[TYPO3-english] config.baseURL match
Christopher Torgalson
bedlamhotel at gmail.com
Wed Jul 7 21:20:47 CEST 2010
Hi,
On Wed, Jul 7, 2010 at 11:48 AM, Victor Livakovsky <v-tyok at mail.ru> wrote:
> Hi.
>
>>> So, the solution should be this:
>>> baseURL.data = getIndpEnv : HTTP_HOST
>>>
>>> Cheers.
>>
>> There are two problems with this:
>>
>> 1. config.baseURL does NOT have .stdWrap, so the above code simply
>> will not work [1], and
>
> You're right - I didn't look at TSref before answering. It has 'string' type.
>
>
>> 2. setting config.baseURL on the basis of the request may cause
>> security problems [2]
>
> Mmm... Does it?
> xxx.data = getIndpEnv : HTTP_HOST does the same as
> t3lib_div::getIndpEnv('HTTP_HOST')
> So, is t3lib_div::getIndpEnv('HTTP_HOST') also a non-secure way to obtain
> the server's host?

I don't have a copy of the most recent source handy, but as of TYPO3
4.0 (quite old now, but the only online version at typo3.org that I
can find!), the relevant code from t3lib_div::getIndpEnv() does rely on
$_SERVER["HTTP_HOST"] (this was supposed to be the problem):

    // These are let through without modification
    case 'REMOTE_ADDR':
    case 'REMOTE_HOST':
    case 'HTTP_REFERER':
    case 'HTTP_HOST':
    case 'HTTP_USER_AGENT':
    case 'HTTP_ACCEPT_LANGUAGE':
    case 'QUERY_STRING':
        $retVal = $_SERVER[$getEnvName];
        break;

--
Christopher Torgalson
http://www.typo3apprentice.com/
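
An added example, not part of the original message and not TYPO3 code: because HTTP_HOST reaches the application exactly as the client sent it, one way to avoid building the base URL from it is to let the header only select among hosts listed in configuration. The function names, host names and sample requests below are assumptions constructed for illustration.

```php
<?php
// Hypothetical helper, not part of TYPO3. Host names are constructed samples.
const ALLOWED_HOSTS = ['www.example.org', 'example.org'];
const DEFAULT_HOST  = 'www.example.org';

/**
 * Normalise a raw Host header: lower-case it, drop an optional port and a
 * trailing dot. Returns null if anything but hostname characters is present.
 */
function normaliseHost(string $raw): ?string
{
    $host = strtolower(trim($raw));
    // /D anchors "$" at the very end, so a trailing newline cannot slip through.
    $pattern = '/^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)\.?(?::\d{1,5})?$/D';
    return preg_match($pattern, $host, $m) === 1 ? $m[1] : null;
}

/**
 * Build the base URL from configuration. The request value is never copied
 * into the result; it only picks one of the administrator's entries.
 */
function resolveBaseUrl(array $server): string
{
    $host = normaliseHost($server['HTTP_HOST'] ?? '');
    if ($host === null || !in_array($host, ALLOWED_HOSTS, true)) {
        $host = DEFAULT_HOST; // unknown or malformed Host header: fall back
    }
    $https  = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return ($https ? 'https' : 'http') . '://' . $host . '/';
}

// Constructed sample requests, standing in for $_SERVER.
$samples = [
    ['HTTP_HOST' => 'WWW.Example.org:80'],
    ['HTTP_HOST' => 'example.org.', 'HTTPS' => 'on'],
    ['HTTP_HOST' => 'unlisted.invalid'],
    ['HTTP_HOST' => 'example.org/"><x'],
    [], // no Host header at all
];
foreach ($samples as $s) {
    printf("%-24s => %s\n", $s['HTTP_HOST'] ?? '(none)', resolveBaseUrl($s));
}
```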