Skip to content
This repository has been archived by the owner on Jan 8, 2020. It is now read-only.

Hostname route ignore HTTP_HOST and give SERVER_NAME precedence #4581

Closed
wants to merge 7 commits into from
Closed

Hostname route ignore HTTP_HOST and give SERVER_NAME precedence #4581

wants to merge 7 commits into from

Conversation

mbn18
Copy link
Contributor

@mbn18 mbn18 commented Jun 3, 2013

Web servers that are configured to accept more then one name for a virtual host, pass the following variables:

SERVER_NAME - the virtual host primary name

  • In Apache -> ServerName domain.com (other names under ServerAlias )
  • In Nginx, the first value of: server_name will-be-servername.com will-not-be-servername.com

HTTP_HOST - the requested domain in the URL

As discussed with @DASPRiD, HTTP_HOST need to be checked first to verify what domain was asked by the client.

@weierophinney raised concern about the host header being spoofed. The Q is, even if so, do we have an alternative?

Extra info about the subject:
http://shiflett.org/blog/2006/mar/server-name-versus-http-host

mbn18 added 5 commits June 3, 2013 18:21
@mbn18
Fix Request.php so HTTP_HOST will take precedence over SERVER_NAME
d3f2fe7 
In nginx for example the SERVER_NAME is the first value which is configured after server_name

for example:
server_name server1.com server2.com serverN.com

SERVER_NAME in php env will be server1.com
While HTTP_HOST will be the requested URL
@mbn18
Update Request.php
0608fe6
@mbn18
Update Request.php
5f3989f
@mbn18
Update Request.php
eb039e1
@mbn18
Update RequestTest.php
728eea5
@DASPRiD
Copy link
Member

DASPRiD commented Jun 6, 2013

To clear the "problem" about spoofing:

The general problem is, that HTTP_HOST can contain any value the user supplies (it's simply not trust-able). This is not a real problem here though, since we have two things we know:

  • There's usually a VirtualHost (different webservers, same concept) backing the application. This one usually only allows a fixed list of domain names. When HTTP_HOST is spoofed, the VirtualHost will simply not match, so no problem there.
  • In case we get a spoofed HTTP_HOST into the application, we are still fine. For routing, the HTTP_HOST is only used for matching. If the HTTP_HOST matches no (existing) hostname route, the user will simply get a 404 response.

The only problem we have is if the developer uses the request object to output the HTTP_HOST in a view or so, and it is spoofed with JavaScript code or such. But that is usual output escaping. I would only suggest one thing, to make sure we don't let any invalid HTTP_HOST through:

Within the Zend\Http\PhpEnvironment\Request, when finding an HTTP_HOST header, we should verify that it is valid, using Zend\Validator\Hostname. The only question would be, if we should either throw an exception when it is invalid, or just ignore the value in that case. Personally I tend to throw an exception, as we should terminate any possible attack as early as possible.

@weierophinney: Any thoughts about it?

@DASPRiD
Copy link
Member

DASPRiD commented Jun 8, 2013

@mbn18 I talked with @weierophinney about this at DPC. The way I suggested would be fine to him (including the validation). Would you be able to to this until Monday or Tuesday?

@mbn18
Copy link
Contributor Author

mbn18 commented Jun 9, 2013

@DASPRiD Yes, will spare some time tomorrow. But first will try to catch you on the IRC

@mbn18
Update RequestTest.php
be6c9d3 
Added test for spoofed HTTP_HOST
@mbn18
Update Request.php
b8abbb9
@mbn18
Copy link
Contributor Author

mbn18 commented Jun 10, 2013

Ok, I added a hostname validator and splited the elseif from its chain.
If the validation fail, the next (new) if kick in and set the SERVER_NAME.

Also added a malformed test

weierophinney
weierophinney reviewed Jun 10, 2013
View reviewed changes
library/Zend/Http/PhpEnvironment/Request.php
array(
'allow'=>\Zend\Validator\Hostname::ALLOW_ALL,
'useIdnCheck'=>false,
'useTldCheck'=>false
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add spaces around the => operator.

@ghost ghost assigned weierophinney Jun 10, 2013
weierophinney added a commit that referenced this pull request Jun 10, 2013
@weierophinney
Merge pull request #4581 from mbn18/master
6260787 
Hostname route ignore HTTP_HOST and give SERVER_NAME precedence
weierophinney added a commit that referenced this pull request Jun 10, 2013
@weierophinney
[#4581] CS fixes, composer updates
7c375d8 
- Import hostname validator
- CS around arguments for hostname validator constructor
- Added zend-validator to required components, as it's used for hostname
  validation
weierophinney added a commit that referenced this pull request Jun 10, 2013
@weierophinney
Merge branch 'hotfix/4581' into develop
a999a69 
Forward port #4581
@weierophinney
Copy link
Member

All feedback I provided was incorporated during merge.

weierophinney added a commit to zendframework/zend-http that referenced this pull request May 15, 2015
@weierophinney
Merge pull request zendframework/zendframework#4581 from mbn18/master
1a64dce 
Hostname route ignore HTTP_HOST and give SERVER_NAME precedence
weierophinney added a commit to zendframework/zend-http that referenced this pull request May 15, 2015
@weierophinney
[zendframework/zendframework#4581] CS fixes, composer updates
c1e2788 
- Import hostname validator
- CS around arguments for hostname validator constructor
- Added zend-validator to required components, as it's used for hostname
  validation
weierophinney added a commit to zendframework/zend-http that referenced this pull request May 15, 2015
@weierophinney
Merge branch 'hotfix/4581'
52b821e 
Close zendframework/zendframework#4581
weierophinney added a commit to zendframework/zend-http that referenced this pull request May 15, 2015
@weierophinney
Merge branch 'hotfix/4581' into develop
cb6a993 
Forward port zendframework/zendframework#4581
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees

@weierophinney weierophinney

Labels
None yet
Projects
None yet
Milestone
2.2.1
Development

Successfully merging this pull request may close these issues.
3 participants
@mbn18 @DASPRiD @weierophinney