Skip to content
Permalink
Browse files
Add app.trustedHosts config and force host checks on password reset (#…
…5423)

Add app.trustedHosts config and force host checks on backend password reset.

Related: octobercms/library@f29865a
(cherry picked from commit f555ab6)
  • Loading branch information
bennothommo authored and Luke Towers committed Jan 4, 2021
1 parent ea67b61 commit f638d3f78cfe91d7f6658820f9d5e424306a3db0
Showing with 45 additions and 0 deletions.
  1. +30 −0 config/app.php
  2. +15 −0 modules/backend/controllers/Auth.php
@@ -43,6 +43,36 @@

'url' => 'http://localhost',

/*
|--------------------------------------------------------------------------
| Trusted hosts
|--------------------------------------------------------------------------
|
| You may specify valid hosts for your application as an array or boolean
| below. This helps prevent host header poisoning attacks.
|
| Possible values:
| - `true`: Trust the host specified in app.url, as well as the "www"
| subdomain, if applicable.
| - `false`: Disable the trusted hosts feature.
| - array: Defines the domains to be trusted hosts. Each item should be
| a string defining a domain, IP address, or a regex pattern.
|
| Example of array values:
|
| 'trustedHosts' => [
| 'example.com', // Matches just example.com
| 'www.example.com', // Matches just www.example.com
| '^(.+\.)?example\.com$', // Matches example.com and all subdomains
| 'https://example.com', // Matches just example.com
| ],
|
| NOTE: Even when set to `false`, this functionality is explicitly enabled
| on the Backend password reset flow for security reasons.
*/

'trustedHosts' => true,

/*
|--------------------------------------------------------------------------
| Application Timezone
@@ -13,6 +13,7 @@
use ValidationException;
use Exception;
use Config;
use October\Rain\Foundation\Http\Middleware\CheckForTrustedHost;

/**
* Authentication controller
@@ -147,6 +148,20 @@ public function restore()
*/
public function restore_onSubmit()
{
// Force Trusted Host verification on password reset link generation
// regardless of config to protect against host header poisoning
$trustedHosts = Config::get('app.trustedHosts', false);
if ($trustedHosts === false) {
$hosts = CheckForTrustedHost::processTrustedHosts(true);

if (count($hosts)) {
Request::setTrustedHosts($hosts);

// Trigger the host validation logic
Request::getHost();
}
}

$rules = [
'login' => 'required|between:2,255'
];

0 comments on commit f638d3f

Please sign in to comment.