TPS/birzha
TPS
/
birzha
5
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add app.trustedHosts config and force host checks on password reset (#5423) 

Add app.trustedHosts config and force host checks on backend password reset.

Related: f29865ae3d
This commit is contained in:
Ben Thomson 2021-01-05 02:35:47 +08:00 committed by GitHub
parent 786d59eff8
commit 555ab61f23
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
config/app.php
View File

@ -43,6 +43,36 @@ return [
'url' => 'http://localhost', 'url' => 'http://localhost',
/*
|--------------------------------------------------------------------------
| Trusted hosts
|--------------------------------------------------------------------------
|
| You may specify valid hosts for your application as an array or boolean
| below. This helps prevent host header poisoning attacks.
|
| Possible values:
| - `true`: Trust the host specified in app.url, as well as the "www"
| subdomain, if applicable.
| - `false`: Disable the trusted hosts feature.
| - array: Defines the domains to be trusted hosts. Each item should be
| a string defining a domain, IP address, or a regex pattern.
|
| Example of array values:
|
| 'trustedHosts' => [
| 'example.com', // Matches just example.com
| 'www.example.com', // Matches just www.example.com
| '^(.+\.)?example\.com$', // Matches example.com and all subdomains
| 'https://example.com', // Matches just example.com
| ],
|
| NOTE: Even when set to `false`, this functionality is explicitly enabled
| on the Backend password reset flow for security reasons.
*/
'trustedHosts' => true,
/* /*
|-------------------------------------------------------------------------- |--------------------------------------------------------------------------
| Application Timezone | Application Timezone
@ -148,7 +178,7 @@ return [
*/ */
'loadDiscoveredPackages' => false, 'loadDiscoveredPackages' => false,
/* /*
|-------------------------------------------------------------------------- |--------------------------------------------------------------------------
| Class Aliases | Class Aliases

15
modules/backend/controllers/Auth.php
View File

@ -13,6 +13,7 @@ use ApplicationException;
use ValidationException; use ValidationException;
use Exception; use Exception;
use Config; use Config;
use October\Rain\Foundation\Http\Middleware\CheckForTrustedHost;
/** /**
* Authentication controller * Authentication controller
@ -147,6 +148,20 @@ class Auth extends Controller
*/ */
public function restore_onSubmit() public function restore_onSubmit()
{ {
// Force Trusted Host verification on password reset link generation
// regardless of config to protect against host header poisoning
$trustedHosts = Config::get('app.trustedHosts', false);
if ($trustedHosts === false) {
$hosts = CheckForTrustedHost::processTrustedHosts(true);
if (count($hosts)) {
Request::setTrustedHosts($hosts);
// Trigger the host validation logic
Request::getHost();
}
}
$rules = [ $rules = [
'login' => 'required|between:2,255' 'login' => 'required|between:2,255'
]; ];