From bc4d71bc3d3d7a8ee07edd2ab6c2d18bbbb02de4 Mon Sep 17 00:00:00 2001 From: Carl Schwan Date: Wed, 14 Jul 2021 11:27:01 +0200 Subject: [PATCH] Fix IDN domain name not being allowed The filter_var function is unfortunately not perfect and doesn't support domain with unicode as well as url with underscores. Replace usage with a regex from Symfony validator. See https://bugs.php.net/search.php?cmd=display&search_for=FILTER_VALIDATE_URL Closes #27906 Signed-off-by: Carl Schwan --- .../lib/Controller/SettingsController.php | 3 +- .../lib/Controller/ThemingController.php | 15 +++------ apps/theming/lib/ThemingDefaults.php | 3 +- lib/private/Setup.php | 5 +-- lib/public/Util.php | 32 +++++++++++++++++++ 5 files changed, 43 insertions(+), 15 deletions(-) diff --git a/apps/oauth2/lib/Controller/SettingsController.php b/apps/oauth2/lib/Controller/SettingsController.php index 2850012862988..605c64665e221 100644 --- a/apps/oauth2/lib/Controller/SettingsController.php +++ b/apps/oauth2/lib/Controller/SettingsController.php @@ -40,6 +40,7 @@ use OCP\IL10N; use OCP\IRequest; use OCP\Security\ISecureRandom; +use OCP\Util; class SettingsController extends Controller { /** @var ClientMapper */ @@ -81,7 +82,7 @@ public function __construct(string $appName, public function addClient(string $name, string $redirectUri): JSONResponse { - if (filter_var($redirectUri, FILTER_VALIDATE_URL) === false) { + if (!Util::isValidUrl($redirectUri)) { return new JSONResponse(['message' => $this->l->t('Your redirect URL needs to be a full URL for example: https://yourdomain.com/path')], Http::STATUS_BAD_REQUEST); } diff --git a/apps/theming/lib/Controller/ThemingController.php b/apps/theming/lib/Controller/ThemingController.php index 82cb15037ceaf..a416a95c7acb8 100644 --- a/apps/theming/lib/Controller/ThemingController.php +++ b/apps/theming/lib/Controller/ThemingController.php @@ -54,6 +54,7 @@ use OCP\IRequest; use OCP\ITempManager; use OCP\IURLGenerator; +use OCP\Util; /** * Class ThemingController @@ -143,7 +144,7 @@ public function updateStylesheet($setting, $value) { if (strlen($value) > 500) { $error = $this->l10n->t('The given web address is too long'); } - if (!$this->isValidUrl($value)) { + if (!Util::isValidUrl($value)) { $error = $this->l10n->t('The given web address is not a valid URL'); } break; @@ -151,7 +152,7 @@ public function updateStylesheet($setting, $value) { if (strlen($value) > 500) { $error = $this->l10n->t('The given legal notice address is too long'); } - if (!$this->isValidUrl($value)) { + if (!Util::isValidUrl($value)) { $error = $this->l10n->t('The given legal notice address is not a valid URL'); } break; @@ -159,7 +160,7 @@ public function updateStylesheet($setting, $value) { if (strlen($value) > 500) { $error = $this->l10n->t('The given privacy policy address is too long'); } - if (!$this->isValidUrl($value)) { + if (!Util::isValidUrl($value)) { $error = $this->l10n->t('The given privacy policy address is not a valid URL'); } break; @@ -200,14 +201,6 @@ public function updateStylesheet($setting, $value) { ); } - /** - * Check that a string is a valid http/https url - */ - private function isValidUrl(string $url): bool { - return ((strpos($url, 'http://') === 0 || strpos($url, 'https://') === 0) && - filter_var($url, FILTER_VALIDATE_URL) !== false); - } - /** * @AuthorizedAdminSetting(settings=OCA\Theming\Settings\Admin) * @return DataResponse diff --git a/apps/theming/lib/ThemingDefaults.php b/apps/theming/lib/ThemingDefaults.php index 3bfccda4a4322..ed4118775d8da 100644 --- a/apps/theming/lib/ThemingDefaults.php +++ b/apps/theming/lib/ThemingDefaults.php @@ -49,6 +49,7 @@ use OCP\IL10N; use OCP\INavigationManager; use OCP\IURLGenerator; +use OCP\Util as OCPUtil; class ThemingDefaults extends \OC_Defaults { @@ -204,7 +205,7 @@ public function getShortFooter() { $divider = ''; foreach ($links as $link) { if ($link['url'] !