Commit 583d1bfd authored by Dietrich Heise's avatar Dietrich Heise Committed by Markus Klein

[BUGFIX] Add case insensitive flag to trustedHostsPattern

Releases: master, 6.2, 4.5
Resolves: #59186
Change-Id: Iaa973faf5b3f287320fb187c3db2d8e30a486735
Reviewed-on: http://review.typo3.org/35484


Reviewed-by: Mathias Schreiber's avatarMathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber's avatarMathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: default avatarMarkus Klein <klein.t3@reelworx.at>
Tested-by: default avatarMarkus Klein <klein.t3@reelworx.at>
parent b2c673b1
......@@ -4241,14 +4241,14 @@ final class t3lib_div {
$defaultPort = self::getIndpEnv('TYPO3_SSL') ? '443' : '80';
$parsedHostValue = parse_url('http://' . $hostHeaderValue);
if (isset($parsedHostValue['port'])) {
self::$allowHostHeaderValue = ($parsedHostValue['host'] === $_SERVER['SERVER_NAME'] && (string)$parsedHostValue['port'] === $_SERVER['SERVER_PORT']);
self::$allowHostHeaderValue = (strtolower($parsedHostValue['host']) === strtolower($_SERVER['SERVER_NAME']) && (string)$parsedHostValue['port'] === $_SERVER['SERVER_PORT']);
} else {
self::$allowHostHeaderValue = ($hostHeaderValue === $_SERVER['SERVER_NAME'] && $defaultPort === $_SERVER['SERVER_PORT']);
self::$allowHostHeaderValue = (strtolower($hostHeaderValue) === strtolower($_SERVER['SERVER_NAME']) && $defaultPort === $_SERVER['SERVER_PORT']);
}
} else {
// In case name based virtual hosts are not possible, we allow setting a trusted host pattern
// See https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/ for further details
self::$allowHostHeaderValue = (bool)preg_match('/^' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] . '$/', $hostHeaderValue);
self::$allowHostHeaderValue = (bool)preg_match('/^' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] . '$/i', $hostHeaderValue);
}
return self::$allowHostHeaderValue;
......
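Review bot: The `$` anchor in the trustedHostsPattern `preg_match` (the second of the two `preg_match` lines, which appears to be the new side since the markers were lost in rendering) still matches before a trailing newline, because PHP's `$` only means end-of-subject when the `D` modifier is set; whether `$hostHeaderValue` can carry a trailing `\n` depends on how it is read before this hunk, so unless that is already guaranteed the anchor should be tightened to `'$/iD'` (or `\z` in place of `$`). The `/i` modifier and the new `strtolower` comparisons deserve a one-line why-comment, e.g. `// Host names are case-insensitive (RFC 3986 section 3.2.2), so compare and match ignoring case`. A malformed configured pattern makes `preg_match` return false, which the `(bool)` cast turns into a deny — fail-closed, which is the right default, but worth a comment so the silent lockout is understood. The enclosing method starts before the hunk.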