|
|
|
public static function isTrustedDomain($domain) { |
|
|
|
|
public static function isTrustedDomain($domainWithPort) { |
|
|
|
|
// Extract port from domain if needed |
|
|
|
|
$domain = self::getDomainWithoutPort($domain); |
|
|
|
|
$domain = self::getDomainWithoutPort($domainWithPort); |
|
|
|
|
|
|
|
|
|
// FIXME: Empty config array defaults to true for now. - Deprecate this behaviour with ownCloud 8. |
|
|
|
|
$trustedList = \OC::$server->getConfig()->getSystemValue('trusted_domains', array()); |
|
|
|
|
@ -100,6 +100,11 @@ class OC_Request { |
|
|
|
|
return true; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// FIXME: Workaround for older instances still with port applied. Remove for ownCloud 9. |
|
|
|
|
if(in_array($domainWithPort, $trustedList)) { |
|
|
|
|
return true; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// Always allow access from localhost |
|
|
|
|
if (preg_match(self::REGEX_LOCALHOST, $domain) === 1) { |
|
|
|
|
return true; |
|
|
|
|
|
Lukas Reschke
12 years ago