-
TYPO3 uses the values of HTTP_HOST in several places without validating them. This could lead to a situation where links are generated using the host part from HTTP_HOST. Since HTTP_HOST headers are user input and can be spoofed by an attacker, it leads into several potential and actual security issues. To address this, a configuration option for trusted hosts is added, which is evaluated every time getIndpEnv('HTTP_HOST') is called. The configuration option is $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] and can contain either a regular expression or the value "SERVER_NAME" To properly output the exception message in case the trustedHostPattern does not match, we need to adapt the exception handlers slightly to not log information in this case and to actually show the message even in production context to not confuse admins on what is currently going wrong. To not break all existing installations, the default pattern is set to 'SERVER_NAME' which allows all HTTP_HOST values matching the SERVER_NAME (and optionally the SERVER_PORT if a port is specified in the HTTP_HOST value). This will secure all installation which use properly configured name based virtual hosts, but leaves installations where the web server is not bound to a specific host name still in an insecure state. Fixes: #30377 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Bulletin: TYPO3-CORE-SA-2014-001 Change-Id: Id210212e6fbd186a273f92b340d5060e9c6f900d Reviewed-on: https://review.typo3.org/30275 Reviewed-by: Oliver Hader Tested-by: Oliver Hader55d5f385
