Piwik config should contain a list of valid hosts (where the Piwik server resides) to either validate $_SERVER['HTTP_HOST'], or use in place of, when generating absolute URLs.
maybe we should do like WordPress and require users to specify the piwik URL and never rely on HTTP_HOST?
It's quite a bit less user-friendly to do so, but maybe useful?
Sure, we can make it configurable.
We can also set it initially using the URL at the time of installation, and/or the first website's URL.
(In ) refs #3080 - backend implementation of trusted_hosts validation; need front-end UI for runtime configuration
Well done vipsoft, excellent improvement! :)
Is there any other work apart from updating the FAQ to do before closing the ticket?
Is there any other work apart from updating the FAQ?
(In ) Refs #3080
Specification for fixing this issue nicely:
Anytime in Piwik reports or admin
After the installation, when using Piwik and the Host is different from the recorded Piwik URL, display a yellow warning that warns users about a possible Host hijack, and link to edit the hostname (to keep migration easy for users).
You are now accessing Piwik from http://injected-host/path/piwik, but Piwik has been configured to run at this address: <a>http://valid-host/path/piwik</a>.
(if user is super user) Piwik may be misconfigured (for example, if Piwik was recently migrated to a new server or URL). You can either use $injected-host as the valid Piwik hostname, or go to $valid-host to access Piwik safely.
(if not super user) <a>Click to go to http://valid-host/path/piwik</a> to access Piwik safely and remove this warning. You may also contact your Piwik administrator and notify them about this warning (<a href="mailto:superuser@host?subject=Piwik Hostname Message at this URL URL: http://$injected-host/path/piwik">click here to email</a>).
New simple Admin UI
Allows the Super User only to view & change the valid Piwik hostname.
It is NOT safe to whitelist hostnames without an extension, eg "mydev" or "server-test-001".
The config file currently allows specifying several hostnames:
; List of trusted hosts (eg domain or subdomain names) when generating absolute URLs.
;trusted_hosts = example.com
;trusted_hosts = stats.example.com
add an installation test that curls to http://127.0.0.1/piwik-path/some-static-resource
Important security: as well as displaying a notice when the header is injected in the UI, we should ensure that password reset emails are only sent with trusted hosts
See also #3220
Increasing priority since it has security implications and will improve general safety.
I updated the spec at #3080
This is high priority for 1.9.1 Must do :)
(In ) Refs #3080, added trusted host admin UI, display warning in login, normal & admin screens if hostname is not trusted, and make sure password reset is not possible if hostname is not trusted.
My last commit does everything necessary for this ticket, only thing left is the FAQ entry and Learn more link. However, I added a description to the Trusted Hosts admin section, so maybe it's not needed anymore?
Piwik shouldn't be allowed to run with an empty trusted_host, or this security won't be used! So whenever Piwik is accessed with an empty trusted_host AND the hostname is set AND the user is super user, then we should write the current host as trusted_host.
signature of getCurrentHost was changed but it's still called with old signature in Mail.php and Nonce.php
The default view, for 99% of users, will have only one hostname. So, the default view should be something very simple such as:
UX: You can either use XX as the valid Piwik hostname --> Should be more clear and instructional maybe "Click here, then Add a new Hostname 'XXXX' if you trust it" or similar. All UIs should be clear on the next step to fix the issue :-)
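As an added illustration of the checks discussed in this ticket (exact matching of the request Host against the trusted_hosts list, the yellow warning for super users and normal users, recording the current host when a super user hits an empty list, and refusing password reset on an untrusted host), here is example PHP that is not Piwik's own code. The function names, the $path parameter, the $_SERVER fallback value and the sample host list are assumptions made for this example:

```php
<?php
// Added example, not Piwik's own code: trusted-host checks matching the
// behaviour described in this ticket. Function names, the $path parameter
// and the fallback host value are assumptions made for the illustration.

/**
 * Lower-case the host and strip any port so that "Stats.Example.com:8443"
 * compares equal to the configured "stats.example.com".
 * IPv6 literals ("[::1]:8080") keep their brackets and lose only the port.
 */
function normalizeHost(string $host): string
{
    $host = strtolower(trim($host));
    if ($host !== '' && $host[0] === '[') {
        $end = strpos($host, ']');
        return $end === false ? '' : substr($host, 0, $end + 1);
    }
    $colon = strpos($host, ':');
    return $colon === false ? $host : substr($host, 0, $colon);
}

/**
 * Exact match against the trusted_hosts list. No regular expression is
 * involved, so a config value can never widen the match by accident.
 */
function isHostTrusted(string $requestHost, array $trustedHosts): bool
{
    $host = normalizeHost($requestHost);
    if ($host === '') {
        return false;
    }
    foreach ($trustedHosts as $trusted) {
        if (normalizeHost((string) $trusted) === $host) {
            return true;
        }
    }
    return false;
}

/**
 * First super-user visit with an empty list: record the current host so the
 * check is never silently disabled. Returns the possibly updated list.
 */
function bootstrapTrustedHosts(array $trustedHosts, string $requestHost, bool $isSuperUser): array
{
    $host = normalizeHost($requestHost);
    if ($trustedHosts === [] && $host !== '' && $isSuperUser) {
        $trustedHosts[] = $host;
    }
    return $trustedHosts;
}

/**
 * Text of the yellow warning from the spec, or null when the host is trusted.
 * Both host names are HTML-escaped because they are echoed into the page;
 * $path is the Piwik path, e.g. "/path/piwik".
 */
function hostWarning(string $requestHost, array $trustedHosts, bool $isSuperUser, string $path): ?string
{
    if (isHostTrusted($requestHost, $trustedHosts)) {
        return null;
    }
    $injected = htmlspecialchars(normalizeHost($requestHost), ENT_QUOTES, 'UTF-8');
    $valid    = htmlspecialchars(normalizeHost((string) ($trustedHosts[0] ?? '')), ENT_QUOTES, 'UTF-8');
    $msg = "You are now accessing Piwik from http://$injected$path, but Piwik has been "
         . "configured to run at this address: http://$valid$path. ";
    if ($isSuperUser) {
        $msg .= "Piwik may be misconfigured (for example, if Piwik was recently migrated). "
              . "You can either add $injected as a valid Piwik hostname, or go to $valid to access Piwik safely.";
    } else {
        $msg .= "Go to http://$valid$path to access Piwik safely, or notify your Piwik administrator.";
    }
    return $msg;
}

/**
 * Password reset links embed the host, so they are only sent when the host is
 * trusted; otherwise a client-supplied Host header would end up in the email.
 */
function canSendPasswordReset(string $requestHost, array $trustedHosts): bool
{
    return isHostTrusted($requestHost, $trustedHosts);
}

// Demonstration with a constructed config; in Piwik the list would come from
// the trusted_hosts[] entries of config.ini.php.
$trustedHosts = ['example.com', 'stats.example.com'];
$requestHost  = $_SERVER['HTTP_HOST'] ?? 'injected-host';  // constructed fallback
$trustedHosts = bootstrapTrustedHosts($trustedHosts, $requestHost, true);
$warning = hostWarning($requestHost, $trustedHosts, false, '/path/piwik');
if ($warning !== null) {
    echo $warning, PHP_EOL;
}
if (!canSendPasswordReset($requestHost, $trustedHosts)) {
    echo 'Password reset refused: untrusted host', PHP_EOL;
}
```

The comparison is deliberately a plain string equality after lower-casing and stripping the port, which is why hostnames such as "mydev" are only as safe as the list you put them in: anything that is listed is trusted verbatim, nothing else is.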
(In ) Fixes #3080, add config option to disable trusted_hosts check, tweak many translations, modify UI to display one input w/ a label if only one trusted host is set (or if there's an injected host), set trusted host to Host if no stored trusted hosts and user is superuser, and don't use regex to check host.
(In ) Refs #3080, UI tweaks.
 refs this ticket, not #1823.
(In ) Refs #3080, get tests to pass and use previous regex code (w/ escaping) instead of forloop.
(In ) Refs #3080, fix regression in install process.
(In ) Refs #3080
(In ) Fixes #3478 We cannot apparently set the value of a config file section directly, it fails for some php versions which don't understand the &__get() magic function. Refs #3080
Refactoring the two setters into one helper function
Also fixing notice in graph code