setTrustedHosts() public static method

You should only list the hosts you manage, using regular expressions.
public static setTrustedHosts ( array $hostPatterns )
$hostPatterns array A list of trusted host patterns
Example #1
 /**
  * Checks Request::getHost() with and without a trusted-host pattern list.
  *
  * Covers three situations: no patterns configured (the Host header is
  * returned unchecked), a Host header that matches no pattern (getHost()
  * throws \UnexpectedValueException), and Host headers that match, with and
  * without an explicit port.
  */
 public function testTrustedHosts()
 {
     // Start from a bare request for "/".
     $req = Request::create('/');

     // No pattern list has been set yet, so the client-supplied Host header
     // is handed back as-is, even for a hostile value.
     $req->headers->set('host', 'evil.com');
     $this->assertEquals('evil.com', $req->getHost());

     // Allow trusted.com itself, optionally prefixed by one label of exactly
     // nine characters from a-z. The pattern is anchored with ^ and $ and
     // escapes its dots, so it does not accept arbitrary subdomains.
     Request::setTrustedHosts(array('^([a-z]{9}\\.)?trusted\\.com$'));

     // A Host header outside the allowlist must be rejected with an exception.
     $req->headers->set('host', 'evil.com');
     try {
         $req->getHost();
         $this->fail('Request::getHost() should throw an exception when host is not trusted.');
     } catch (\UnexpectedValueException $rejected) {
         $this->assertEquals('Untrusted Host "evil.com"', $rejected->getMessage());
     }

     // Matching host over plain HTTP: port 80 is reported.
     $req->headers->set('host', 'trusted.com');
     $this->assertEquals('trusted.com', $req->getHost());
     $this->assertEquals(80, $req->getPort());

     // Same host with the HTTPS server variable on: port 443 is reported.
     $req->server->set('HTTPS', true);
     $req->headers->set('host', 'trusted.com');
     $this->assertEquals('trusted.com', $req->getHost());
     $this->assertEquals(443, $req->getPort());

     // An explicit port in the header is accepted although the pattern ends
     // in "com$": getHost() returns the name without the port, and
     // getPort() reports the port from the header.
     $req->server->set('HTTPS', false);
     $req->headers->set('host', 'trusted.com:8000');
     $this->assertEquals('trusted.com', $req->getHost());
     $this->assertEquals(8000, $req->getPort());

     // "subdomain" is nine lowercase letters, so it fits the optional group.
     $req->headers->set('host', 'subdomain.trusted.com');
     $this->assertEquals('subdomain.trusted.com', $req->getHost());

     // Clear the static pattern list so later tests start without an allowlist.
     // NOTE(review): this line is only reached when every assertion above
     // passes; on a failure the pattern list stays set for later tests.
     Request::setTrustedHosts(array());
 }
 /**
  * Applies the container's proxy and host trust parameters to Request.
  *
  * Reads kernel.trusted_proxies, kernel.trust_proxy_headers and
  * kernel.trusted_hosts from the container and forwards the non-empty ones
  * to the matching static Request methods.
  */
 public function boot()
 {
     $container = $this->container;

     $proxyList = $container->getParameter('kernel.trusted_proxies');
     if ($proxyList) {
         Request::setTrustedProxies($proxyList);
     } elseif ($container->getParameter('kernel.trust_proxy_headers')) {
         // Legacy switch, consulted only when no proxy list is configured.
         // @deprecated, to be removed in 2.3
         Request::trustProxyData();
     }

     // The Host allowlist is registered only for a non-empty parameter.
     // NOTE(review): with an empty kernel.trusted_hosts this method never
     // calls setTrustedHosts(), so presumably no Host check is active;
     // confirm the production configuration sets it.
     $hostPatterns = $container->getParameter('kernel.trusted_hosts');
     if ($hostPatterns) {
         Request::setTrustedHosts($hostPatterns);
     }
 }
Example #3
 /**
  * Applies the container's request-related parameters to Request.
  *
  * Forwards kernel.trusted_proxies and kernel.trusted_hosts when they are
  * non-empty, and enables the HTTP method parameter override when
  * kernel.http_method_override is truthy.
  */
 public function boot()
 {
     $container = $this->container;

     $proxyList = $container->getParameter('kernel.trusted_proxies');
     if ($proxyList) {
         Request::setTrustedProxies($proxyList);
     }

     $overrideEnabled = $container->getParameter('kernel.http_method_override');
     if ($overrideEnabled) {
         Request::enableHttpMethodParameterOverride();
     }

     // The Host allowlist is registered only for a non-empty parameter.
     // NOTE(review): with an empty kernel.trusted_hosts this method never
     // calls setTrustedHosts(), so presumably no Host check is active;
     // confirm the production configuration sets it.
     $hostPatterns = $container->getParameter('kernel.trusted_hosts');
     if ($hostPatterns) {
         Request::setTrustedHosts($hostPatterns);
     }
 }
Example #4
 /**
  * Registers the error handler and applies request-related parameters.
  *
  * Registers ErrorHandler with the debug.error_handler.throw_at level, then
  * forwards kernel.trusted_proxies and kernel.trusted_hosts when they are
  * non-empty and enables the HTTP method parameter override when
  * kernel.http_method_override is truthy.
  */
 public function boot()
 {
     // Register first, then read the threshold, as a single chained call would.
     $errorHandler = ErrorHandler::register(null, false);
     $errorHandler->throwAt($this->container->getParameter('debug.error_handler.throw_at'), true);

     $container = $this->container;

     $proxyList = $container->getParameter('kernel.trusted_proxies');
     if ($proxyList) {
         Request::setTrustedProxies($proxyList);
     }

     $overrideEnabled = $container->getParameter('kernel.http_method_override');
     if ($overrideEnabled) {
         Request::enableHttpMethodParameterOverride();
     }

     // The Host allowlist is registered only for a non-empty parameter.
     // NOTE(review): with an empty kernel.trusted_hosts this method never
     // calls setTrustedHosts(), so presumably no Host check is active;
     // confirm the production configuration sets it.
     $hostPatterns = $container->getParameter('kernel.trusted_hosts');
     if ($hostPatterns) {
         Request::setTrustedHosts($hostPatterns);
     }
 }
Example #5
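 /**
  * Sets up the lists of trusted HTTP Host headers.
  *
  * Since the HTTP Host header can be set by the user making the request, it
  * is possible to create an attack vector against a site by overriding this.
  * Symfony provides a mechanism for creating a list of trusted Host values.
  *
  * Host patterns (as regular expressions) can be configured through
  * settings.php for multisite installations, sites using ServerAlias without
  * canonical redirection, or configurations where the site responds to default
  * requests. Patterns are regular expressions, not shell globs: anchor each
  * one with ^ and $, escape literal dots, and match subdomains with ".+\."
  * rather than "*.". For example,
  *
  * @code
  * $settings['trusted_host_patterns'] = array(
  *   '^example\.com$',
  *   '^.+\.example\.com$',
  * );
  * @endcode
  *
  * setTrustedHosts() is a static method, so the pattern list is installed for
  * the Request class as a whole and stays in place after this method returns,
  * whether the result is TRUE or FALSE. When the current Host header passes
  * validation, a TrustedHostsRequestFactory built from that host is registered
  * through Request::setFactory().
  *
  * @param \Symfony\Component\HttpFoundation\Request $request
  *   The request object.
  * @param array $host_patterns
  *   The array of trusted host patterns.
  *
  * @return bool
  *   TRUE if the Host header is trusted, FALSE otherwise.
  *
  * @see https://www.drupal.org/node/1992030
  * @see \Drupal\Core\Http\TrustedHostsRequestFactory
  */
 protected static function setupTrustedHosts(Request $request, $host_patterns)
 {
     // setTrustedHosts() is static; call it with :: so that is visible here.
     $request::setTrustedHosts($host_patterns);

     try {
         // getHost() validates the current request's Host header against the
         // patterns and throws \UnexpectedValueException when none matches.
         $validated_host = $request->getHost();

         // Fake requests created through Request::create() without passing in the
         // server variables from the main request have a default host of
         // 'localhost'. If 'localhost' does not match any of the trusted host
         // patterns these fake requests would fail the host verification. Instead,
         // TrustedHostsRequestFactory makes sure to pass in the server variables
         // from the main request.
         $request_factory = new TrustedHostsRequestFactory($validated_host);
         Request::setFactory([$request_factory, 'createRequest']);
     } catch (\UnexpectedValueException $e) {
         // NOTE(review): the caller is outside this listing; confirm that it
         // rejects the request when FALSE is returned.
         return FALSE;
     }

     return TRUE;
 }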