Verified Commit b6927253 authored by Marius David Wieschollek's avatar Marius David Wieschollek

Fix host issue

parent d74ea054
......@@ -13,30 +13,32 @@ namespace OCA\PasswordsHandbook\Controller;
use JetBrains\PhpStorm\Pure;
use OC\App\AppManager;
use OC\AppFramework\Http\Request;
use OCA\PasswordsHandbook\AppInfo\Application;
use OCA\PasswordsHandbook\Service\FeaturesService;
use OCP\App\AppPathNotFoundException;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
use OCP\AppFramework\Http\Attribute\NoTwoFactorRequired;
use OCP\AppFramework\Http\Attribute\PublicPage;
use OCP\AppFramework\Http\DataDisplayResponse;
use OCP\AppFramework\Http\NotFoundResponse;
use OCP\AppFramework\Http\Response;
use OCP\IConfig;
use OCP\IRequest;
use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
use OCP\AppFramework\Http\Attribute\PublicPage;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\Attribute\NoTwoFactorRequired;
class HandbookController extends Controller {
/**
* @param $appName
* @param IRequest $request
* @param IConfig $config
* @param AppManager $appManager
* @param FeaturesService $featuresService
*/
#[Pure] public function __construct($appName, IRequest $request, protected AppManager $appManager, protected FeaturesService $featuresService) {
#[Pure] public function __construct($appName, IRequest $request, protected IConfig $config, protected AppManager $appManager, protected FeaturesService $featuresService) {
parent::__construct($appName, $request);
}
......@@ -119,8 +121,61 @@ class HandbookController extends Controller {
}
protected function getHeaders(mixed $mime): array {
$requestUri = 'https://'.$this->request->getServerHost();
$origin = $this->request->getHeader('origin');
$allowOrigin = 'https://'.$this->getTrustedDomainFromURl($origin);
return ['content-type' => $mime, 'Access-Control-Allow-Origin' => $allowOrigin];
}
/**
* Mostly taken from \OC\Security\TrustedDomainHelper::isTrustedDomain
* except we don't check the overwritehost setting.
*/
public function getTrustedDomainFromURl(string $url): string {
$parsedUrl = parse_url($url);
if(empty($parsedUrl['host'])) {
return $this->request->getServerHost();
}
$domain = $parsedUrl['host'];
$domainWithPort = $domain.($parsedUrl['port'] ? ':'.$parsedUrl['port']:'');
// Read trusted domains from config
$trustedList = $this->config->getSystemValue('trusted_domains', []);
if(!is_array($trustedList)) {
return $this->request->getServerHost();
}
// Always allow access from localhost
if(preg_match(Request::REGEX_LOCALHOST, $domain) === 1) {
return $domain;
}
// Reject malformed domains in any case
if(str_starts_with($domain, '-') || str_contains($domain, '..')) {
return $this->request->getServerHost();
}
// Match, allowing for * wildcards
foreach($trustedList as $trusted) {
if(gettype($trusted) !== 'string') {
break;
}
$regex = '/^'.
implode(
'[-\.a-zA-Z0-9]*',
array_map(
function ($v) {
return preg_quote($v, '/');
},
explode('*', $trusted)
)
).
'$/i';
if(preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) {
return $domain;
}
}
return ['content-type' => $mime, 'Access-Control-Allow-Origin' => $requestUri];
return $this->request->getServerHost();
}
}
\ No newline at end of file
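Review bot: `$parsedUrl['port']` on the `$domainWithPort` line is read without a guard, so every Origin that carries no explicit port triggers an "Undefined array key" warning on PHP 8; the Nextcloud helper this is copied from guards it, `$domainWithPort = $domain.(isset($parsedUrl['port']) ? ':'.$parsedUrl['port'] : '');`. Because `getHeaders` now reflects a request-dependent value into `Access-Control-Allow-Origin`, the response should also declare `Vary: Origin` so an intermediary cache cannot hand one origin's allow header to another, `return ['content-type' => $mime, 'Access-Control-Allow-Origin' => $allowOrigin, 'Vary' => 'Origin'];`. Note as well that both match branches return `$domain` while the scheme is forced to `https://` in the caller, so an origin on a non-default port can match via `$domainWithPort` yet receive a header the browser will not treat as equal to the Origin it sent — presumably fine if the instance only serves on 443, otherwise return `$domainWithPort` from the matching branches. Lastly, `getTrustedDomainFromURl` is a public controller method that is not a route action; declaring it `protected` (and fixing the `URl` capitalisation) keeps the controller's public surface limited to handlers.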