Changeset 670

Timestamp:

Mar 6, 2019 9:18:39 PM (5 years ago)

Author:

anonymous

Message:

Strip unsafe characters from HTTP_HOST

Location:

trunk/lib

Files:

• App.inc.php (modified) (5 diffs)
• Email.inc.php (modified) (2 diffs)
• Utilities.inc.php (modified) (2 diffs)

trunk/lib/App.inc.php

@@ -78 +78 @@
         'site_name' => null,
         'site_email' => '', // Set to no-reply@HTTP_HOST if not set here.
+        'site_hostname' => '', // The hostname of this application (if not set, use a cleaned HTTP_HOST environment variable).
         'site_url' => '', // URL to the root of the site (created during App->start()).
         'page_url' => '', // URL to the current page (created during App->start()).
@@ -478 +479 @@
          */
 
+        $safe_http_host = preg_replace('/[^a-z\d.-]/', '', getenv('HTTP_HOST'));
+        if ('' != $safe_http_host && '' == $this->getParam('site_hostname')) {
+            $this->setParam(array('site_hostname' => $safe_http_host));
+        }
+
         // Site URL will become something like http://host.name.tld (no ending slash)
         // and is used whenever a URL need be used to the current site.
         // Not available on CLI scripts obviously.
-        if (isset($_SERVER['HTTP_HOST']) && '' != $_SERVER['HTTP_HOST'] && '' == $this->getParam('site_url')) {
-            $this->setParam(array('site_url' => sprintf('%s://%s', (getenv('HTTPS') ? 'https' : 'http'), getenv('HTTP_HOST'))));
+        if ($safe_http_host && '' == $this->getParam('site_url')) {
+            $this->setParam(array('site_url' => sprintf('%s://%s', (getenv('HTTPS') ? 'https' : 'http'), $safe_http_host)));
         }
 
         // Page URL will become a permalink to the current page.
         // Also not available on CLI scripts obviously.
-        if (isset($_SERVER['HTTP_HOST']) && '' != $_SERVER['HTTP_HOST']) {
-            $this->setParam(array('page_url' => sprintf('%s://%s%s', (getenv('HTTPS') ? 'https' : 'http'), getenv('HTTP_HOST'), getenv('REQUEST_URI'))));
+        if ('' != $safe_http_host) {
+            $this->setParam(array('page_url' => sprintf('%s://%s%s', (getenv('HTTPS') ? 'https' : 'http'), $safe_http_host, getenv('REQUEST_URI'))));
         }
 
         // In case site_email isn't set, use something halfway presentable.
-        if (isset($_SERVER['HTTP_HOST']) && '' != $_SERVER['HTTP_HOST'] && '' == $this->getParam('site_email')) {
-            $this->setParam(array('site_email' => sprintf('no-reply@%s', getenv('HTTP_HOST'))));
+        if ('' != $safe_http_host && '' == $this->getParam('site_email')) {
+            $this->setParam(array('site_email' => sprintf('no-reply@%s', $safe_http_host)));
         }
 
@@ -909 +915 @@
         // EMAIL ACTION
         if (false !== $this->getParam('log_email_priority') && $priority <= $this->getParam('log_email_priority') && $send_notifications) {
-            $hostname = (isset($_SERVER['HTTP_HOST']) && '' != $_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : php_uname('n');
+            $hostname = ('' != $this->getParam('site_hostname')) ? $this->getParam('site_hostname') : php_uname('n');
             $subject = sprintf('[%s %s] %s', $hostname, $event['type'], mb_substr($event['message'], 0, 64));
             $email_msg = sprintf("A log event of type '%s' occurred on %s\n\n", $event['type'], $hostname);
@@ -923 +929 @@
         // SMS ACTION
         if (false !== $this->getParam('log_sms_priority') && $priority <= $this->getParam('log_sms_priority') && $send_notifications) {
-            $hostname = (isset($_SERVER['HTTP_HOST']) && '' != $_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : php_uname('n');
+            $hostname = ('' != $this->getParam('site_hostname')) ? $this->getParam('site_hostname') : php_uname('n');
             $subject = sprintf('[%s %s]', $hostname, $priority);
             $sms_msg = sprintf('%s [%s:%s]', mb_substr($event_short['message'], 0, 64), basename($file), $line);
@@ -1391 +1397 @@
             // If relative URL is given, prepend correct local hostname.
             $scheme = getenv('HTTPS') ? 'https' : 'http';
-            $host = getenv('HTTP_HOST');
+            $host = $this->getParam('site_hostname');
             $url = sprintf('%s://%s%s', $scheme, $host, $url);
         }

trunk/lib/Email.inc.php

@@ -363 +363 @@
 
         // Process headers.
-        $final_headers = array();
+        $final_headers_arr = array();
+        $final_headers = '';
         foreach ($headers as $key => $val) {
             // Validate key and values.
@@ -385 +386 @@
                 continue;
             }
-            $final_headers[] = sprintf('%s: %s', $key, $val);
-        }
-        $final_headers = join($this->getParam('crlf'), $final_headers);
+            $final_headers_arr[] = sprintf('%s: %s', $key, $val);
+        }
+        $final_headers = join($this->getParam('crlf'), $final_headers_arr);
 
         // This is the address where delivery problems are sent to. We must strip off everything except the local@domain part.

trunk/lib/Utilities.inc.php

@@ -1377 +1377 @@
 
     if (!isset($urls[$url])) {
-        if (!preg_match('|https?://[\w.]+/|', $url)) {
+        if (!preg_match('!^https?://!i', $url)) {
             // If we can't find a domain we assume the URL is local (i.e. "/my/url/path/" or "../img/file.jpg").
             $urls[$url] = true;
         } else {
-            $urls[$url] = preg_match('|https?://[\w.]*' . preg_quote(getenv('HTTP_HOST'), '|') . '|i', $url);
+            $urls[$url] = preg_match('!^https?://' . preg_quote(getenv('HTTP_HOST'), '!') . '!i', $url);
         }
     }
@@ -1405 +1405 @@
 function absoluteMe()
 {
-    return sprintf('%s://%s%s', (getenv('HTTPS') ? 'https' : 'http'), getenv('HTTP_HOST'), getenv('REQUEST_URI'));
+    $safe_http_host = preg_replace('/[^a-z\d.-]/', '', getenv('HTTP_HOST'));
+    return sprintf('%s://%s%s', (getenv('HTTPS') ? 'https' : 'http'), $safe_http_host, getenv('REQUEST_URI'));
 }