Check against trusted_host_patterns in rcube_utils::parse_host()

2026-03-10 10:06:52 +01:00 · 2017-11-07 14:39:57 +00:00
parent 50a9c8f777
commit 5282cbaff9
2 changed files with 21 additions and 12 deletions
--- a/program/lib/Roundcube/rcube_smtp.php
+++ b/program/lib/Roundcube/rcube_smtp.php
@@ -102,8 +102,7 @@ class rcube_smtp
            $helo_host = $CONFIG['smtp_helo_host'];
        }
        else if (!empty($_SERVER['SERVER_NAME'])) {
-            $server_name = rcube_utils::server_name();
-            $helo_host = preg_replace('/:\d+$/', '', $server_name);
+            $helo_host = rcube_utils::server_name();
        }
        else {
            $helo_host = 'localhost';
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -581,11 +581,11 @@ class rcube_utils
        }

        // %n - host
-        $n = preg_replace('/:\d+$/', '', $_SERVER['SERVER_NAME']);
+        $n = self::server_name();
        // %t - host name without first part, e.g. %n=mail.domain.tld, %t=domain.tld
        $t = preg_replace('/^[^\.]+\./', '', $n);
        // %d - domain name without first part
-        $d = preg_replace('/^[^\.]+\./', '', $_SERVER['HTTP_HOST']);
+        $d = preg_replace('/^[^\.]+\./', '', self::server_name($_SERVER['HTTP_HOST']));
        // %h - IMAP host
        $h = $_SESSION['storage_host'] ?: $host;
        // %z - IMAP domain without first part, e.g. %h=imap.domain.tld, %z=domain.tld
@@ -605,23 +605,33 @@ class rcube_utils
    }

    /**
-     * Returns the server name after checking it against trusted hostname patterns,
-     * otherwise returns localhost
+     * Returns the given host name after checking it against trusted hostname
+     * patterns, otherwise returns localhost
+     *
+     * @param string $name Hostname to check; use SERVER_NAME if none is given.
+     * @param boolean $strip_port Strip PORT from the host name; default is true.
     *
     * @return string Server name
     */
-    public static function server_name()
+    public static function server_name($name = null, $strip_port = true)
    {
-        $server_name = $_SERVER['SERVER_NAME'];
+        if (!is_string($name)) {
+            $name = $_SERVER['SERVER_NAME'];
+        }
+
+        if ($strip_port) {
+            $name = preg_replace('/:\d+$/', '', $name);
+        }
+
        $trusted_host_patterns = rcube::get_instance()->config->get('trusted_host_patterns', array());

-        if (empty($trusted_host_patterns) || in_array($server_name, $trusted_host_patterns)) {
-            return $server_name;
+        if (empty($trusted_host_patterns) || in_array($name, $trusted_host_patterns)) {
+            return $name;
        }

        foreach ($trusted_host_patterns as $pattern) {
-            if (preg_match("/$pattern/", $server_name)) {
-                return $server_name;
+            if (preg_match("/$pattern/", $name)) {
+                return $name;
            }
        }