Fix IDN domain name not being allowed

The filter_var function is unfortunately not perfect and doesn't support domain with unicode as well as url with underscores. Replace usage with a regex from Symfony validator. See https://bugs.php.net/search.php?cmd=display&search_for=FILTER_VALIDATE_URL Closes #27906 Signed-off-by: Carl Schwan <[email protected]>
nextcloud · Oct 21, 2021 · bc4d71b · bc4d71b
1 parent 9a8bb5e
commit bc4d71b
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 15 deletions.
diff --git a/apps/oauth2/lib/Controller/SettingsController.php b/apps/oauth2/lib/Controller/SettingsController.php
@@ -40,6 +40,7 @@
 use OCP\IL10N;
 use OCP\IRequest;
 use OCP\Security\ISecureRandom;
+use OCP\Util;
 
 class SettingsController extends Controller {
 	/** @var ClientMapper */
@@ -81,7 +82,7 @@ public function __construct(string $appName,
 
 	public function addClient(string $name,
 							  string $redirectUri): JSONResponse {
-		if (filter_var($redirectUri, FILTER_VALIDATE_URL) === false) {
+		if (!Util::isValidUrl($redirectUri)) {
 			return new JSONResponse(['message' => $this->l->t('Your redirect URL needs to be a full URL for example: https://yourdomain.com/path')], Http::STATUS_BAD_REQUEST);
 		}
 

diff --git a/apps/theming/lib/Controller/ThemingController.php b/apps/theming/lib/Controller/ThemingController.php
@@ -54,6 +54,7 @@
 use OCP\IRequest;
 use OCP\ITempManager;
 use OCP\IURLGenerator;
+use OCP\Util;
 
 /**
  * Class ThemingController
@@ -143,23 +144,23 @@ public function updateStylesheet($setting, $value) {
 				if (strlen($value) > 500) {
 					$error = $this->l10n->t('The given web address is too long');
 				}
-				if (!$this->isValidUrl($value)) {
+				if (!Util::isValidUrl($value)) {
 					$error = $this->l10n->t('The given web address is not a valid URL');
 				}
 				break;
 			case 'imprintUrl':
 				if (strlen($value) > 500) {
 					$error = $this->l10n->t('The given legal notice address is too long');
 				}
-				if (!$this->isValidUrl($value)) {
+				if (!Util::isValidUrl($value)) {
 					$error = $this->l10n->t('The given legal notice address is not a valid URL');
 				}
 				break;
 			case 'privacyUrl':
 				if (strlen($value) > 500) {
 					$error = $this->l10n->t('The given privacy policy address is too long');
 				}
-				if (!$this->isValidUrl($value)) {
+				if (!Util::isValidUrl($value)) {
 					$error = $this->l10n->t('The given privacy policy address is not a valid URL');
 				}
 				break;
@@ -200,14 +201,6 @@ public function updateStylesheet($setting, $value) {
 		);
 	}
 
-	/**
-	 * Check that a string is a valid http/https url
-	 */
-	private function isValidUrl(string $url): bool {
-		return ((strpos($url, 'http://') === 0 || strpos($url, 'https://') === 0) &&
-			filter_var($url, FILTER_VALIDATE_URL) !== false);
-	}
-
 	/**
 	 * @AuthorizedAdminSetting(settings=OCA\Theming\Settings\Admin)
 	 * @return DataResponse

diff --git a/apps/theming/lib/ThemingDefaults.php b/apps/theming/lib/ThemingDefaults.php
@@ -49,6 +49,7 @@
 use OCP\IL10N;
 use OCP\INavigationManager;
 use OCP\IURLGenerator;
+use OCP\Util as OCPUtil;
 
 class ThemingDefaults extends \OC_Defaults {
 
@@ -204,7 +205,7 @@ public function getShortFooter() {
 		$divider = '';
 		foreach ($links as $link) {
 			if ($link['url'] !== ''
-				&& filter_var($link['url'], FILTER_VALIDATE_URL)
+				&& OCPUtil::isValidUrl($link['url'])
 			) {
 				$legalLinks .= $divider . '<a href="' . $link['url'] . '" class="legal" target="_blank"' .
 					' rel="noreferrer noopener">' . $link['text'] . '</a>';

