Kohana v3.3.5
This commit is contained in:
Deon George
@@ -2,6 +2,8 @@
|
||||
/**
|
||||
* URL helper class.
|
||||
*
|
||||
* [!!] You need to setup the list of trusted hosts in the `url.php` config file, before starting using this helper class.
|
||||
*
|
||||
* @package Kohana
|
||||
* @category Helpers
|
||||
* @author Kohana Team
|
||||
@@ -14,7 +16,9 @@ class Kohana_URL {
|
||||
* Gets the base URL to the application.
|
||||
* To specify a protocol, provide the protocol as a string or request object.
|
||||
* If a protocol is used, a complete URL will be generated using the
|
||||
* `$_SERVER['HTTP_HOST']` variable.
|
||||
* `$_SERVER['HTTP_HOST']` variable, which will be validated against RFC 952
|
||||
* and RFC 2181, as well as against the list of trusted hosts you have set
|
||||
* in the `url.php` config file.
|
||||
*
|
||||
* // Absolute URL path with no host or protocol
|
||||
* echo URL::base();
|
||||
@@ -75,7 +79,7 @@ class Kohana_URL {
|
||||
$port = ':'.$port;
|
||||
}
|
||||
|
||||
if ($domain = parse_url($base_url, PHP_URL_HOST))
|
||||
if ($host = parse_url($base_url, PHP_URL_HOST))
|
||||
{
|
||||
// Remove everything but the path from the URL
|
||||
$base_url = parse_url($base_url, PHP_URL_PATH);
|
||||
@@ -83,11 +87,32 @@ class Kohana_URL {
|
||||
else
|
||||
{
|
||||
// Attempt to use HTTP_HOST and fallback to SERVER_NAME
|
||||
$domain = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME'];
|
||||
$host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME'];
|
||||
|
||||
// make $host lowercase
|
||||
$host = strtolower($host);
|
||||
|
||||
// check that host does not contain forbidden characters (see RFC 952 and RFC 2181)
|
||||
// use preg_replace() instead of preg_match() to prevent DoS attacks with long host names
|
||||
if ($host && '' !== preg_replace('/(?:^\[)?[a-zA-Z0-9-:\]_]+\.?/', '', $host)) {
|
||||
throw new Kohana_Exception(
|
||||
'Invalid host :host',
|
||||
array(':host' => $host)
|
||||
);
|
||||
}
|
||||
|
||||
// Validate $host, see if it matches trusted hosts
|
||||
if ( ! static::is_trusted_host($host))
|
||||
{
|
||||
throw new Kohana_Exception(
|
||||
'Untrusted host :host. If you trust :host, add it to the trusted hosts in the `url` config file.',
|
||||
array(':host' => $host)
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
// Add the protocol and domain to the base URL
|
||||
$base_url = $protocol.'://'.$domain.$port.$base_url;
|
||||
$base_url = $protocol.'://'.$host.$port.$base_url;
|
||||
}
|
||||
|
||||
return $base_url;
|
||||
@@ -210,4 +235,41 @@ class Kohana_URL {
|
||||
return trim($title, $separator);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test if given $host should be trusted.
|
||||
*
|
||||
* Tests against given $trusted_hosts
|
||||
* or looks for key `trusted_hosts` in `url` config
|
||||
*
|
||||
* @param string $host
|
||||
* @param array $trusted_hosts
|
||||
* @return boolean TRUE if $host is trustworthy
|
||||
*/
|
||||
public static function is_trusted_host($host, array $trusted_hosts = NULL)
|
||||
{
|
||||
|
||||
// If list of trusted hosts is not directly provided read from config
|
||||
if (empty($trusted_hosts))
|
||||
{
|
||||
$trusted_hosts = (array) Kohana::$config->load('url')->get('trusted_hosts');
|
||||
}
|
||||
|
||||
// loop through the $trusted_hosts array for a match
|
||||
foreach ($trusted_hosts as $trusted_host)
|
||||
{
|
||||
|
||||
// make sure we fully match the trusted hosts
|
||||
$pattern = '#^'.$trusted_host.'$#uD';
|
||||
|
||||
// return TRUE if there is match
|
||||
if (preg_match($pattern, $host)) {
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// return FALSE as nothing is matched
|
||||
return FALSE;
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user