fix: also check path of trusted remote

Signed-off-by: Elizabeth Danzberger <lizzy7128@tutanota.de>

Author: elzody

lib/Service/FederationService.php

@@ -91,17 +91,20 @@ public function getRemoteCollaboraURL($remote) {
 		return '';
 	}
 
-	public function isTrustedRemote($domainWithPort) {
-		if (str_starts_with($domainWithPort, 'http://') || str_starts_with($domainWithPort, 'https://')) {
-			$port = parse_url($domainWithPort, PHP_URL_PORT);
-			$domainWithPort = parse_url($domainWithPort, PHP_URL_HOST) . ($port ? ':' . $port : '');
+	public function isTrustedRemote($domain) {
+		if (str_starts_with($domain, 'http://') || str_starts_with($domain, 'https://')) {
+			$parsedDomain = parse_url($domain);
+
+			$fullDomain = $parsedDomain['host'];
+			$fullDomain = $fullDomain . ($parsedDomain['port'] ? ':' . $parsedDomain['port'] : '');
+			$fullDomain = $fullDomain . ($parsedDomain['path'] ?: '');
 		}
 
-		if ($this->appConfig->isTrustedDomainAllowedForFederation() && $this->trustedServers !== null && $this->trustedServers->isTrustedServer($domainWithPort)) {
+		if ($this->appConfig->isTrustedDomainAllowedForFederation() && $this->trustedServers !== null && $this->trustedServers->isTrustedServer($fullDomain)) {
 			return true;
 		}
 
-		$domain = $this->getDomainWithoutPort($domainWithPort);
+		$domain = $this->getDomainWithoutPort($fullDomain);
 
 		$trustedList = array_merge($this->appConfig->getGlobalScaleTrustedHosts(), [$this->request->getServerHost()]);
 		if (!is_array($trustedList)) {
@@ -113,7 +116,7 @@ public function isTrustedRemote($domainWithPort) {
 				break;
 			}
 			$regex = '/^' . implode('[-\.a-zA-Z0-9]*', array_map(fn ($v) => preg_quote($v, '/'), explode('*', $trusted))) . '$/i';
-			if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) {
+			if (preg_match($regex, $domain) || preg_match($regex, $fullDomain)) {
 				return true;
 			}
 		}