diff --git a/lib/private/Setup.php b/lib/private/Setup.php
@@ -62,6 +62,7 @@
 use OCP\IL10N;
 use OCP\Security\ISecureRandom;
 use Psr\Log\LoggerInterface;
+use OCP\Util;
 
 class Setup {
 	/** @var SystemConfig */
@@ -340,7 +341,7 @@ public function install($options) {
 			'trusted_domains' => $trustedDomains,
 			'datadirectory' => $dataDir,
 			'dbtype' => $dbType,
-			'version' => implode('.', \OCP\Util::getVersion()),
+			'version' => implode('.', Util::getVersion()),
 		];
 
 		if ($this->config->getValue('overwrite.cli.url', null) === null) {
@@ -477,7 +478,7 @@ private static function findWebRoot(SystemConfig $config): string {
 			if ($webRoot === '') {
 				throw new InvalidArgumentException('overwrite.cli.url is empty');
 			}
-			if (!filter_var($webRoot, FILTER_VALIDATE_URL)) {
+			if (!Util::isValidUrl($webRoot)) {
 				throw new InvalidArgumentException('invalid value for overwrite.cli.url');
 			}
 			$webRoot = rtrim(parse_url($webRoot, PHP_URL_PATH), '/');

diff --git a/lib/public/Util.php b/lib/public/Util.php
@@ -513,4 +513,36 @@ public static function needUpgrade() {
 		}
 		return self::$needUpgradeCache;
 	}
+
+	/**
+	 * Checks whether the given URL is valid. This function should be
+	 * used instead of filter_var($url, FILTER_VALIDATE_URL) since it
+	 * handles idn urls too.
+	 *
+	 * @return bool true if the url is valid, false otherwise.
+	 * @since 23.0.0
+	 */
+	public static function isValidUrl(string $url, array $protocols = ['http', 'https']): bool {
+		// from https://github.com/symfony/validator/blob/14337bdf9e2e0b2e3385c9e90f13325f0c95a4f9/Constraints/UrlValidator.php#L24
+		// Author: Bernhard Schussek <[email protected]>
+		$pattern = '~^
+			(%s)://                                 # protocol
+			(((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+:)?((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+)@)?  # basic auth
+			(
+				([\pL\pN\pS\-\_\.])+(\.?([\pL\pN]|xn\-\-[\pL\pN-]+)+\.?)        # a domain name
+					|                                                           # or
+				\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}                              # an IP address
+					|                                                           # or
+				\[
+					(?:(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){6})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:::(?:(?:(?:[0-9a-f]{1,4})):){5})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:[0-9a-f]{1,4})))?::(?:(?:(?:[0-9a-f]{1,4})):){4})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,1}(?:(?:[0-9a-f]{1,4})))?::(?:(?:(?:[0-9a-f]{1,4})):){3})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,2}(?:(?:[0-9a-f]{1,4})))?::(?:(?:(?:[0-9a-f]{1,4})):){2})(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,3}(?:(?:[0-9a-f]{1,4})))?::(?:(?:[0-9a-f]{1,4})):)(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,4}(?:(?:[0-9a-f]{1,4})))?::)(?:(?:(?:(?:(?:[0-9a-f]{1,4})):(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9]))\.){3}(?:(?:25[0-5]|(?:[1-9]|1[0-9]|2[0-4])?[0-9])))))))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,5}(?:(?:[0-9a-f]{1,4})))?::)(?:(?:[0-9a-f]{1,4})))|(?:(?:(?:(?:(?:(?:[0-9a-f]{1,4})):){0,6}(?:(?:[0-9a-f]{1,4})))?::))))
+				\]  # an IPv6 address
+			)
+			(:[0-9]+)?                                                          # a port (optional)
+			(?:/ (?:[\pL\pN\-._\~!$&\'()*+,;=:@]|%%[0-9A-Fa-f]{2})* )*          # a path
+			(?:\? (?:[\pL\pN\-._\~!$&\'\[\]()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )?   # a query (optional)
+			(?:\# (?:[\pL\pN\-._\~!$&\'()*+,;=:@/?]|%%[0-9A-Fa-f]{2})* )?       # a fragment (optional)
+		$~ixu';
+		$pattern = sprintf($pattern, implode('|', $protocols));
+		return preg_match($pattern, $url) !== false;
+	}
 }