author | Vincent Petry <pvince81@owncloud.com> | 2014-03-05 18:02:05 +0400 |
---|---|---|
committer | Vincent Petry <pvince81@owncloud.com> | 2014-03-06 14:58:51 +0400 |
commit | 47c4971e10f60426330421e709387a4b857e0881 (patch) | |
tree | 4e48e1ac426c9d3870df2d205bcd39da3298cf49 /lib/base.php | |
parent | b66b10b806e24b46cff608213ce849b5ffddd696 (diff) |
Show warning page when accessing server from an untrusted domain
Added early check for the requested domain host and show a warning
page if the domain is not trusted.
Backport of 9b6b02a from stable6
Diffstat (limited to 'lib/base.php')
-rw-r--r-- | lib/base.php | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/lib/base.php b/lib/base.php
index e8f67db8881..3c3c13c8c47 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -612,6 +612,22 @@ class OC {
 exit();
 }
 
+ $host = OC_Request::insecureServerHost();
+ // if the host passed in headers isn't trusted
+ if (!OC::$CLI
+ // overwritehost is always trusted
+ && OC_Request::getOverwriteHost() === null
+ && !OC_Request::isTrustedDomain($host)) {
+
+ header('HTTP/1.1 400 Bad Request');
+ header('Status: 400 Bad Request');
+ OC_Template::printErrorPage(
+ 'You are accessing the server from an untrusted domain.',
+ 'Please contact your administrator'
+ );
+ return;
+ }
+
 $request = OC_Request::getPathInfo();
 if(substr($request, -3) !== '.js') {// we need these files during the upgrade
 self::checkMaintenanceMode(); |
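Review bot: The new guard ends with `return;`, whereas the branch just above it in the context ends with `exit();`, so rejecting the request depends on `OC_Template::printErrorPage()` terminating the script itself, which is not visible in this hunk. If that call ever returns, control goes back to the caller of this method and normal request handling could continue for a host that failed `isTrustedDomain()`. I would end the block with `exit();` so the rejection is unconditional, or at least add `// printErrorPage() terminates the request` beside the `return;`. The enclosing method of class OC starts and ends outside the hunk, so whether earlier code has already used the unvalidated Host value cannot be judged from here.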