
Pico::getBaseUrl(): Improve hostname detection with proxies

1 parent 381b339 commit d9393df4fae2f8480e827ecf8ce8dbb95b9f9f91 @PhrozenByte PhrozenByte committed Nov 23, 2016
Showing with 13 additions and 3 deletions.
  1. +1 −0 CHANGELOG.md
  2. +12 −3 lib/Pico.php
@@ -6,6 +6,7 @@ Released: -
```
* [Changed] Improve documentation
+* [Fixed] Improve hostname detection with proxies
```
### Version 1.0.4
@@ -1237,6 +1237,10 @@ protected function getTwigVariables()
/**
* Returns the base URL of this Pico instance
*
+ * Security Notice: You MUST configure Pico's base URL explicitly when
+ * using the base URL in contexts that are potentially vulnerable to
+ * HTTP Host Header Injection attacks (e.g. when generating emails).
+ *
* @return string the base url
*/
public function getBaseUrl()
@@ -1256,9 +1260,14 @@ public function getBaseUrl()
$protocol = 'https';
}
- $this->config['base_url'] =
- $protocol . "://" . $_SERVER['HTTP_HOST']
- . rtrim(dirname($_SERVER['SCRIPT_NAME']), '/\\') . '/';
+ $host = $_SERVER['SERVER_NAME'];
+ if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
+ $host = $_SERVER['HTTP_X_FORWARDED_HOST'];
+ } elseif (!empty($_SERVER['HTTP_HOST'])) {
+ $host = $_SERVER['HTTP_HOST'];
+ }
+
+ $this->config['base_url'] = $protocol . "://" . $host . rtrim(dirname($_SERVER['SCRIPT_NAME']), '/\\') . '/';
return $this->getConfig('base_url');
}
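Review bot: The new `HTTP_X_FORWARDED_HOST` branch is honored unconditionally, so on a deployment with no reverse proxy in front of it any client can set that header and choose the host that lands in `base_url` — the exposure the added Security Notice warns about is now reachable from a plain request rather than only through a permissive vhost, since `HTTP_HOST` is no longer the first choice. Consider consulting the forwarded header only when the deployment opts in (a trusted-proxy config key — a placeholder here, since the page does not name one) and otherwise keeping the `HTTP_HOST` → `SERVER_NAME` order. The header may also carry a comma-separated chain when several proxies are traversed; taking only the first entry, `$host = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_HOST'], 2)[0]);`, avoids emitting a multi-host value into the URL. The body of getBaseUrl() begins outside this hunk (the earlier hunk shows only its docblock and signature).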

