[SECURITY] Add trusted HTTP_HOST configuration 07/30307/2
author Helmut Hummel <helmut.hummel@typo3.org>
Thu, 22 May 2014 07:34:08 +0000 (09:34 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Thu, 22 May 2014 07:34:12 +0000 (09:34 +0200)
commit ab7a9f8515b9e5e69067b9c74679b69e3533b0d0
tree 283db6e1fcf0be33b580fe8a2d9a531139a46cbe
parent 3858e46105bf0921d188d47f92b065579eba78f1
[SECURITY] Add trusted HTTP_HOST configuration

TYPO3 uses the values of HTTP_HOST in several
places without validating them. This could
lead to a situation where links are generated
using the host part from HTTP_HOST.

Since HTTP_HOST headers are user input and
can be spoofed by an attacker, this leads
to several potential and actual security issues.

To address this, a configuration option for
trusted hosts is added, which is evaluated every
time getIndpEnv('HTTP_HOST') is called.

The configuration option is

$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']

and can contain either a regular expression or the
value "SERVER_NAME".

To properly output the exception message in case
the trustedHostsPattern does not match,
we need to adapt the exception handlers slightly
to not log information in this case and to actually
show the message even in production context, so as not
to confuse admins about what is currently going wrong.

To not break all existing installations, the default
pattern is set to 'SERVER_NAME' which allows all
HTTP_HOST values matching the SERVER_NAME (and
optionally the SERVER_PORT if a port is specified
in the HTTP_HOST value).

This will secure all installations that use properly
configured name-based virtual hosts, but leaves
installations where the web server is not bound
to a specific host name in an insecure state.

Change-Id: I42fe77fe919755942636108a71c31175647449a9
Fixes: #30377
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30307
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
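The following is an added, stand-alone illustration of the check the commit message describes; it is not TYPO3's own code and does not reproduce the GeneralUtility implementation. The function name isTrustedHost, the way the regular expression is anchored and matched case-insensitively, and all $_SERVER-like arrays are assumptions made for the example. It shows the default 'SERVER_NAME' behaviour (host must equal SERVER_NAME, port must equal SERVER_PORT only when the Host header carries one), the catch-all vhost case the message warns is still insecure, and an explicit pattern that closes that gap.

```php
<?php
// Added example (not TYPO3 code): trusted-host check as described in the
// commit message. Function name, regex anchoring and sample data are assumptions.
declare(strict_types=1);

/**
 * Validate the client-supplied HTTP_HOST against a trusted-hosts setting.
 *
 * $pattern is either the literal string 'SERVER_NAME' (compare the host part of
 * HTTP_HOST to the web server's SERVER_NAME, and the port to SERVER_PORT only if
 * the Host header actually specifies one) or a regular expression body, which
 * this example anchors to the whole HTTP_HOST value and matches case-insensitively.
 * A '/' inside a pattern must be escaped because '/' is used as delimiter here.
 */
function isTrustedHost(array $server, string $pattern): bool
{
    $httpHost = (string)($server['HTTP_HOST'] ?? '');
    if ($httpHost === '') {
        return false;
    }

    if ($pattern === 'SERVER_NAME') {
        // Split "host" or "host:port"; IPv6 literals are bracketed, e.g. [::1]:8080.
        if (preg_match('/^(\[[0-9A-Fa-f:.]+\]|[^:\/\s]+)(?::(\d{1,5}))?$/', $httpHost, $m) !== 1) {
            return false;
        }
        $hostPart = $m[1];
        $portPart = $m[2] ?? null;   // trailing unmatched group is absent from $m

        if (strcasecmp($hostPart, (string)($server['SERVER_NAME'] ?? '')) !== 0) {
            return false;
        }
        // Port is only compared when the Host header carried one.
        return $portPart === null || $portPart === (string)($server['SERVER_PORT'] ?? '');
    }

    // Any other value is treated as a regular expression body (assumption:
    // anchored to the full string, case-insensitive).
    return preg_match('/^(' . $pattern . ')$/i', $httpHost) === 1;
}

// --- constructed request data, not captured traffic ---
// A name-based vhost: the server reports its own configured name.
$named = ['SERVER_NAME' => 'www.example.org', 'SERVER_PORT' => '443'];
// A catch-all vhost: SERVER_NAME merely echoes whatever Host header arrived,
// which is the "not bound to a specific host name" situation from the message.
$catchAll = ['SERVER_NAME' => 'attacker.example', 'SERVER_PORT' => '80'];
// Explicit pattern an admin would set instead of the default.
$explicit = '(www\.)?example\.org|staging\.example\.org(:\d+)?';

// Each case: label, $_SERVER-like array, pattern, expected verdict.
$cases = [
    ['named vhost, plain host',          $named + ['HTTP_HOST' => 'www.example.org'],      'SERVER_NAME', true],
    ['named vhost, matching port',       $named + ['HTTP_HOST' => 'www.example.org:443'],  'SERVER_NAME', true],
    ['named vhost, spoofed host',        $named + ['HTTP_HOST' => 'attacker.example'],     'SERVER_NAME', false],
    ['named vhost, wrong port',          $named + ['HTTP_HOST' => 'www.example.org:8080'], 'SERVER_NAME', false],
    ['catch-all vhost, default setting', $catchAll + ['HTTP_HOST' => 'attacker.example'],  'SERVER_NAME', true],
    ['catch-all vhost, explicit pattern',$catchAll + ['HTTP_HOST' => 'attacker.example'],  $explicit,     false],
    ['explicit pattern, staging w/ port',$catchAll + ['HTTP_HOST' => 'staging.example.org:8443'], $explicit, true],
];

foreach ($cases as [$label, $server, $pattern, $expected]) {
    $verdict = isTrustedHost($server, $pattern);
    printf("%-4s %-36s trusted=%s\n", $verdict === $expected ? 'ok' : 'FAIL', $label, $verdict ? 'yes' : 'no');
}
```

The fifth case is the point of the last paragraph of the commit message: with a catch-all vhost the default 'SERVER_NAME' setting accepts the attacker-controlled host because the server's own SERVER_NAME is derived from it, so such installations need an explicit trustedHostsPattern (the $explicit value above is one possible shape, chosen for the example).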
typo3/sysext/core/Build/Configuration/FunctionalTestsConfiguration.php
typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
typo3/sysext/core/Classes/Error/ProductionExceptionHandler.php
typo3/sysext/core/Classes/Messaging/AbstractStandaloneMessage.php
typo3/sysext/core/Classes/Utility/GeneralUtility.php
typo3/sysext/core/Configuration/DefaultConfiguration.php
typo3/sysext/core/Tests/Unit/Utility/Fixtures/GeneralUtilityFixture.php [new file with mode: 0644]
typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php