FIX Allow users to specify allowed hosts

Allow users to explicitly state which Hosts are allowed to be requested via this application instance to avoid Host: header forgery attacks.
silverstripe · May 28, 2015 · 9c8fa51 · kinglozzer · May 28, 2015 · dhensby
1 parent b21fd84
commit 9c8fa51
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/core/Constants.php b/core/Constants.php
@@ -181,6 +181,14 @@ function stripslashes_recursively(&$array) {
 	}
 }
 
+if (defined('SS_ALLOWED_HOSTS')) {
+	$all_allowed_hosts = explode(',', SS_ALLOWED_HOSTS);
+	if (!in_array($_SERVER['HTTP_HOST'], $all_allowed_hosts)) {
+		header('HTTP/1.1 400 Invalid Host', true, 400);
+		die();
+	}
+}
+
 /**
  * Define system paths
  */

diff --git a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md
@@ -476,6 +476,17 @@ as well as the login form.
 
 ## Request hostname forgery
 
+To prevent a forged hostname appearing being used by the application, SilverStripe
+allows the configure of a whitelist of hosts that are allowed to access the system. By defining
+this whitelist in your _ss_environment.php file, any request presenting a `Host` header that is
+_not_ in this list will be blocked with a HTTP 400 error:
+
+	:::php
+	define('SS_ALLOWED_HOSTS', 'www.mysite.com,mysite.com,subdomain.mysite.com');
+
+Please note that if this configuration is defined, you _must_ include _all_ subdomains (eg www.)
+that will be accessing the site.
+
 When SilverStripe is run behind a reverse proxy, it's normally necessary for this proxy to
 use the `X-Forwarded-Host` request header to tell the webserver which hostname was originally
 requested. However, when SilverStripe is not run behind a proxy, this header can still be