Commit
Allow users to explicitly state which Hosts are allowed to be requested via this application instance to avoid Host: header forgery attacks.
@@ -181,6 +181,14 @@ function stripslashes_recursively(&$array) { | |
} | ||
} | ||
|
||
if (defined('SS_ALLOWED_HOSTS')) { | ||
$all_allowed_hosts = explode(',', SS_ALLOWED_HOSTS); | ||
if (!in_array($_SERVER['HTTP_HOST'], $all_allowed_hosts)) { | ||
dhensby
Contributor
|
||
header('HTTP/1.1 400 Invalid Host', true, 400); | ||
die(); | ||
} | ||
} | ||
|
||
/** | ||
* Define system paths | ||
*/ | ||
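Review bot: `$_SERVER['HTTP_HOST']` is not guaranteed to be set (command-line runs, or HTTP/1.0 clients that send no Host header), so the `in_array($_SERVER['HTTP_HOST'], $all_allowed_hosts)` check raises a notice before it rejects; wrap it in `isset()` and treat a missing header as not allowed rather than letting it fall through. Also, `explode(',', SS_ALLOWED_HOSTS)` keeps surrounding whitespace, so a value such as `'a.example.com, b.example.com'` never matches `b.example.com`; apply `array_map('trim', ...)` to the result. Finally, the comparison is exact: it is case-sensitive and the header value may carry a `:port` suffix, so either normalise both sides (lowercase, strip or include the port consistently) or document that `SS_ALLOWED_HOSTS` entries must match the raw header verbatim.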
|
A few questions:
- isset($_SERVER['HTTP_HOST']) here?
- .htaccess level?