[TYPO3-core] Passed: TYPO3/TYPO3.CMS#3176 (sandbox/helhum/tusted-hosts-domain-records - 5285b07)

Travis CI notifications at travis-ci.org
Thu Jun 5 13:22:10 CEST 2014

Build Update for TYPO3/TYPO3.CMS

Build: #3176
Status: Passed

Duration: 6 minutes and 12 seconds
Commit: 5285b07 (sandbox/helhum/tusted-hosts-domain-records)
Author: Helmut Hummel
Message: [SECURITY] Add trusted HTTP_HOST configuration

TYPO3 uses the values of HTTP_HOST in several
places without validating them. This could
lead to a situation where links are generated
using the host part from HTTP_HOST.

Since HTTP_HOST headers are user input and
can be spoofed by an attacker, this leads
to several potential and actual security issues.

To address this, a configuration option for
trusted hosts is added, which is evaluated every
time getIndpEnv('HTTP_HOST') is called.

To properly output the exception message in case
the trustedHostPattern does not match,
we need to adapt the exception handlers slightly
to not log information in this case and to actually
show the message even in production context, so as not
to confuse admins about what is currently going wrong.

To not break all existing installations, the default
pattern will still allow all hosts, leaving the
installation in an insecure state.

To activate the security setting, admins need to set
a pattern that matches all trusted hosts for the
given installation in the following configuration:


For convenience the pattern is auto generated from
domain records, if the default configuration is in place.

IMPORTANT: In the rare (and useless) case that
the TYPO3 installation has domain records, but NONE
of them match the requested host, this change will
BREAK this install completely.

Resolves: #30377
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: Ia55aad71a5b997c6a225c7996290ec887aa9f115

View the changeset: https://github.com/TYPO3/TYPO3.CMS/commit/5285b07e800b

View the full build log and details: https://travis-ci.org/TYPO3/TYPO3.CMS/builds/26844000


You can configure recipients for build notifications in your .travis.yml file. See http://docs.travis-ci.com/user/notifications
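The commit message above describes the mechanism but not its shape in code. The following is an added example, not TYPO3's own implementation and not taken from the changeset: a trusted-host guard in the style the message describes, with a configured pattern checked wherever the application reads HTTP_HOST, an allow-all default, a pattern auto-generated from a list of domain records, and the all-requests-refused failure mode the message warns about. The names `ALLOW_ALL_HOSTS`, `buildPatternFromDomainRecords`, `isTrustedHost` and `assertTrustedHost`, and the sample hostnames, are this example's own assumptions, not TYPO3 identifiers or configuration keys.

```php
<?php
// Added example (not TYPO3 code): a trusted HTTP_HOST check modelled on the
// design in the commit message. All function and constant names below are
// this example's own, not TYPO3 identifiers.

declare(strict_types=1);

// Special value meaning "every host is trusted": the insecure default the
// commit message mentions. The literal is this example's choice.
const ALLOW_ALL_HOSTS = '.*';

/**
 * Build a host-matching regex from a list of domain records, or return the
 * allow-all pattern when there are none. Hostnames are escaped so that dots
 * match literally; an optional ":port" suffix is accepted.
 *
 * @param string[] $domainRecords constructed sample input, e.g. ['example.org']
 */
function buildPatternFromDomainRecords(array $domainRecords): string
{
    if ($domainRecords === []) {
        return ALLOW_ALL_HOSTS;
    }
    $escaped = array_map(
        static fn(string $host): string => preg_quote(strtolower($host), '/'),
        $domainRecords
    );
    return '(' . implode('|', $escaped) . ')(:[0-9]+)?';
}

/**
 * True when the Host header value matches the trusted pattern. The pattern is
 * anchored at both ends and applied case-insensitively; the D modifier keeps
 * "$" from matching before a trailing newline.
 */
function isTrustedHost(string $httpHost, string $pattern): bool
{
    if ($pattern === ALLOW_ALL_HOSTS) {
        return true;
    }
    return preg_match('/^' . $pattern . '$/iD', $httpHost) === 1;
}

/**
 * Guard placed where the application reads HTTP_HOST: returns the host when it
 * is trusted, otherwise throws so the request is refused instead of a spoofed
 * host ending up in generated links.
 */
function assertTrustedHost(string $httpHost, string $pattern): string
{
    if (!isTrustedHost($httpHost, $pattern)) {
        throw new RuntimeException(
            'The current host header value does not match the configured trusted hosts pattern. '
            . 'Check the pattern or the Host header sent by the client.'
        );
    }
    return $httpHost;
}

// Constructed demonstration: two domain records, three Host header values.
$domainRecords = ['example.org', 'www.example.org'];
$pattern = buildPatternFromDomainRecords($domainRecords);

foreach (['www.example.org', 'example.org:8080', 'evil.example.net'] as $host) {
    try {
        printf("%-20s trusted\n", assertTrustedHost($host, $pattern));
    } catch (RuntimeException $e) {
        printf("%-20s rejected: %s\n", $host, $e->getMessage());
    }
}

// No domain records at all: the generated pattern falls back to allow-all,
// which is the "existing installations keep working" behaviour.
printf("no records, any host trusted: %s\n",
    isTrustedHost('anything.example', buildPatternFromDomainRecords([])) ? 'yes' : 'no');

// The failure mode the commit message warns about: records exist, but none of
// them matches the host actually used to reach the site, so every request
// through that host is refused.
$mismatchPattern = buildPatternFromDomainRecords(['intranet.example.org']);
printf("records present but none match: %s\n",
    isTrustedHost('www.example.org', $mismatchPattern) ? 'trusted' : 'rejected');
```

Two design points worth noting. The pattern is generated from the stored domain records with `preg_quote`, so a record is never interpreted as a regex by accident, and the port suffix is allowed explicitly rather than by loosening the pattern. The guard throws rather than silently falling back to a default host, which is the behaviour the commit message's exception-handler changes are there to surface to the administrator.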
