• Helmut Hummel's avatar
    [SECURITY] Add trusted HTTP_HOST configuration · 55d5f385
    Helmut Hummel authored and Oliver Hader's avatar Oliver Hader committed
    TYPO3 uses the values of HTTP_HOST in several
    places without validating them. This could
    lead to a situation where links are generated
    using the host part from HTTP_HOST.
    Since HTTP_HOST headers are user input and
    can be spoofed by an attacker, it leads
    into several potential and actual security issues.
    To address this, a configuration option for
    trusted hosts is added, which is evaluated every
    time getIndpEnv('HTTP_HOST') is called.
    The configuration option is
    and can contain either a regular expression or the
    value "SERVER_NAME"
    To properly output the exception message in case
    the trustedHostPattern does not match,
    we need to adapt the exception handlers slightly
    to not log information in this case and to actually
    show the message even in production context to not
    confuse admins on what is currently going wrong.
    To not break all existing installations, the default
    pattern is set to 'SERVER_NAME' which allows all
    HTTP_HOST values matching the SERVER_NAME (and
    optionally the SERVER_PORT if a port is specified
    in the HTTP_HOST value).
    This will secure all installation which use properly
    configured name based virtual hosts, but leaves
    installations where the web server is not bound
    to a specific host name still in an insecure state.
    Fixes: #30377
    Releases: 6.2, 6.1, 6.0, 4.7, 4.5
    Security-Bulletin: TYPO3-CORE-SA-2014-001
    Change-Id: Id210212e6fbd186a273f92b340d5060e9c6f900d
    Reviewed-on: https://review.typo3.org/30275
    Reviewed-by: Oliver Hader
    Tested-by: Oliver Hader