Problem when specifying trusted_hosts

[teohhanhui]

1. Untrusted Host "localhost" when fixing the Request for filters.
2. Untrusted Host "schema.org", etc. (from external IRI) when calling IriConverter::getItemFromIri.

[dunglas]

I'm not sure to understand what's going on. Do you have a more detailed example?

[teohhanhui]

Try setting trusted_hosts in your app/config.yml. You should get the same problem.

[bwegrzyn]

Running in to this issue as well. It seems to be because I have trusted hosts specified that do not include "localhost". When retrieving an item by IRI (/countries/0368c044-1bc9-4976-8f8e-299b09d11626), ApiPlatform\Core\Bridge\Symfony\Routing\Router creates a new RequestContext that does not copy over the host, which results in Request->getHost() throwing SuspiciousOperationException because a blank/localhost host is not part of the trusted hosts.

@dunglas Can we get this fixed? It makes it impossible to use the this library while specifying trusted hosts in Symfony. IMO, this should be classified as a security issue as the only way to get this working is to not specify any trusted hosts or add localhost to the list.

https://symfony.com/doc/current/reference/configuration/framework.html#trusted-hosts
https://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released#cve-2013-4752-request-gethost-poisoning

[bwegrzyn]

There was this pull request #1620 which sets the hosts based on the previous request context, but it happens too late. Symfony validates the Host against trusted hosts when you call (new RequestContext())->fromRequest($request) a few lines above.

[Simperfit]

@bwegrzyn Do you want to try to provide a pull request to fix this ?