backport webcal access rules from DAV app implementation

Signed-off-by: Georg Ehrke <developer@georgehrke.com>

appinfo/application.php

@@ -58,8 +58,9 @@ class Application extends App {
 			$client = $c->getServer()->getHTTPClientService();
 			$l10n = $c->getServer()->getL10N($c->query('AppName'));
 			$logger = $c->getServer()->getLogger();
+			$config = $c->getServer()->getConfig();
 
-			return new Controller\ProxyController($c->getAppName(), $request, $client, $l10n, $logger);
+			return new Controller\ProxyController($c->getAppName(), $request, $client, $l10n, $logger, $config);
 		});
 
 		$container->registerService('SettingsController', function(IAppContainer $c) {

controller/proxycontroller.php

@@ -30,6 +30,7 @@ use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\DataDisplayResponse;
 use OCP\AppFramework\Controller;
 use OCP\Http\Client\IClientService;
+use OCP\IConfig;
 use OCP\IL10N;
 use OCP\ILogger;
 use OCP\IRequest;
@@ -52,20 +53,28 @@ class ProxyController extends Controller {
 	 */
 	protected $logger;
 
+	/**
+	 * @var IConfig
+	 */
+	protected $config;
+
 	/**
 	 * @param string $appName
 	 * @param IRequest $request an instance of the request
 	 * @param IClientService $client
 	 * @param IL10N $l10n
 	 * @param ILogger $logger
+	 * @param IConfig $config
 	 */
 	public function __construct($appName, IRequest $request,
 								IClientService $client,
-								IL10N $l10n, ILogger $logger) {
+								IL10N $l10n, ILogger $logger,
+								IConfig $config) {
 		parent::__construct($appName, $request);
 		$this->client = $client;
 		$this->l10n = $l10n;
 		$this->logger = $logger;
+		$this->config = $config;
 	}
 
 	/**
@@ -83,6 +92,27 @@ class ProxyController extends Controller {
 			$max_redirects = 5;
 			$done = false;
 
+			$allowLocalAccess = $this->config->getAppValue('dav', 'webcalAllowLocalAccess', 'no');
+			if ($allowLocalAccess !== 'yes') {
+				$host = parse_url($url, PHP_URL_HOST);
+				// remove brackets from IPv6 addresses
+				if (strpos($host, '[') === 0 && substr($host, -1) === ']') {
+					$host = substr($host, 1, -1);
+				}
+
+				if ($host === 'localhost' || substr($host, -6) === '.local' || substr($host, -10) === '.localhost' ||
+					preg_match('/(^127\.)|(^192\.168\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^::1$)|(^[fF][cCdD])/', $host)) {
+					$this->logger->warning("Subscription $url was not refreshed because it violates local access rules");
+
+					$response = new JSONResponse([
+						'message' => $this->l10n->t('URL violates local access rules'),
+						'proxy_code' => 403
+					], Http::STATUS_UNPROCESSABLE_ENTITY);
+
+					return $response;
+				}
+			}
+
 			// try to find a chain of 301s
 			do {
 				$clientResponse = $client->get($queryUrl, [

tests/php/controller/proxycontrollerTest.php

@@ -34,6 +34,7 @@ class ProxyControllerTest extends TestCase {
 	private $client;
 	private $l10n;
 	private $logger;
+	private $config;
 
 	private $newClient;
 	private $response0;
@@ -61,6 +62,9 @@ class ProxyControllerTest extends TestCase {
 		$this->logger = $this->getMockBuilder('\OCP\ILogger')
 			->disableOriginalConstructor()
 			->getMock();
+		$this->config = $this->getMockBuilder('\OCP\IConfig')
+			->disableOriginalConstructor()
+			->getMock();
 
 		$this->newClient = $this->getMockBuilder('\OCP\Http\Client\IClient')
 			->disableOriginalConstructor()
@@ -100,8 +104,12 @@ class ProxyControllerTest extends TestCase {
 				->getMock();
 		}
 
+		$this->config->method('getAppValue')
+			->with('dav', 'webcalAllowLocalAccess', 'no')
+			->willReturn('no');
+
 		$this->controller = new ProxyController($this->appName, $this->request,
-			$this->client, $this->l10n, $this->logger);
+			$this->client, $this->l10n, $this->logger, $this->config);
 	}
 
 	public function testProxy() {