From 6b895462ac12c72555981120a85c2fe6c5a9df06 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Mon, 4 Dec 2023 10:38:46 +0100
Subject: [PATCH] fix(security): Handle idn_to_utf8 returning false
Signed-off-by: Joas Schilling
---
 lib/private/Security/RemoteHostValidator.php | 4 ++++
 tests/lib/Http/Client/ClientTest.php | 1 +
 tests/lib/Security/RemoteHostValidatorTest.php | 15 ++++++++++++---
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/lib/private/Security/RemoteHostValidator.php b/lib/private/Security/RemoteHostValidator.php
index e48bd86247256..dc6fdaf222a44 100644
--- a/lib/private/Security/RemoteHostValidator.php
+++ b/lib/private/Security/RemoteHostValidator.php
@@ -60,6 +60,10 @@ public function isValid(string $host): bool {
 }
 $host = idn_to_utf8(strtolower(urldecode($host)));
+ if ($host === false) {
+ return false;
+ }
+
 // Remove brackets from IPv6 addresses
 if (strpos($host, '[') === 0 && substr($host, -1) === ']') {
 $host = substr($host, 1, -1);
diff --git a/tests/lib/Http/Client/ClientTest.php b/tests/lib/Http/Client/ClientTest.php
index e48e237e0cc7a..4d937b6c0f20c 100644
--- a/tests/lib/Http/Client/ClientTest.php
+++ b/tests/lib/Http/Client/ClientTest.php
@@ -148,6 +148,7 @@ public function dataPreventLocalAddress():array {
 ['https://service.localhost'],
 ['!@#$', true], // test invalid url
 ['https://normal.host.com'],
+ ['https://com.one-.nextcloud-one.com'],
 ];
 }
diff --git a/tests/lib/Security/RemoteHostValidatorTest.php b/tests/lib/Security/RemoteHostValidatorTest.php
index 030a75b1e79ec..b1371d9343c39 100644
--- a/tests/lib/Security/RemoteHostValidatorTest.php
+++ b/tests/lib/Security/RemoteHostValidatorTest.php
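Review bot: The new early return in `isValid` is the right outcome but carries no explanation, so a later cleanup could mistake it for a redundant type check and drop it; add `// idn_to_utf8() returns false when the name cannot be converted (e.g. a label with a leading/trailing hyphen); a host we cannot normalise is rejected rather than classified` above the `if ($host === false)` line. Before this guard the false value presumably reached the following `strpos`/`substr` calls, which under non-strict typing treat it as an empty string, so the host would have been handed to the classifiers as an empty name instead of being refused — worth stating in the comment or the commit description. If operators need a reason, `idn_to_utf8` accepts a by-reference `$idna_info` argument whose `errors` bitmask could be logged at debug level before returning. The body of `isValid` begins before and continues after the hunk.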
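Review bot: The added row `['https://com.one-.nextcloud-one.com'],` in `dataPreventLocalAddress` says nothing about why that URL must be rejected, unlike the neighbouring `['!@#$', true], // test invalid url`; add a trailing comment such as `// label with a trailing hyphen: idn_to_utf8() returns false` so the link to the validator fix survives future edits. What the optional second element of each row means cannot be seen from this hunk; if it selects an expected exception, the comment should also say that the new row deliberately relies on the default. The enclosing method starts before and ends after the hunk.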
@@ -60,8 +60,17 @@ protected function setUp(): void {
 );
 }
- public function testValid(): void {
- $host = 'nextcloud.com';
+ public function dataValid(): array {
+ return [
+ ['nextcloud.com', true],
+ ['com.one-.nextcloud-one.com', false],
+ ];
+ }
+
+ /**
+ * @dataProvider dataValid
+ */
+ public function testValid(string $host, bool $expected): void {
 $this->hostnameClassifier
 ->method('isLocalHostname')
 ->with($host)
@@ -73,7 +82,7 @@ public function testValid(): void {
 $valid = $this->validator->isValid($host);
- self::assertTrue($valid);
+ self::assertSame($expected, $valid);
 }
 public function testLocalHostname(): void {
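Review bot: The two `dataValid` rows are unnamed, so a failure reports only a dataset index; give them string keys, e.g. `'plain hostname' => ['nextcloud.com', true],` and `'trailing-hyphen label, idn_to_utf8 returns false' => ['com.one-.nextcloud-one.com', false],`. For the false row the validator now returns before any classifier is consulted, yet the `->method('isLocalHostname')->with($host)` stub is still configured for it, and the `self::assertSame($expected, $valid)` in the second hunk cannot tell an early return from a classifier rejection; a separate test (or an `->expects(self::never())` for that row) would pin the behaviour the fix introduces. The body of `testValid` between the two hunks is not shown.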