Add app.trustedHosts config and force host checks on password reset (#5423)

Add app.trustedHosts config and force host checks on backend password reset. Related: f29865ae3d
2021-01-05 02:35:47 +08:00 · 2021-01-05 02:35:47 +08:00 · 555ab61f23
parent 786d59eff8
commit 555ab61f23
2 changed files with 46 additions and 1 deletions
--- a/config/app.php
+++ b/config/app.php
@ -43,6 +43,36 @@ return [

    'url' => 'http://localhost',

+    /*
+    |--------------------------------------------------------------------------
+    | Trusted hosts
+    |--------------------------------------------------------------------------
+    |
+    | You may specify valid hosts for your application as an array or boolean
+    | below. This helps prevent host header poisoning attacks.
+    |
+    | Possible values:
+    |  - `true`: Trust the host specified in app.url, as well as the "www"
+    |            subdomain, if applicable.
+    |  - `false`: Disable the trusted hosts feature.
+    |  - array: Defines the domains to be trusted hosts. Each item should be
+    |           a string defining a domain, IP address, or a regex pattern.
+    |
+    | Example of array values:
+    |
+    |    'trustedHosts' => [
+    |       'example.com',           // Matches just example.com
+    |       'www.example.com',       // Matches just www.example.com
+    |       '^(.+\.)?example\.com$', // Matches example.com and all subdomains
+    |       'https://example.com',   // Matches just example.com
+    |    ],
+    |
+    | NOTE: Even when set to `false`, this functionality is explicitly enabled
+    | on the Backend password reset flow for security reasons.
+    */
+
+    'trustedHosts' => true,
+
    /*
    |--------------------------------------------------------------------------
    | Application Timezone
@ -148,7 +178,7 @@ return [
    */

    'loadDiscoveredPackages' => false,
-    
+
    /*
    |--------------------------------------------------------------------------
    | Class Aliases
--- a/modules/backend/controllers/Auth.php
+++ b/modules/backend/controllers/Auth.php
@ -13,6 +13,7 @@ use ApplicationException;
 use ValidationException;
 use Exception;
 use Config;
+use October\Rain\Foundation\Http\Middleware\CheckForTrustedHost;

 /**
 * Authentication controller
@ -147,6 +148,20 @@ class Auth extends Controller
     */
    public function restore_onSubmit()
    {
+        // Force Trusted Host verification on password reset link generation
+        // regardless of config to protect against host header poisoning
+        $trustedHosts = Config::get('app.trustedHosts', false);
+        if ($trustedHosts === false) {
+            $hosts = CheckForTrustedHost::processTrustedHosts(true);
+
+            if (count($hosts)) {
+                Request::setTrustedHosts($hosts);
+
+                // Trigger the host validation logic
+                Request::getHost();
+            }
+        }
+
        $rules = [
            'login' => 'required|between:2,255'
        ];