Merge branch 'trusted-host-patterns' of https://github.com/dsoares/ro…

…undcubemail into dsoares-trusted-host-patterns
roundcube · Jan 1, 2018 · 4a5ca74 · 4a5ca74
2 parents a8d5547 + 5282cba
commit 4a5ca74
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 3 deletions.
diff --git a/config/defaults.inc.php b/config/defaults.inc.php
@@ -475,6 +475,11 @@
 // X_FORWARDED_* and X_REAL_IP headers are only accepted from these IPs
 $config['proxy_whitelist'] = array();
 
+// List of trusted host names
+// since $_SERVER['SERVER_NAME'] can be modified via the Host header
+// An empty list accepts any host name.
+$config['trusted_host_patterns'] = array();
+
 // check referer of incoming requests
 $config['referer_check'] = false;
 

diff --git a/program/lib/Roundcube/rcube_smtp.php b/program/lib/Roundcube/rcube_smtp.php
@@ -102,7 +102,7 @@ public function connect($host = null, $port = null, $user = null, $pass = null)
             $helo_host = $CONFIG['smtp_helo_host'];
         }
         else if (!empty($_SERVER['SERVER_NAME'])) {
-            $helo_host = preg_replace('/:\d+$/', '', $_SERVER['SERVER_NAME']);
+            $helo_host = rcube_utils::server_name();
         }
         else {
             $helo_host = 'localhost';

diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
@@ -584,11 +584,11 @@ public static function parse_host($name, $host = '')
         }
 
         // %n - host
-        $n = preg_replace('/:\d+$/', '', $_SERVER['SERVER_NAME']);
+        $n = self::server_name();
         // %t - host name without first part, e.g. %n=mail.domain.tld, %t=domain.tld
         $t = preg_replace('/^[^\.]+\./', '', $n);
         // %d - domain name without first part
-        $d = preg_replace('/^[^\.]+\./', '', $_SERVER['HTTP_HOST']);
+        $d = preg_replace('/^[^\.]+\./', '', self::server_name($_SERVER['HTTP_HOST']));
         // %h - IMAP host
         $h = $_SESSION['storage_host'] ?: $host;
         // %z - IMAP domain without first part, e.g. %h=imap.domain.tld, %z=domain.tld
@@ -606,6 +606,40 @@ public static function parse_host($name, $host = '')
         return str_replace(array('%n', '%t', '%d', '%h', '%z', '%s'), array($n, $t, $d, $h, $z, $s[2]), $name);
     }
 
+    /**
+     * Returns the given host name after checking it against trusted hostname
+     * patterns, otherwise returns localhost
+     *
+     * @param string $name Hostname to check; use SERVER_NAME if none is given.
+     * @param boolean $strip_port Strip PORT from the host name; default is true.
+     *
+     * @return string Server name
+     */
+    public static function server_name($name = null, $strip_port = true)
+    {
+        if (!is_string($name)) {
+            $name = $_SERVER['SERVER_NAME'];
+        }
+
+        if ($strip_port) {
+            $name = preg_replace('/:\d+$/', '', $name);
+        }
+
+        $trusted_host_patterns = rcube::get_instance()->config->get('trusted_host_patterns', array());
+
+        if (empty($trusted_host_patterns) || in_array($name, $trusted_host_patterns)) {
+            return $name;
+        }
+
+        foreach ($trusted_host_patterns as $pattern) {
+            if (preg_match("/$pattern/", $name)) {
+                return $name;
+            }
+        }
+
+        return 'localhost';
+    }
+
     /**
      * Returns remote IP address and forwarded addresses if found
      *