Add support for limiting allowed hosts #7649

Closed
asmecher opened this issue Jan 25, 2022 · 3 comments
Label: Bug:3:Critical A bug that prevents a substantial minority of users from using the software.

asmecher commented Jan 25, 2022

Description of problem

OJS/OMP/OPS currently uses the HTTP_HOST, SERVER_NAME, and HTTP_X_FORWARDED_HOST headers to detect the current hostname for formulating absolute URLs.

Per https://portswigger.net/web-security/host-header, these headers may be user-controlled and thus not trustworthy. This could be used to e.g. send password reset emails with poisoned links that direct the user to a 3rd-party site, where the reset hash can be captured. (We are not currently aware of another possible abuse via this mechanism.)

Thanks to Hemant Kashyap for reporting the issue.

Solution

The changes described here add support for a list of allowed host names to be provided in the config.inc.php configuration file. User-supplied values are checked against this list and only one of the listed values will be allowed.

Affected versions

This issue affects all releases of OJS, OMP, and OPS versions 3.3.0-8 and older.

How to resolve the issue

  1. Update the code to support the new allowed_hosts setting. This can be done by any of the following...
    1. Upgrade OJS, OMP, or OPS to version 3.3.0-9 or newer, or
    2. If using git, update to the latest stable-3_3_0 or stable-3_2_1 branches, or
    3. Apply the appropriate patch for your installation:
  2. Add an allowed_hosts setting to the general section of your config.inc.php configuration file. Here is the description/example from config.TEMPLATE.inc.php:

     ; Restrict the list of allowed hosts to prevent HOST header injection.
     ; See docs/README.md for more details. The list should be JSON-formatted.
     ; An empty string indicates that all hosts should be trusted (not recommended!)
     ; Example:
     ; allowed_hosts = '["myjournal.tld", "anotherjournal.tld", "mylibrary.tld"]'
     allowed_hosts = ''

  3. You can test whether or not the configuration is working by intentionally misconfiguring allowed_hosts. Attempting to load a page from the software should result in a 400 Bad Request error page.
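As an added illustration of what the allowed_hosts check does (this is example code written for this page, not pkp-lib's implementation), the snippet below parses the JSON list from the config value, walks the same three sources named in the issue (HTTP_X_FORWARDED_HOST, HTTP_HOST, SERVER_NAME), and returns null when none of them is on the list, which is where the application would answer 400 Bad Request. The function names and the sample request arrays are constructed for the example.

```php
<?php
// Example only: mirrors the intent of the allowed_hosts setting, not pkp-lib code.

/**
 * Parse the allowed_hosts config value (a JSON list) into lowercase host names.
 * Returns null for an empty string, i.e. "trust all hosts", the not-recommended
 * default shipped in config.TEMPLATE.inc.php.
 */
function parseAllowedHosts(string $configValue): ?array
{
    if (trim($configValue) === '') {
        return null;
    }
    $hosts = json_decode($configValue, true);
    if (!is_array($hosts)) {
        throw new RuntimeException('allowed_hosts must be a JSON list of host names');
    }
    $normalized = [];
    foreach ($hosts as $host) {
        $normalized[] = strtolower(trim((string) $host));
    }
    return $normalized;
}

/**
 * Return the first request-supplied host name that is on the allow list,
 * or null when none is (the caller should then send 400 Bad Request).
 * A port suffix is stripped so "myjournal.tld:8443" matches "myjournal.tld".
 */
function resolveRequestHost(array $server, ?array $allowedHosts): ?string
{
    foreach (['HTTP_X_FORWARDED_HOST', 'HTTP_HOST', 'SERVER_NAME'] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        $host = strtolower(preg_replace('/:\d+$/', '', trim($server[$key])));
        if ($allowedHosts === null || in_array($host, $allowedHosts, true)) {
            return $host;
        }
    }
    return null;
}

// Constructed sample requests for the example (not taken from the issue).
$allowed = parseAllowedHosts('["myjournal.tld", "anotherjournal.tld"]');
$legit   = ['HTTP_HOST' => 'myjournal.tld:443', 'SERVER_NAME' => 'myjournal.tld'];
$spoofed = ['HTTP_X_FORWARDED_HOST' => 'untrusted.example', 'HTTP_HOST' => 'untrusted.example'];

var_dump(resolveRequestHost($legit, $allowed));   // string(13) "myjournal.tld"
var_dump(resolveRequestHost($spoofed, $allowed)); // NULL, so respond 400 Bad Request
```

Note that with an empty allowed_hosts the second call would return "untrusted.example" unchanged, which is exactly why the template marks the empty default as not recommended.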

Commits/pull requests

(This is for tracking development work on the issue; you likely don't need to know this.)

PRs/commits:

@asmecher asmecher added this to the 3.3.0-9 milestone Jan 25, 2022
@asmecher asmecher self-assigned this Jan 25, 2022
asmecher (Member Author) commented:

@bozana, would you mind reviewing this before I port to the other apps and older branches? Thanks!

barmintor commented:

Just want to add that this will also mitigate XSS vulnerabilities, thank you for moving quickly on it!

asmecher added a commit that referenced this issue Feb 9, 2022
#7649 Add support for allowed_hosts limits to avoid HOST header injection
asmecher added a commit to pkp/ojs that referenced this issue Feb 9, 2022
pkp/pkp-lib#7649 Add support for allowed_hosts limits to avoid HOST header injection
asmecher added a commit that referenced this issue Feb 9, 2022
#7649 Add support for allowed_hosts limits to avoid HOST header injection
asmecher added a commit to pkp/ojs that referenced this issue Feb 9, 2022
pkp/pkp-lib#7649 Add support for allowed_hosts limits to avoid HOST header injection
@asmecher asmecher added the Bug:3:Critical A bug that prevents a substantial minority of users from using the software. label Mar 1, 2022
@asmecher asmecher closed this as completed Mar 1, 2022

jnugent commented Mar 24, 2022

Hi everyone,

Now that we've gone through and patched all of our own installations I wanted to share the patches we used, based off of @asmecher's work above. For some of those there was a discrepancy in older versions of OJS3 where you'd get a fatal error about not being able to pass by reference. The patch for 3.2 also removes the bits that attempt to patch the readme file that isn't in 3.1.

The original patch for 3.3 works perfectly.

OJS OMP 3.2.1 and 3.2.0: ojs-3.2.1-4.diff.txt
Older OMP/OJS3: older.diff.txt
OJS2: ojs2-allowedHosts.diff.txt
