chore: always execute parse_url in preventLocalAddress

This change should make it easier to spot wrong uses of the HTTP client on development setups where allow_local_remote_servers is usually true. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2026-06-11 09:42:09 -04:00 · 2024-09-30 13:05:19 +02:00 · 2024-09-30 13:05:19 +02:00 · 6be00432b7
commit 6be00432b7
parent 870816466f
2 changed files with 12 additions and 5 deletions
--- a/lib/private/Http/Client/Client.php
+++ b/lib/private/Http/Client/Client.php
@ -158,14 +158,15 @@ class Client implements IClient {
 	}

 	protected function preventLocalAddress(string $uri, array $options): void {
-		if ($this->isLocalAddressAllowed($options)) {
-			return;
-		}
-
 		$host = parse_url($uri, PHP_URL_HOST);
 		if ($host === false || $host === null) {
 			throw new LocalServerException('Could not detect any host');
 		}
+
+		if ($this->isLocalAddressAllowed($options)) {
+			return;
+		}
+
 		if (!$this->remoteHostValidator->isValid($host)) {
 			throw new LocalServerException('Host "' . $host . '" violates local access rules');
 		}
--- a/tests/lib/Http/Client/ClientTest.php
+++ b/tests/lib/Http/Client/ClientTest.php
@ -130,6 +130,13 @@ class ClientTest extends \Test\TestCase {
 		], self::invokePrivate($this->client, 'getProxyUri'));
 	}

+	public function testPreventLocalAddressThrowOnInvalidUri(): void {
+		$this->expectException(LocalServerException::class);
+		$this->expectExceptionMessage('Could not detect any host');
+
+		self::invokePrivate($this->client, 'preventLocalAddress', ['!@#$', []]);
+	}
+
 	public function dataPreventLocalAddress():array {
 		return [
 			['https://localhost/foo.bar'],
@ -146,7 +153,6 @@ class ClientTest extends \Test\TestCase {
 			['https://10.0.0.1'],
 			['https://another-host.local'],
 			['https://service.localhost'],
-			['!@#$', true], // test invalid url
 			['https://normal.host.com'],
 			['https://com.one-.nextcloud-one.com'],
 		];