
Merge branch '1.1'

mariuswilms committed May 25, 2017
2 parents b437f84 + 714c112 commit ba5ea22f13cf8e4287626dc70f61fb5aa090c96e
Showing with 23 additions and 1 deletion.
  1. +23 −1 app/config/bootstrap/action.php
@@ -18,10 +18,11 @@
* @see lithium\aop\Filters
*/
+use Exception;
use lithium\action\Dispatcher;
use lithium\aop\Filters;
-use lithium\core\Libraries;
use lithium\core\Environment;
+use lithium\core\Libraries;
/**
* This filter intercepts the `run()` method of the `Dispatcher`, and first passes the `'request'`
@@ -53,4 +54,25 @@
return $next($params);
});
+/**
+ * This filter protects against HTTP host header attacks, by matching the `Host` header
+ * sent by the client against a known list of good hostnames. You'll need to modify
+ * the list of hostnames inside the filter before using it.
+ *
+ * @link http://li3.me/docs/book/manual/1.x/quality-code/security
+ * @link http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
+ */
+// Filters::apply(Dispatcher::class, 'run', function($params, $next) {
+// $whitelist = [
+// 'example.org',
+// 'www.example.org'
+// ];
+// foreach ($whitelist as $host) {
+// if ($params['request']->host === $host) {
+// return $next($params);
+// }
+// }
+// throw new Exception('Suspicious Operation');
+// });
+
?>
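Review bot: The `if` inside the `foreach` compares `$params['request']->host` with strict, case-sensitive equality, so a `Host` value carrying a port (`example.org:8080`) or different casing is rejected; that fails closed, which is the right default, but it should be stated in the docblock so a user who hits it does not loosen the check to a substring or regex match. The loop itself collapses to the idiomatic `if (in_array($params['request']->host, $whitelist, true)) { return $next($params); }`. The bare `throw new Exception('Suspicious Operation');` gives callers nothing to catch selectively; a dedicated exception class (or at least `RuntimeException`) would let the error-handling layer turn it into a 400 without masking unrelated failures. Whether `->host` on the action request is the raw header or an already-normalised value is not visible here and should be confirmed against `lithium\action\Request` before relying on the comparison. The whole filter is commented out, so none of this is active until a deployer uncomments it and edits the list, as the docblock says.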
