Force UrlGenerator's Root URL to be the base of APP_URL unless overriden
(For v5)
uberbrady committed Jan 18, 2022
1 parent f964761 commit 0c4768f
Showing 2 changed files with 9 additions and 0 deletions.
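--- a/.env.example
+++ b/.env.example
@@ -145,6 +145,7 @@ APP_LOG_MAX_FILES=10
 APP_LOCKED=false
 APP_CIPHER=AES-256-CBC
 APP_FORCE_TLS=false
+APP_ALLOW_INSECURE_HOSTS=false
 GOOGLE_MAPS_API=
 LDAP_MEM_LIM=500M
 LDAP_TIME_LIM=600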
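--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -43,6 +43,14 @@ public function boot(UrlGenerator $url)
 \Log::warning("'APP_FORCE_TLS' is set to true, but 'APP_URL' does not start with 'https://'. Will not force TLS on connections.");
 }
 }
+
+// TODO - isn't it somehow 'gauche' to check the environment directly; shouldn't we be using config() somehow?
+if ( ! env('APP_ALLOW_INSECURE_HOSTS')) { // unless you set APP_ALLOW_INSECURE_HOSTS, you should PROHIBIT forging domain parts of URL via Host: headers
+$url_parts = parse_url(config('app.url'));
+$root_url = $url_parts['scheme'].'://'.$url_parts['host'].( isset($url_parts['port']) ? ':'.$url_parts['port'] : '');
+\URL::forceRootUrl($root_url);
+}
+
 Schema::defaultStringLength(191);
 Asset::observe(AssetObserver::class);
 Accessory::observe(AccessoryObserver::class);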
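Review bot: The added block reads `$url_parts['scheme']` and `$url_parts['host']` without checking that `parse_url(config('app.url'))` actually returned them. An empty, scheme-less or malformed APP_URL would therefore either raise an undefined-key error during boot or force a meaningless root URL, depending on how errors are handled. I would guard the call with `if (is_array($url_parts) && isset($url_parts['scheme'], $url_parts['host']))`, and in the else branch log a warning like the APP_FORCE_TLS one above, so an operator can see that Host-header-derived URLs are still in effect. Separately, as the TODO suspects, `env()` outside a config file typically returns null once configuration is cached. The `APP_ALLOW_INSECURE_HOSTS` opt-out would then silently stop applying; it fails closed, but reading the flag through a config entry would make the behaviour deterministic. The body of `boot()` starts and ends outside this hunk, so any earlier validation of APP_URL is not visible here.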
