List only the hosts you actually manage, as regular expressions. Anchor each pattern with `^` and `$` so that a pattern meant for `example.com` cannot also match a host such as `example.com.attacker.net`.
public static setTrustedHosts ( array $hostPatterns ) | ||
$hostPatterns | array | A list of regular expressions; the request's Host header must match one of them, otherwise Request::getHost() throws an UnexpectedValueException. An empty list disables the check. |
/**
 * Exercises the trusted-host check performed by Request::getHost().
 *
 * Covers: no patterns registered (any Host header is accepted), a Host that
 * matches none of the patterns (UnexpectedValueException with the offending
 * host in the message), and matching hosts with the default HTTP/HTTPS ports,
 * an explicit port, and a subdomain. Trusted hosts are global Request state,
 * so they are cleared again at the end for the tests that follow.
 */
public function testTrustedHosts()
{
    $req = Request::create('/');

    // Nothing registered yet: the Host header is taken as-is.
    $req->headers->set('host', 'evil.com');
    $this->assertEquals('evil.com', $req->getHost());

    // Trust the bare domain and one level of nine-letter subdomain.
    Request::setTrustedHosts(array('^([a-z]{9}\\.)?trusted\\.com$'));

    // A host matching no pattern must be rejected by getHost().
    $req->headers->set('host', 'evil.com');
    $rejected = false;
    try {
        $req->getHost();
    } catch (\UnexpectedValueException $e) {
        $rejected = true;
        $this->assertEquals('Untrusted Host "evil.com"', $e->getMessage());
    }
    if (!$rejected) {
        $this->fail('Request::getHost() should throw an exception when host is not trusted.');
    }

    // Accepted hosts: HTTPS flag (null = leave untouched), Host header,
    // expected host, expected port (null = not asserted).
    $accepted = array(
        array(null,  'trusted.com',           'trusted.com',           80),
        array(true,  'trusted.com',           'trusted.com',           443),
        array(false, 'trusted.com:8000',      'trusted.com',           8000),
        array(null,  'subdomain.trusted.com', 'subdomain.trusted.com', null),
    );
    foreach ($accepted as $case) {
        list($https, $hostHeader, $expectedHost, $expectedPort) = $case;
        if (null !== $https) {
            $req->server->set('HTTPS', $https);
        }
        $req->headers->set('host', $hostHeader);
        $this->assertEquals($expectedHost, $req->getHost());
        if (null !== $expectedPort) {
            $this->assertEquals($expectedPort, $req->getPort());
        }
    }

    // Clear the global trusted-host list for the following tests.
    Request::setTrustedHosts(array());
}
/**
 * Applies the kernel's request-level security parameters at bundle boot.
 *
 * kernel.trusted_proxies takes precedence over the deprecated
 * kernel.trust_proxy_headers flag. kernel.trusted_hosts restricts the Host
 * header values Request::getHost() will accept; when it is empty or unset
 * no trusted hosts are registered and the Host header is not checked.
 */
public function boot()
{
    $container = $this->container;

    $proxies = $container->getParameter('kernel.trusted_proxies');
    if ($proxies) {
        Request::setTrustedProxies($proxies);
    } elseif ($container->getParameter('kernel.trust_proxy_headers')) {
        // @deprecated, to be removed in 2.3
        Request::trustProxyData();
    }

    $hosts = $container->getParameter('kernel.trusted_hosts');
    if ($hosts) {
        Request::setTrustedHosts($hosts);
    }
}
/**
 * Applies the kernel's request-level parameters at bundle boot.
 *
 * Registers the trusted proxy list, enables the HTTP method parameter
 * override when configured, and registers the trusted Host patterns.
 * A falsy parameter leaves the corresponding Request setting untouched,
 * so an empty kernel.trusted_hosts means the Host header is not checked.
 */
public function boot()
{
    $container = $this->container;

    $proxies = $container->getParameter('kernel.trusted_proxies');
    if ($proxies) {
        Request::setTrustedProxies($proxies);
    }

    if ($container->getParameter('kernel.http_method_override')) {
        Request::enableHttpMethodParameterOverride();
    }

    $hosts = $container->getParameter('kernel.trusted_hosts');
    if ($hosts) {
        Request::setTrustedHosts($hosts);
    }
}
/**
 * Applies the kernel's runtime parameters at bundle boot.
 *
 * The error handler is registered before anything else, with the
 * error levels that should be thrown taken from
 * debug.error_handler.throw_at. Then the trusted proxy list, the HTTP
 * method parameter override and the trusted Host patterns are applied;
 * each is skipped when its parameter is falsy, so an empty
 * kernel.trusted_hosts leaves the Host header unchecked.
 */
public function boot()
{
    $container = $this->container;

    $throwAt = $container->getParameter('debug.error_handler.throw_at');
    ErrorHandler::register(null, false)->throwAt($throwAt, true);

    $proxies = $container->getParameter('kernel.trusted_proxies');
    if ($proxies) {
        Request::setTrustedProxies($proxies);
    }

    if ($container->getParameter('kernel.http_method_override')) {
        Request::enableHttpMethodParameterOverride();
    }

    $hosts = $container->getParameter('kernel.trusted_hosts');
    if ($hosts) {
        Request::setTrustedHosts($hosts);
    }
}
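/**
 * Sets up the list of trusted HTTP Host headers.
 *
 * Since the HTTP Host header can be set by the user making the request, it
 * is possible to create attack vectors against a site by overriding it.
 * Symfony provides a mechanism for creating a list of trusted Host values.
 *
 * Host patterns (as regular expressions) can be configured through
 * settings.php for multisite installations, sites using ServerAlias without
 * canonical redirection, or configurations where the site responds to default
 * requests. Anchor every pattern with ^ and $ so that a pattern meant for
 * 'example.com' cannot also match a host such as 'example.com.attacker.net'.
 * For example,
 *
 * @code
 * $settings['trusted_host_patterns'] = array(
 *   '^example\.com$',
 *   '^.+\.example\.com$',
 * );
 * @endcode
 *
 * NOTE(review): with an empty $host_patterns no host is rejected by
 * Request::getHost(), so this returns TRUE without any Host check having
 * taken place.
 *
 * @param \Symfony\Component\HttpFoundation\Request $request
 *   The request object.
 * @param array $host_patterns
 *   The array of trusted host patterns.
 *
 * @return bool
 *   TRUE if the Host header is trusted, FALSE otherwise.
 *
 * @see https://www.drupal.org/node/1992030
 * @see \Drupal\Core\Http\TrustedHostsRequestFactory
 */
protected static function setupTrustedHosts(Request $request, $host_patterns) {
  // setTrustedHosts() is static and applies to every Request, not only to
  // $request, so call it as such rather than through the instance.
  Request::setTrustedHosts($host_patterns);

  // Get the host, which will validate the current request.
  try {
    $host = $request->getHost();

    // Fake requests created through Request::create() without passing in the
    // server variables from the main request have a default host of
    // 'localhost'. If 'localhost' does not match any of the trusted host
    // patterns these fake requests would fail the host verification. Instead,
    // TrustedHostsRequestFactory makes sure to pass in the server variables
    // from the main request.
    $request_factory = new TrustedHostsRequestFactory($host);
    Request::setFactory([$request_factory, 'createRequest']);
  }
  catch (\UnexpectedValueException $e) {
    // getHost() rejected the Host header: it matched none of the patterns.
    return FALSE;
  }
  return TRUE;
}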