[Web] Add validation for server_name against allow list

2025-12-13 18:06:01 +00:00 · 2025-01-30 11:47:55 +01:00
parent 0ad327bbe5
commit a2e87e0880
2 changed files with 20 additions and 3 deletions
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2275,9 +2275,25 @@ function cors($action, $data = null) {
    break;
  }
 }
-function getBaseURL() {
+function getBaseURL($protocol = null) {
-  $protocol = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http';
+  // Get current server name
-  $host = $_SERVER['SERVER_NAME'];
+  $host = strtolower($_SERVER['SERVER_NAME']);
  // craft allowed server name list
  $mailcow_hostname = strtolower(getenv("MAILCOW_HOSTNAME"));
  $additional_server_names = strtolower(getenv("ADDITIONAL_SERVER_NAMES")) ?: "";
  $additional_server_names = preg_replace('/\s+/', '', $additional_server_names);
  $allowed_server_names = $additional_server_names !== "" ? explode(',', $additional_server_names) : array();
  array_push($allowed_server_names, $mailcow_hostname);
  // Fallback to MAILCOW HOSTNAME if current server name is not in allowed list
  if (!in_array($host, $allowed_server_names)) {
    $host = $mailcow_hostname;
  }
  if (!isset($protocol)) {
    $protocol = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http';
  }
  $base_url = $protocol . '://' . $host;
  return $base_url;
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -174,6 +174,7 @@ services:
        - DEMO_MODE=${DEMO_MODE:-n}
        - WEBAUTHN_ONLY_TRUSTED_VENDORS=${WEBAUTHN_ONLY_TRUSTED_VENDORS:-n}
        - CLUSTERMODE=${CLUSTERMODE:-}
        - ADDITIONAL_SERVER_NAMES=${ADDITIONAL_SERVER_NAMES:-}
      restart: always
      networks:
        mailcow-network: