
Commit b8d255a

Merge pull request #61356 from nextcloud/backport/61310/stable33
[stable33] fix(ocm-add-share): adjust domain validation
2 parents c805937 + 2ee814f commit b8d255a

1 file changed

Lines changed: 22 additions & 0 deletions


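--- a/apps/cloud_federation_api/lib/Controller/RequestHandlerController.php
+++ b/apps/cloud_federation_api/lib/Controller/RequestHandlerController.php
@@ -190,6 +190,28 @@ public function addShare($shareWith, $name, $description, $providerId, $owner, $
 $sharedByDisplayName = $ownerDisplayName;
 }
 
+$ownerDomain = str_contains($owner, '@') ? substr(strrchr($owner, '@'), 1) : null;
+$sharedByDomain = str_contains($sharedBy, '@') ? substr(strrchr($sharedBy, '@'), 1) : null;
+$domainsToCheck = array_unique(array_filter([$ownerDomain, $sharedByDomain]));
+if (count($domainsToCheck) !== 0) {
+$spoofChecker = new \Spoofchecker();
+foreach ($domainsToCheck as $domain) {
+// detect suspicious chars (e.g. "pаypаl" spelled with Cyrillic "а" characters)
+// see https://www.php.net/manual/en/spoofchecker.issuspicious.php
+if ($spoofChecker->isSuspicious($domain)) {
+$response = new JSONResponse(
+[
+'message' => 'Suspicious domain detected on owner or sharedBy field',
+'validationErrors' => [],
+],
+Http::STATUS_BAD_REQUEST
+);
+$response->throttle();
+return $response;
+}
+}
+}
+
 try {
 $provider = $this->cloudFederationProviderManager->getCloudFederationProvider($resourceType);
 $share = $this->factory->getCloudFederationShare($shareWith, $name, $description, $providerId, $owner, $ownerDisplayName, $sharedBy, $sharedByDisplayName, '', $shareType, $resourceType);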
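Review bot: The confusable check runs on the raw host string after the last `@`, so a homoglyph domain sent in its Punycode A-label form (`xn--...`, pure ASCII) is never flagged, since `Spoofchecker::isSuspicious()` sees no non-ASCII characters. If the `owner`/`sharedBy` values can carry an IDNA-encoded host — which I would expect for a federated cloud ID — the label should be decoded first, e.g. `$domain = idn_to_utf8($domain, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46) ?: $domain;` before the `isSuspicious` call; both functions come from ext-intl, so this adds no new dependency beyond what `new \Spoofchecker()` already requires. Relatedly, if ext-intl is not guaranteed on every supported install, instantiating `\Spoofchecker` unguarded would turn a remote share request into a fatal error rather than a 400; a one-line comment stating that intl is a hard requirement here would make the intent explicit. The `addShare` method begins and ends outside this hunk, so I could not confirm whether `$owner` and `$sharedBy` are already guaranteed to be strings before `str_contains` is reached.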
