refs #3080 - backend implementation of trusted_hosts validation; need...

refs #3080 - backend implementation of trusted_hosts validation; need front-end UI for runtime configuration


git-svn-id: http://dev.piwik.org/svn/trunk@6207 59fd770c-687e-43c8-a1e3-f5a4ff64c105

config/global.ini.php

@@ -268,6 +268,12 @@ assume_secure_protocol = 0
 ;proxy_ips[] = 199.27.128.0/21
 ;proxy_ips[] = 173.245.48.0/20
 
+; List of trusted hosts (eg domain or subdomain names) when generating absolute URLs.
+;
+; Examples:
+;trusted_hosts[] = example.com
+;trusted_hosts[] = stats.example.com
+
 ; The release server is an essential part of the Piwik infrastructure/ecosystem
 ; to provide the latest software version.
 latest_version_url = http://piwik.org/latest.zip

core/Url.php

@@ -159,6 +159,47 @@ class Piwik_Url
 		return 'http';
 	}
 
+	/*
+	 * Validate "Host" (untrusted user input)
+	 *
+	 * @param string $host         Contents of Host: header from Request
+	 * @param array  $trustedHosts An array of trusted hosts
+	 *
+	 * @return boolean True if valid; false otherwise
+	 */
+	public function isValidHost($host, $trustedHosts)
+	{
+		// Only punctuation we allow is '[', ']', ':', '.' and '-'
+		$hostLength = Piwik_Common::strlen($host);
+		if ($hostLength !== strcspn($host, '`~!@#$%^&*()_+={}\\|;"\'<>,?/ '))
+		{
+    			return false;
+		}
+
+		$untrustedHost = Piwik_Common::mb_strtolower($host);
+		$hostRegex     = Piwik_Common::mb_strtolower(str_replace('.', '\.', '/(^|.)' . implode('|', $trustedHosts) . '(:[0-9]+)?$/'));
+
+		return 0 !== preg_match($hostRegex, rtrim($untrustedHost, '.'));
+	}
+
+	/**
+	 * Get host
+	 *
+	 * @return string|false
+	 */
+	static public function getHost()
+	{
+		if (isset($_SERVER['HTTP_HOST'])
+			&& strlen($host = $_SERVER['HTTP_HOST'])
+			&& (!($trustedHosts = @Piwik_Config::getInstance()->General['trusted_hosts'])
+			|| self::isValidHost($host, $trustedHosts)))
+		{
+			return $host;
+		}
+
+		return false;
+	}
+
 	/**
 	 * If current URL is "http://example.org/dir1/dir2/index.php?param1=value1&param2=value2"
 	 * will return "example.org"
@@ -174,12 +215,8 @@ class Piwik_Url
 			$hostHeaders = array();
 		}
 
-		$default = Piwik_Common::sanitizeInputValue($default);
-		if(isset($_SERVER['HTTP_HOST'])
-			&& !empty($_SERVER['HTTP_HOST']))
-		{
-			$default = Piwik_Common::sanitizeInputValue($_SERVER['HTTP_HOST']);
-		}
+		$host = self::getHost();
+		$default = Piwik_Common::sanitizeInputValue($host ? $host : $default);
 
 		return Piwik_IP::getNonProxyIpFromHeader($default, $hostHeaders);
 	}
@@ -336,7 +373,7 @@ class Piwik_Url
 		// handle host name mangling
 		$requestUri = isset($_SERVER['SCRIPT_URI']) ? $_SERVER['SCRIPT_URI'] : '';
 		$parseRequest = @parse_url($requestUri);
-		$hosts = array(	$_SERVER['HTTP_HOST'], self::getCurrentHost() );
+		$hosts = array(	self::getHost(), self::getCurrentHost() );
 		if(isset($parseRequest['host']))
 		{
 			$hosts[] = $parseRequest['host'];

plugins/Installation/Controller.php

@@ -524,6 +524,7 @@ class Piwik_Installation_Controller extends Piwik_Controller
 
 		if(!file_exists(Piwik_Config::getLocalConfigPath()))
 		{
+			$this->addTrustedHosts();
 			$this->writeConfigFileFromSession();
 		}
 
@@ -682,6 +683,51 @@ class Piwik_Installation_Controller extends Piwik_Controller
 		}
 	}
 
+	/**
+	 * Extract host from URL
+	 *
+	 * @param string $url URL
+	 *
+	 * @return string|false
+	 */
+	protected function extractHost($url)
+	{
+		$skipLocalHosts = array('localhost', '127.0.0.1', '[::1]');
+
+		$urlParts = parse_url($url);
+		if (isset($urlParts['host']) && strlen($host = $urlParts['host']) && !in_array($host, $skipLocalHosts))
+		{
+			return $host;
+		}
+
+		return false;
+	}
+
+	/**
+	 * Add trusted hosts
+	 */
+	protected function addTrustedHosts()
+	{
+		$trustedHosts = array();
+
+		// extract host from the request header
+		if (($host = $this->extractHost('http://'.Piwik_Url::getHost())) !== false)
+		{
+			$trustedHosts[] = $host;
+		}
+
+		// extract host from first web site
+		if (($host = $this->extractHost(urldecode($this->session->site_url))) !== false)
+		{
+			$trustedHosts[] = $host;
+		}
+
+		if (count($trustedHosts))
+		{
+			$this->session->general_infos['trusted_hosts'] = $trustedHosts;
+		}
+	}
+
 	/**
 	 * Get system information
 	 */

tests/core/Url.test.php

@@ -249,4 +249,30 @@ class Test_Piwik_Url extends UnitTestCase
 
 		$this->restoreGlobals($saved);
 	}
+
+	public function testIsValidHost()
+	{
+		$testData = array(
+			// $expected, $host, $trustedHosts, $description
+			array(true, 'example.com', array('example.com'), 'Naked domain'),
+			array(true, 'example.net', array('example.com', 'example.net'), 'Multiple domains'),
+			array(true, 'piwik.example.com', array('piwik.example.com'), 'Fully qualified domain name'),
+			array(true, 'piwik.example.com', array('example.com'), 'Valid subdomain'),
+			array(false, 'example.net', array('example.com'), 'Invalid domain'),
+			array(false, '.example.com', array('piwik.example.com'), 'Invalid subdomain'),
+			array(false, 'example-com', array('example.com'), 'Regex should match . literally'),
+			array(false, 'www.attacker.com?example.com', array('example.com'), 'Spoofed host'),
+			array(false, 'example.com.attacker.com', array('example.com'), 'Spoofed subdomain'),
+			array(true, 'example.com.', array('example.com'), 'Trailing . on host is actually valid'),
+			array(true, 'www-dev.example.com', array('example.com'), 'host with dashes is valid'),
+			array(true, 'www.example.com:8080', array('example.com'), 'host:port is valid'),
+		);
+ 
+		foreach ($testData as $test)
+		{
+			list($expected, $host, $trustedHosts, $description) = $test;
+ 
+			$this->assertEqual(Piwik_Url::isValidHost($host, $trustedHosts), $expected, $description);
+		}
+	}
 }