Allow default http/https ports in GLPI_SERVERSIDE_URL_ALLOWLIST
cedric-anne committed Jan 29, 2025
1 parent 9a63eb6 commit 22176f0
Showing 4 changed files with 46 additions and 8 deletions.
18 changes: 17 additions & 1 deletion inc/based_config.php
Expand Up @@ -85,7 +85,23 @@
'GLPI_SERVERSIDE_URL_ALLOWLIST' => [
// allowlist (regex format) of URL that can be fetched from server side (used for RSS feeds and external calendars, among others)
// URL will be considered as safe as long as it matches at least one entry of the allowlist
'/^(https?|feed):\/\/[^@:]+(\/.*)?$/', // only accept http/https/feed protocols, and reject presence of @ (username) and : (protocol) in host part of URL

// `http://` URLs
// - without presence of @ (username) and : (protocol) in host part of URL
// - with optional `:80` default port
// - with optional path
'#^http://[^@:]+(:80)?(/.*)?$#',

// `https://` URLs
// - without presence of @ (username) and : (protocol) in host part of URL
// - with optional `:443` default port
// - with optional path
'#^https://[^@:]+(:443)?(/.*)?$#',

// `feed://` URLs
// - without presence of @ (username) and : (protocol) in host part of URL
// - with optional path
'#^feed://[^@:]+(/.*)?$#',
],

// Constants related to GLPI Project / GLPI Network external services
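Review bot: The comment repeated on the three new entries, `// - without presence of @ (username) and : (protocol) in host part of URL`, misdescribes `:` — in the authority it is the user:password or host:port separator, not a protocol marker; suggest `// - without @ (user info) or : (password/port separator) in the host part of the URL`. The `$` anchor is used without the PCRE `D` modifier, so it also matches just before a single trailing newline and `http://host:80\n` passes the allowlist; whether that matters depends on how the string is later handed to the fetcher, which is not visible here, but `'#^http://[^@:]+(:80)?(/.*)?$#D'` (and likewise for the https and feed entries) removes the question. Since `[^@:]+` also rejects IPv6 literals such as `http://[::1]/`, unchanged from the previous single entry, a short comment saying so would save the next reader a test run.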
9 changes: 7 additions & 2 deletions phpunit/bootstrap.php
Expand Up @@ -60,8 +60,13 @@
define(
'GLPI_SERVERSIDE_URL_ALLOWLIST',
[
'/^(https?|feed):\/\/[^@:]+(\/.*)?$/', // default allowlist entry
'/^file:\/\/.*\.ics$/', // calendar mockups
// default allowlist entries
'#^http://[^@:]+(:80)?(/.*)?$#',
'#^https://[^@:]+(:443)?(/.*)?$#',
'#^feed://[^@:]+(/.*)?$#',

// calendar mockups
'/^file:\/\/.*\.ics$/',
]
);

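Review bot: The three entries under `// default allowlist entries` are a verbatim copy of the list in inc/based_config.php (and again in tests/bootstrap.php), so the next change to the default allowlist has to be repeated in three places; at minimum the comment should read `// default allowlist entries (keep in sync with inc/based_config.php)`, or the bootstrap could build the list from the default if it can be loaded before this define(). The retained mockup entry `'/^file:\/\/.*\.ics$/'` matches any `.ics` path on the machine, `..` segments included, so the test override widens what server-side fetching may read well beyond the fixtures; restricting it to the fixture directory prefix, if that path is fixed, would keep the test constant as tight as the production one.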
18 changes: 15 additions & 3 deletions phpunit/functional/ToolboxTest.php
Expand Up @@ -1633,13 +1633,17 @@ public static function safeUrlProvider(): iterable
'expected' => false,
];

// http, https and feed URLs are accepted, unless they contains a user or port information
foreach (['http', 'https', 'feed'] as $scheme) {
foreach (['', '/', '/path/to/feed.php'] as $path) {
// http, https and feed URLs are accepted, unless they contains a user or non default port information
foreach (['http' => ':80', 'https' => ':443', 'feed' => ''] as $scheme => $default_port) {
foreach (['', '/', '/path/to/resource.php'] as $path) {
yield [
'url' => sprintf('%s://localhost%s', $scheme, $path),
'expected' => true,
];
yield [
'url' => sprintf('%s://localhost%s%s', $scheme, $default_port, $path),
'expected' => true,
];
yield [
'url' => sprintf('%s://localhost:8080%s', $scheme, $path),
'expected' => false,
Expand All @@ -1648,10 +1652,18 @@ public static function safeUrlProvider(): iterable
'url' => sprintf('%s://test@localhost%s', $scheme, $path),
'expected' => false,
];
yield [
'url' => sprintf('%s://test@localhost%s%s', $scheme, $default_port, $path),
'expected' => false,
];
yield [
'url' => sprintf('%s://test:pass@localhost%s', $scheme, $path),
'expected' => false,
];
yield [
'url' => sprintf('%s://test:pass@localhost%s%s', $scheme, $default_port, $path),
'expected' => false,
];
}
}

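Review bot: The provider now proves each scheme's own default port is accepted, but never that the other scheme's default port is rejected, so a regression letting `http://localhost:443` or `https://localhost:80` through would still pass; adding `yield ['url' => sprintf('%s://localhost%s%s', $scheme, $scheme === 'http' ? ':443' : ':80', $path), 'expected' => false];` inside the inner `$path` loop pins that. For `feed`, `$default_port` is `''`, so the new "default port" datasets are byte-identical duplicates of the no-port ones and add no coverage; skipping those yields when `$default_port === ''` keeps the provider honest. safeUrlProvider() starts before the first hunk and the data it yields continues past the second.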
9 changes: 7 additions & 2 deletions tests/bootstrap.php
Expand Up @@ -58,8 +58,13 @@
define(
'GLPI_SERVERSIDE_URL_ALLOWLIST',
[
'/^(https?|feed):\/\/[^@:]+(\/.*)?$/', // default allowlist entry
'/^file:\/\/.*\.ics$/', // calendar mockups
// default allowlist entries
'#^http://[^@:]+(:80)?(/.*)?$#',
'#^https://[^@:]+(:443)?(/.*)?$#',
'#^feed://[^@:]+(/.*)?$#',

// calendar mockups
'/^file:\/\/.*\.ics$/',
]
);

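Review bot: This is the same override as in phpunit/bootstrap.php, so the allowlist now exists in three copies; a `// keep in sync with inc/based_config.php and phpunit/bootstrap.php` note on the `// default allowlist entries` line is the minimum, and a shared include for the two bootstraps would remove the drift risk entirely. The kept entry `'/^file:\/\/.*\.ics$/'` still uses `/` delimiters with escaped slashes while the three new entries use `#`; writing it as `'#^file://.*\.ics$#'` keeps the list in one style, and it is worth noting in the comment that this entry is not anchored to any directory, so any `.ics` path readable by the test process matches it.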