fix: don't fetch own remote collabora url

elzody · elzody · commit f205c9b27cba · 2025-05-01T14:02:08.000-04:00
Signed-off-by: Elizabeth Danzberger &lt;lizzy7128@tutanota.de&gt;
diff --git a/lib/Service/FederationService.php b/lib/Service/FederationService.php
@@ -24,6 +24,7 @@
 use OCP\ICacheFactory;
 use OCP\IRequest;
 use OCP\IURLGenerator;
+use OCP\Security\ITrustedDomainHelper;
 use OCP\Share\IShare;
 use Psr\Container\ContainerExceptionInterface;
 use Psr\Container\NotFoundExceptionInterface;
@@ -43,6 +44,7 @@ public function __construct(
 		private AppConfig $appConfig,
 		private IRequest $request,
 		private IURLGenerator $urlGenerator,
+		private ITrustedDomainHelper $trustedDomainHelper,
 	) {
 		$this->cache = $cacheFactory->createDistributed('richdocuments_remote/');
 		try {
@@ -73,6 +75,11 @@ public function getRemoteCollaboraURL($remote) {
 		if (!$this->isTrustedRemote($remote)) {
 			throw new \Exception('Unable to determine collabora URL of remote server ' . $remote . ' - Remote is not a trusted server');
 		}
+
+		if ($this->trustedDomainHelper->isTrustedUrl($remote)) {
+			return $this->appConfig->getCollaboraUrlInternal();
+		}
+
 		$remoteCollabora = $this->cache->get('richdocuments_remote/' . $remote);
 		if ($remoteCollabora !== null) {
 			return $remoteCollabora;
@@ -91,17 +98,20 @@ public function getRemoteCollaboraURL($remote) {
 		return '';
 	}
 
-	public function isTrustedRemote($domainWithPort) {
-		if (str_starts_with($domainWithPort, 'http://') || str_starts_with($domainWithPort, 'https://')) {
-			$port = parse_url($domainWithPort, PHP_URL_PORT);
-			$domainWithPort = parse_url($domainWithPort, PHP_URL_HOST) . ($port ? ':' . $port : '');
+	public function isTrustedRemote($domain) {
+		if (str_starts_with($domain, 'http://') || str_starts_with($domain, 'https://')) {
+			$parsedDomain = parse_url($domain);
+
+			$fullDomain = $parsedDomain['host'];
+			$fullDomain = $fullDomain . ($parsedDomain['port'] ? ':' . $parsedDomain['port'] : '');
+			$fullDomain = $fullDomain . ($parsedDomain['path'] ?: '');
 		}
 
-		if ($this->appConfig->isTrustedDomainAllowedForFederation() && $this->trustedServers !== null && $this->trustedServers->isTrustedServer($domainWithPort)) {
+		if ($this->appConfig->isTrustedDomainAllowedForFederation() && $this->trustedServers !== null && $this->trustedServers->isTrustedServer($fullDomain)) {
 			return true;
 		}
 
-		$domain = $this->getDomainWithoutPort($domainWithPort);
+		$domain = $this->getDomainWithoutPort($fullDomain);
 
 		$trustedList = array_merge($this->appConfig->getGlobalScaleTrustedHosts(), [$this->request->getServerHost()]);
 		if (!is_array($trustedList)) {
@@ -112,8 +122,13 @@ public function isTrustedRemote($domainWithPort) {
 			if (!is_string($trusted)) {
 				break;
 			}
+
+			// This regular expression ensures that wildcards for trusted domains
+			// are parsed properly in order to match subdomains:
+			// *.example.com => /^[-\.a-zA-Z0-9]*\.example\.com$/i
 			$regex = '/^' . implode('[-\.a-zA-Z0-9]*', array_map(fn ($v) => preg_quote($v, '/'), explode('*', $trusted))) . '$/i';
-			if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) {
+
+			if (preg_match($regex, $domain) || preg_match($regex, $fullDomain)) {
 				return true;
 			}
 		}
