[TYPO3-english] config.baseURL match

Christopher Torgalson bedlamhotel at gmail.com
Wed Jul 7 21:20:47 CEST 2010


Hi,

On Wed, Jul 7, 2010 at 11:48 AM, Victor Livakovsky <v-tyok at mail.ru> wrote:
> Hi.
>
>>> So, the solution should be this:
>>> baseURL.data = getIndpEnv : HTTP_HOST
>>>
>>> Cheers.
>>
>> There are two problems with this:
>>
>> 1. config.baseURL does NOT have .stdWrap, so the above code simply
>> will not work [1], and
>
> You're right - I didn't look at TSref before answering. It has 'string' type.
>
>
>> 2. setting config.baseURL on the basis of the request may cause
>> security problems [2]
>
> Mmm... Does it?
> xxx.data = getIndpEnv : HTTP_HOST does the same as
> t3lib_div::getIndpEnv('HTTP_HOST')
> So, is t3lib_div::getIndpEnv('HTTP_HOST') also a non-secure way to achieve
> the server's host?


I don't have a copy of the most recent source handy, but as of TYPO3
4.0 (quite old now, but the only online version at typo3.org that I
can find!), the relevant code from t3lib_div::getIndpEnv() does rely on
$_SERVER["HTTP_HOST"] (this was supposed to be the problem):

            // These are let through without modification
        case 'REMOTE_ADDR':
        case 'REMOTE_HOST':
        case 'HTTP_REFERER':
        case 'HTTP_HOST':
        case 'HTTP_USER_AGENT':
        case 'HTTP_ACCEPT_LANGUAGE':
        case 'QUERY_STRING':
            $retVal = $_SERVER[$getEnvName];
        break;

-- 
Christopher Torgalson
http://www.typo3apprentice.com/
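
Added example, not part of the original message and not TYPO3 code: because the excerpt above returns HTTP_HOST straight from $_SERVER, a base URL derived from it should only be used after the host has been checked against the hosts the site actually serves. The function name resolveBaseUrl(), the host names and the fallback host are assumptions made for illustration.

```php
<?php
// Added example, not TYPO3 code. resolveBaseUrl(), the host names and the
// fallback host are assumptions chosen for illustration.

/**
 * Build a base URL from the request's Host header only when that host is
 * on the allowlist; otherwise use the configured default host.
 */
function resolveBaseUrl(array $server, array $allowedHosts, string $defaultHost): string
{
    $host = strtolower(trim((string)($server['HTTP_HOST'] ?? '')));

    // Syntactic check first: hostname with optional port, nothing else.
    // The D modifier stops "$" from matching before a trailing newline.
    $wellFormed = preg_match('/^[a-z0-9.-]+(:[0-9]{1,5})?$/D', $host) === 1;

    // Exact, strict comparison against the hosts this site really serves.
    if (!$wellFormed || !in_array($host, $allowedHosts, true)) {
        $host = $defaultHost;
    }

    $https = !empty($server['HTTPS']) && strtolower((string)$server['HTTPS']) !== 'off';
    return ($https ? 'https' : 'http') . '://' . $host . '/';
}

// Constructed sample Host header values, not taken from any real traffic.
$allowed = ['www.example.org', 'shop.example.org'];
$samples = [
    'www.example.org',                  // on the allowlist as-is
    'SHOP.example.org',                 // on the allowlist after lower-casing
    'other.invalid',                    // well-formed but not on the list
    "www.example.org\r\nX-Injected: 1", // malformed, fails the syntactic check
    '',                                 // header missing
];

foreach ($samples as $value) {
    $url = resolveBaseUrl(['HTTP_HOST' => $value], $allowed, 'www.example.org');
    printf("%-42s => %s\n", json_encode($value), $url);
}
```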

