[BUGFIX] Add case insensitive flag to trustedHostsPattern 75/30475/7
authorDietrich Heise <d.heise@bitmotion.de>
Wed, 28 May 2014 13:59:01 +0000 (15:59 +0200)
committerWouter Wolters <typo3@wouterwolters.nl>
Sun, 14 Dec 2014 19:48:18 +0000 (20:48 +0100)
Releases: master, 6.2, 4.5
Resolves: #59186
Change-Id: Iaa973faf5b3f287320fb187c3db2d8e30a486735
Reviewed-on: http://review.typo3.org/30475
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
typo3/sysext/core/Classes/Utility/GeneralUtility.php
typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php

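--- a/typo3/sysext/core/Classes/Utility/GeneralUtility.php
+++ b/typo3/sysext/core/Classes/Utility/GeneralUtility.php
@@ -3602,14 +3602,14 @@ Connection: close
 			$defaultPort = self::getIndpEnv('TYPO3_SSL') ? '443' : '80';
 			$parsedHostValue = parse_url('http://' . $hostHeaderValue);
 			if (isset($parsedHostValue['port'])) {
-				static::$allowHostHeaderValue = ($parsedHostValue['host'] === $_SERVER['SERVER_NAME'] && (string)$parsedHostValue['port'] === $_SERVER['SERVER_PORT']);
+				static::$allowHostHeaderValue = (strtolower($parsedHostValue['host']) === strtolower($_SERVER['SERVER_NAME']) && (string)$parsedHostValue['port'] === $_SERVER['SERVER_PORT']);
 			} else {
-				static::$allowHostHeaderValue = ($hostHeaderValue === $_SERVER['SERVER_NAME'] && $defaultPort === $_SERVER['SERVER_PORT']);
+				static::$allowHostHeaderValue = (strtolower($hostHeaderValue) === strtolower($_SERVER['SERVER_NAME']) && $defaultPort === $_SERVER['SERVER_PORT']);
 			}
 		} else {
 			// In case name based virtual hosts are not possible, we allow setting a trusted host pattern
 			// See https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/ for further details
-			static::$allowHostHeaderValue = (bool)preg_match('/^' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] . '$/', $hostHeaderValue);
+			static::$allowHostHeaderValue = (bool)preg_match('/^' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] . '$/i', $hostHeaderValue);
 		}
 
 		return static::$allowHostHeaderValue;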
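Review bot: The trustedHostsPattern regex on the last `+` line of the hunk still anchors with `$`, which in PCRE also matches just before a trailing newline, so a host value ending in `\n` would still satisfy the pattern; now that the modifier string is being touched anyway, `'/^' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] . '$/iD'` (or `\z` in place of `$`) pins the match to the real end of the string. Whether a Host header with a trailing newline can reach this code depends on the SAPI, so treat this as belt-and-braces rather than a known bypass. The configured pattern is also concatenated raw between `/` delimiters, so a pattern containing `/` or otherwise invalid makes preg_match() return FALSE and the cast rejects every host; a one-line comment such as `// A malformed pattern makes preg_match() return FALSE, i.e. every host is rejected` would spare an operator debugging a locked-out site. The enclosing method begins before the hunk.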
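--- a/typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php
+++ b/typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php
@@ -1587,6 +1589,8 @@ class GeneralUtilityTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {
 			'two different hostnames without port matching 1st host' => array('helmut.is.secure', '(helmut\.is\.secure|lolli\.is\.secure)'),
 			'two different hostnames without port matching 2nd host' => array('lolli.is.secure', '(helmut\.is\.secure|lolli\.is\.secure)'),
 			'hostname with port matching' => array('lolli.did.this:42', '.*\.did\.this:42'),
+			'hostnames are case insensitive 1' => array('lolli.DID.this:42', '.*\.did.this:42'),
+			'hostnames are case insensitive 2' => array('lolli.did.this:42', '.*\.DID.this:42'),
 		);
 	}
 
@@ -1635,6 +1637,16 @@ class GeneralUtilityTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {
 				'serverPort' => '80',
 				'ssl' => 'Off',
 			),
+			'host value matches server name if compared case insensitive 1' => array(
+				'httpHost' => 'secure.web.server',
+				'serverName' => 'secure.WEB.server',
+				'isAllowed' => TRUE,
+			),
+			'host value matches server name if compared case insensitive 2' => array(
+				'httpHost' => 'secure.WEB.server',
+				'serverName' => 'secure.web.server',
+				'isAllowed' => TRUE,
+			),
 			'host value matches server name and server port is default https' => array(
 				'httpHost' => 'secure.web.server',
 				'serverName' => 'secure.web.server',
@@ -1648,6 +1660,18 @@ class GeneralUtilityTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {
 				'isAllowed' => TRUE,
 				'serverPort' => '88',
 			),
+			'host value matches server name case insensitive 1 and server port' => array(
+				'httpHost' => 'secure.WEB.server:88',
+				'serverName' => 'secure.web.server',
+				'isAllowed' => TRUE,
+				'serverPort' => '88',
+			),
+			'host value matches server name case insensitive 2 and server port' => array(
+				'httpHost' => 'secure.web.server:88',
+				'serverName' => 'secure.WEB.server',
+				'isAllowed' => TRUE,
+				'serverPort' => '88',
+			),
 			'host value is ipv6 but matches server name and server port' => array(
 				'httpHost' => '[::1]:81',
 				'serverName' => '[::1]',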
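Review bot: The two new trustedHostsPattern fixtures in the first hunk use `.*\.did.this:42` and `.*\.DID.this:42` with an unescaped dot between `did` and `this`, whereas the sibling fixture on the line above writes `.*\.did\.this:42`; the test still passes, but the stray wildcard means these cases no longer pin the literal hostname the way the existing one does. Suggest `'hostnames are case insensitive 1' => array('lolli.DID.this:42', '.*\.did\.this:42'),` and the matching `'.*\.DID\.this:42'` for the second entry, so the only variable under test is letter case. The new host-vs-SERVER_NAME cases in the later hunks follow the shape of the existing fixtures and look fine.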