== '' - && filter_var($link['url'], FILTER_VALIDATE_URL) + && OCPUtil::isValidUrl($link['url']) ) { $legalLinks .= $divider . '' . $link['text'] . ''; diff --git a/lib/private/Setup.php b/lib/private/Setup.php index a7f0f190fa292..dd108fe225c6e 100644 --- a/lib/private/Setup.php +++ b/lib/private/Setup.php @@ -62,6 +62,7 @@ use OCP\IL10N; use OCP\Security\ISecureRandom; use Psr\Log\LoggerInterface; +use OCP\Util; class Setup { /** @var SystemConfig */ @@ -340,7 +341,7 @@ public function install($options) { 'trusted_domains' => $trustedDomains, 'datadirectory' => $dataDir, 'dbtype' => $dbType, - 'version' => implode('.', \OCP\Util::getVersion()), + 'version' => implode('.', Util::getVersion()), ]; if ($this->config->getValue('overwrite.cli.url', null) === null) { @@ -477,7 +478,7 @@ private static function findWebRoot(SystemConfig $config): string { if ($webRoot === '') { throw new InvalidArgumentException('overwrite.cli.url is empty'); } - if (!filter_var($webRoot, FILTER_VALIDATE_URL)) { + if (!Util::isValidUrl($webRoot)) { throw new InvalidArgumentException('invalid value for overwrite.cli.url'); } $webRoot = rtrim(parse_url($webRoot, PHP_URL_PATH), '/'); diff --git a/lib/public/Util.php b/lib/public/Util.php index 5165846707a66..c54b3982845e8 100644 --- a/lib/public/Util.php +++ b/lib/public/Util.php @@ -513,4 +513,36 @@ public static function needUpgrade() { } return self::$needUpgradeCache; } + + /** + * Checks whether the given URL is valid. This function should be + * used instead of filter_var($url, FILTER_VALIDATE_URL) since it + * handles idn urls too. + * + * @return bool true if the url is valid, false otherwise. + * @since 23.0.0 + */ + public static function isValidUrl(string $url, array $protocols = ['http', 'https']): bool { + // from https://github.com/symfony/validator/blob/14337bdf9e2e0b2e3385c9e90f13325f0c95a4f9/Constraints/UrlValidator.php#L24 + // Author: Bernhard Schussek + $pattern = '~^ + (%s):// # protocol + (((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+:)?((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+)@)? # basic auth + ( + ([\pL\pN\pS\-\_\.])+(\.?([\pL\pN]|xn\-\-[\pL\pN-]+)+\.?) # a domain name + | # or + \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} # an IP address + | # or + \[ + (?:(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){6})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:::(?:(?:(?:[0-9a-f]{1,4})):){5})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:[0-9a-f]{1,4})))?::(?:(?:(?:[0-9a-f]{1,4})):){4})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,1}(?:(?:[0-9a-f]{1,4})))?::(?:(?:(?:[0-9a-f]{1,4})):){3})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,2}(?:(?:[0-9a-f]{1,4})))?::(?:(?:(?:[0-9a-f]{1,4})):){2})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,3}(?:(?:[0-9a-f]{1,4})))?::(?:(?:[0-9a-f]{1,4})):)(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,4}(?:(?:[0-9a-f]{1,4})))?::)(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,5}(?:(?:[0-9a-f]{1,4})))?::)(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,6}(?:(?:[0-9a-f]{1,4})))?::)))) + \] # an IPv6 address + ) + (:[0-9]+)? # a port (optional) + (?:/ (?:[\pL\pN\-._\~!$&\'()*+,;=:@]|%%[0-9A-Fa-f]{2})* )* # a path + (?:\? (?:[\pL\pN\-._\~!$&\'\[\]()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )? # a query (optional) + (?:\# (?:[\pL\pN\-._\~!$&\'()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )? # a fragment (optional) + $~ixu'; + $pattern = sprintf($pattern, implode('|', $protocols)); + return preg_match($pattern, $url) !== false; + } }