From ebfeeb220e2fcd04d6fee000963bd47a655a0510 Mon Sep 17 00:00:00 2001
From: Rob Ostensen
Date: Thu, 5 Jan 2012 21:24:02 -0600
Subject: [PATCH] add checks to prevent external binds from being created or updated if curl is missing, add check to setup page

---
 htdocs/setup.php | 10 +++++++++-
 inc/caldav-BIND.php | 6 ++++--
 inc/external-fetch.php | 14 ++++++++++++++
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/htdocs/setup.php b/htdocs/setup.php
index 7ba5b176..86604aa4 100644
--- a/htdocs/setup.php
+++ b/htdocs/setup.php
@@ -107,6 +107,13 @@ function check_magic_quotes_runtime() {
   return new CheckResult( (get_magic_quotes_runtime() == 0) );
 }
+function check_curl() {
+  global $phpinfo, $loaded_extensions;
+
+  if (!function_exists('curl_init')) return new CheckResult(false);
+  return new CheckResult(isset($loaded_extensions['curl']));
+}
+
 $loaded_extensions = array_flip(get_loaded_extensions());
@@ -255,7 +262,8 @@ function build_dependencies_table( ) {
     translate('Suhosin "server.strip" disabled') => 'check_suhosin_server_strip',
     translate('PHP Magic Quotes GPC off') => 'check_magic_quotes_gpc',
     translate('PHP Magic Quotes runtime off') => 'check_magic_quotes_runtime',
-    translate('PHP calendar extension available') => 'check_calendar'
+    translate('PHP calendar extension available') => 'check_calendar',
+    translate('PHP curl support') => 'check_curl'
   );
   if ( isset($c->authenticate_hook) && isset($c->authenticate_hook['call']) && $c->authenticate_hook['call'] == 'LDAP_check') {
diff --git a/inc/caldav-BIND.php b/inc/caldav-BIND.php
index ed104aaf..d93a7fa9 100644
--- a/inc/caldav-BIND.php
+++ b/inc/caldav-BIND.php
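Review bot: `check_curl` declares `global $phpinfo` but never reads it; only `$loaded_extensions` is used, so the declaration should be `global $loaded_extensions;`. The second test is also redundant: once `function_exists('curl_init')` is true the curl extension is loaded (barring a userland shim), so `isset($loaded_extensions['curl'])` cannot give a different answer and the body reduces to `return new CheckResult( function_exists('curl_init') );`. `$loaded_extensions` is only assigned on the line after the function, which works if `check_curl` is presumably invoked later through the table in `build_dependencies_table`, but if the lookup is kept it deserves a comment such as `// relies on $loaded_extensions being populated below, before the dependency table is built`.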
@@ -47,8 +47,10 @@ if ( $destination->Exists() ) {
   $request->PreconditionFailed(403,'DAV::can-overwrite',translate('A resource already exists at the destination.'));
 }
-if ( preg_match ( '{^https?://[A-Za-z][^/]*/.+$}', $href ) && ! stripos( $href, 'localhost' ) < 9
-    && ! stripos( $href, '127.0.0.1' ) < 9 && ! stripos( $href, $_SERVER['SERVER_NAME'] ) < 9 && ! stripos( $href, $_SERVER['SERVER_ADDR'] ) < 9 ) {
+// external binds shouldn't ever point back to ourselves but they should be a valid http[s] url
+if ( preg_match ( '{^https?://([^/]+)(:[0-9]\+)?/.+$}', $href, $matches ) &&
+    strcasecmp( $matches[0], 'localhost' ) !== 0 && strcasecmp( $matches[0], '127.0.0.1' ) !== 0
+    && strcasecmp( $matches[0], $_SERVER['SERVER_NAME'] ) !== 0 && strcasecmp( $matches[0], $_SERVER['SERVER_ADDR'] ) !== 0 ) {
   require_once('external-fetch.php');
   $qry = new AwlQuery( );
   $qry->QDo('SELECT collection_id FROM collection WHERE dav_name = :dav_name ', array( ':dav_name' => '/.external/'. md5($href) ));
diff --git a/inc/external-fetch.php b/inc/external-fetch.php
index 8f32bee2..b5d5366d 100644
--- a/inc/external-fetch.php
+++ b/inc/external-fetch.php
@@ -13,6 +13,11 @@ function create_external ( $path,$is_calendar,$is_addressbook )
 {
   global $request;
+  if ( ! function_exists ( "curl_init" ) ) {
+    dbg_error_log("external", "external resource cannot be fetched without curl, please install curl");
+    $request->DoResponse( 503, translate('PHP5 curl support is required for external binds') );
+    return ;
+  }
   $resourcetypes = '';
   if ($is_calendar) $resourcetypes .= '';
   $qry = new AwlQuery();
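Review bot: The self-reference guard in the new `if` compares `$matches[0]`, which is the entire matched URL, so none of the four `strcasecmp` calls can ever return 0 and the condition still admits binds that point at localhost, 127.0.0.1 or this server's own name or address; the captured host is `$matches[1]`. Even `$matches[1]` still carries any `user:pass@` prefix and `:port` suffix because `[^/]+` is greedy (which also makes the following `(:[0-9]\+)?` group unreachable, and `\+` there matches a literal plus rather than repeating the digit), so taking the host from `parse_url( $href, PHP_URL_HOST )` is the more reliable source for the comparison. A name/address string comparison still leaves IPv6 loopback and other local interface addresses unhandled, so this should be read as a sanity filter rather than a complete guard against the server fetching from itself. The `if` body continues past the end of the hunk.
```php
// external binds shouldn't ever point back to ourselves but they should be a valid http[s] url
$host = parse_url( $href, PHP_URL_HOST );
if ( preg_match ( '{^https?://[^/]+/.+$}', $href ) && is_string( $host ) && $host !== ''
    && strcasecmp( $host, 'localhost' ) !== 0 && strcasecmp( $host, '127.0.0.1' ) !== 0
    && strcasecmp( $host, $_SERVER['SERVER_NAME'] ) !== 0 && strcasecmp( $host, $_SERVER['SERVER_ADDR'] ) !== 0 ) {
  // … unchanged: require_once and the collection lookup …
```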
@@ -36,6 +41,11 @@ function create_external ( $path,$is_calendar,$is_addressbook )
 function fetch_external ( $bind_id, $min_age )
 {
+  if ( ! function_exists ( "curl_init" ) ) {
+    dbg_error_log("external", "external resource cannot be fetched without curl, please install curl");
+    $request->DoResponse( 503, translate('PHP5 curl support is required for external binds') );
+    return ;
+  }
   $sql = 'SELECT collection.*, collection.dav_name AS path, dav_binding.external_url AS external_url FROM dav_binding LEFT JOIN collection ON (collection.collection_id=bound_source_id) WHERE bind_id = :bind_id';
   $params = array( ':bind_id' => $bind_id );
   if ( strlen ( $min_age ) > 2 ) {
@@ -83,6 +93,10 @@ function update_external ( $request )
   global $c;
   if ( $c->external_refresh < 1 ) return ;
+  if ( ! function_exists ( "curl_init" ) ) {
+    dbg_error_log("external", "external resource cannot be fetched without curl, please install curl");
+    return ;
+  }
   $sql = 'SELECT bind_id from dav_binding LEFT JOIN collection ON (collection.collection_id=bound_source_id) WHERE dav_binding.dav_name = :dav_name AND collection.modified + interval :interval < NOW()';
   $qry = new AwlQuery( $sql, array ( ':dav_name' => $request->dav_name(), ':interval' => $c->external_refresh . ' minutes' ) );
   dbg_error_log("external", "checking if external resource needs update");
-- 
2.11.4.GIT
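Review bot: In `fetch_external` the new guard calls `$request->DoResponse(...)`, but `$request` is neither a parameter of this function nor declared `global` before that line (unlike `create_external`, where `global $request;` is in view), so when curl is missing this line fails with a method call on a non-object instead of returning the intended 503. Either add `global $request;` ahead of the check, or drop the `DoResponse` call and only log and return, as the `update_external` hunk does. The same check now appears three times in this file; a small helper such as `function external_curl_available() { return function_exists('curl_init'); }` carrying the log line would keep the message and the test in one place. The body of `fetch_external` continues beyond the hunk.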