Improve trusted_host_patterns code

7 years ago · b172fb505c
parent 4a5ca74724
commit b172fb505c
4 changed files with 28 additions and 21 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================

+- Add option trusted_host_patterns (#6009, #5752)
 - Support SMTPUTF8 and relax email address validation to support unicode in local part (#5120)
 - Support additional connect parameters in PostgreSQL database wrapper
 - Use UI dialogs instead of confirm() and alert() where possible
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@ -468,18 +468,21 @@ $config['session_path'] = null;
 // Setting this value to 'php' will use the default session save handler configured in PHP
 $config['session_storage'] = 'db';

-// check client IP in session authorization
-$config['ip_check'] = false;
-
 // List of trusted proxies
 // X_FORWARDED_* and X_REAL_IP headers are only accepted from these IPs
 $config['proxy_whitelist'] = array();

 // List of trusted host names
-// since $_SERVER['SERVER_NAME'] can be modified via the Host header
-// An empty list accepts any host name.
+// Attackers can modify Host header of the HTTP request causing $_SERVER['SERVER_NAME']
+// or $_SERVER['HTTP_HOST'] variables pointing to a different host, that could be used
+// to collect user names and passwords. Some server configurations prevent that, but not all.
+// An empty list accepts any host name. The list can contain host names
+// or PCRE patterns (without // delimiters, that will be added automatically).
 $config['trusted_host_patterns'] = array();

+// check client IP in session authorization
+$config['ip_check'] = false;
+
 // check referer of incoming requests
 $config['referer_check'] = false;

--- a/program/include/rcmail_sendmail.php
+++ b/program/include/rcmail_sendmail.php
@ -535,7 +535,7 @@ class rcmail_sendmail
            $http_header .= $this->received_host($_SERVER['REMOTE_ADDR']);

            // BY
-            $http_header .= $nldlm . 'by ' . $_SERVER['HTTP_HOST'];
+            $http_header .= $nldlm . 'by ' . rcube_utils::server_name('HTTP_HOST');

            // WITH
            $http_header .= $nldlm . 'with HTTP (' . $_SERVER['SERVER_PROTOCOL']
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@ -588,7 +588,7 @@ class rcube_utils
        // %t - host name without first part, e.g. %n=mail.domain.tld, %t=domain.tld
        $t = preg_replace('/^[^\.]+\./', '', $n);
        // %d - domain name without first part
-        $d = preg_replace('/^[^\.]+\./', '', self::server_name($_SERVER['HTTP_HOST']));
+        $d = preg_replace('/^[^\.]+\./', '', self::server_name('HTTP_HOST'));
        // %h - IMAP host
        $h = $_SESSION['storage_host'] ?: $host;
        // %z - IMAP domain without first part, e.g. %h=imap.domain.tld, %z=domain.tld
@ -607,34 +607,37 @@ class rcube_utils
    }

    /**
-     * Returns the given host name after checking it against trusted hostname
-     * patterns, otherwise returns localhost
+     * Returns the host name after checking it against trusted hostname
+     * patterns, otherwise returns localhost (and logs a warning)
     *
-     * @param string $name Hostname to check; use SERVER_NAME if none is given.
-     * @param boolean $strip_port Strip PORT from the host name; default is true.
+     * @param string  $type       The $_SERVER key, e.g. 'HTTP_HOST', Default: 'SERVER_NAME'.
+     * @param boolean $strip_port Strip port from the host name
     *
     * @return string Server name
     */
-    public static function server_name($name = null, $strip_port = true)
+    public static function server_name($type = null, $strip_port = true)
    {
-        if (!is_string($name)) {
-            $name = $_SERVER['SERVER_NAME'];
-        }
+        $name     = $_SERVER[$type ?: 'SERVER_NAME'];
+        $rcube    = rcube::get_instance();
+        $patterns = (array) $rcube->config->get('trusted_host_patterns');

        if ($strip_port) {
            $name = preg_replace('/:\d+$/', '', $name);
        }

-        $trusted_host_patterns = rcube::get_instance()->config->get('trusted_host_patterns', array());
-
-        if (empty($trusted_host_patterns) || in_array($name, $trusted_host_patterns)) {
+        if (empty($patterns) || in_array_nocase($name, $patterns)) {
            return $name;
        }

-        foreach ($trusted_host_patterns as $pattern) {
-            if (preg_match("/$pattern/", $name)) {
-                return $name;
+        if (!empty($name)) {
+            foreach ($patterns as $pattern) {
+                if (preg_match("/$pattern/", $name)) {
+                    return $name;
+                }
            }
+
+            $rcube->raise_error(array('file' => __FILE__, 'line' => __LINE__,
+                'message' => "Specified host is not trusted. Using 'localhost'."), true, false);
        }

        return 'localhost';