From 555ab61f2313f45d7d5d138656420ead536c5d30 Mon Sep 17 00:00:00 2001
From: Ben Thomson
Date: Tue, 5 Jan 2021 02:35:47 +0800
Subject: [PATCH] Add app.trustedHosts config and force host checks on password reset (#5423)

Add app.trustedHosts config and force host checks on backend password reset.
Related: https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d
---
 config/app.php | 32 +++++++++++++++++++++++++++-
 modules/backend/controllers/Auth.php | 15 +++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/config/app.php b/config/app.php
index 56e4959ab..d0178f422 100644
--- a/config/app.php
+++ b/config/app.php
@@ -43,6 +43,36 @@ return [
 
 'url' => 'http://localhost',
 
+ /*
+ |--------------------------------------------------------------------------
+ | Trusted hosts
+ |--------------------------------------------------------------------------
+ |
+ | You may specify valid hosts for your application as an array or boolean
+ | below. This helps prevent host header poisoning attacks.
+ |
+ | Possible values:
+ | - `true`: Trust the host specified in app.url, as well as the "www"
+ | subdomain, if applicable.
+ | - `false`: Disable the trusted hosts feature.
+ | - array: Defines the domains to be trusted hosts. Each item should be
+ | a string defining a domain, IP address, or a regex pattern.
+ |
+ | Example of array values:
+ |
+ | 'trustedHosts' => [
+ | 'example.com', // Matches just example.com
+ | 'www.example.com', // Matches just www.example.com
+ | '^(.+\.)?example\.com$', // Matches example.com and all subdomains
+ | 'https://example.com', // Matches just example.com
+ | ],
+ |
+ | NOTE: Even when set to `false`, this functionality is explicitly enabled
+ | on the Backend password reset flow for security reasons.
+ */
+
+ 'trustedHosts' => true,
+
 /*
 |--------------------------------------------------------------------------
 | Application Timezone
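Review bot: The new comment block for `trustedHosts` allows regex entries but never says they have to be anchored. If the entries reach Symfony's `Request::setTrustedHosts()` as patterns, as the Auth.php hunk of this commit suggests, they are matched without implicit anchors, so a pattern missing `^` and `$` would trust more hosts than the operator intended. I would add a line such as `| Regex patterns must be anchored with ^ and $, otherwise partial matches are trusted.` next to the regex example. The comment should also say that `true` is only as good as `app.url`, which still defaults to `http://localhost` a few lines above, so the feature presumably trusts only localhost until that value is set.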
@@ -148,7 +178,7 @@ return [
 */
 
 'loadDiscoveredPackages' => false,
-
+
 /*
 |--------------------------------------------------------------------------
 | Class Aliases
diff --git a/modules/backend/controllers/Auth.php b/modules/backend/controllers/Auth.php
index 7bd8d59ac..003df9955 100644
--- a/modules/backend/controllers/Auth.php
+++ b/modules/backend/controllers/Auth.php
@@ -13,6 +13,7 @@ use ApplicationException;
 use ValidationException;
 use Exception;
 use Config;
+use October\Rain\Foundation\Http\Middleware\CheckForTrustedHost;
 
 /**
 * Authentication controller
@@ -147,6 +148,20 @@ class Auth extends Controller
 */
 public function restore_onSubmit()
 {
+ // Force Trusted Host verification on password reset link generation
+ // regardless of config to protect against host header poisoning
+ $trustedHosts = Config::get('app.trustedHosts', false);
+ if ($trustedHosts === false) {
+ $hosts = CheckForTrustedHost::processTrustedHosts(true);
+
+ if (count($hosts)) {
+ Request::setTrustedHosts($hosts);
+
+ // Trigger the host validation logic
+ Request::getHost();
+ }
+ }
+
 $rules = [
 'login' => 'required|between:2,255'
 ];
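Review bot: The guard `if (count($hosts))` in `restore_onSubmit()` fails open. When `CheckForTrustedHost::processTrustedHosts(true)` returns an empty list (presumably when `app.url` is unset or cannot be parsed; that method is not shown here), no trusted hosts are registered and `Request::getHost()` is never called, so the reset flow carries on with whatever Host header arrived even though the comment says the check is forced. The outer test has a similar gap: only `$trustedHosts === false` enters the branch, so an empty array or `null` in `app.trustedHosts` skips it as well. Consider failing closed when `$hosts` is empty, for example by throwing the already-imported `ApplicationException` with a message telling the operator to configure `app.url`, or at minimum logging that the check was skipped. The function body continues past the end of the hunk, so whether the exception raised by `Request::getHost()` on an untrusted host is caught further down cannot be told from here.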