[TYPO3-core] trustedHostsPattern
Christian Kuhn
lolli at schwarzbu.ch
Fri May 8 18:23:30 CEST 2015
Hey.
On 08.05.2015 17:54, Thomas Ruta wrote:
> 'trustedHostsPattern' => $_SERVER["HTTP_HOST"],
This is NOT a good idea!
You basically open the attack vector the setting wants to close. The
whole point is that $_SERVER["HTTP_HOST"] is not trustworthy and thus is
compared with the introduced 'trustedHostsPattern'. If you do not know
exactly what you are doing, the above hack must not be used, is highly
discouraged and opens a security hole.
Here is the documentation from the install tool for this setting again
helping you to set this to a value that secures your instance:
Regular expression pattern that matches all allowed hostnames (including
their ports) of this TYPO3 installation, or the string "SERVER_NAME"
(default). The default value SERVER_NAME checks if the HTTP Host header
equals the SERVER_NAME and SERVER_PORT. This is secure in correctly
configured hosting environments and does not need further configuration.
If you cannot change your hosting environment, you can enter a regular
expression here. Examples: .*\.domain\.com matches all hosts that end
with .domain.com with all corresponding subdomains.
(.*\.domain|.*\.otherdomain)\.com matches all hostnames with subdomains
from .domain.com and .otherdomain.com. Be aware that the HTTP Host header
may also contain a port. If your installation runs on a specific port,
you need to explicitly allow this in your pattern, e.g.
www\.domain\.com:88 allows only www.domain.com:88, not www.domain.com.
To disable this check completely (not recommended because it is
insecure) you can use ".*" as pattern.
Regards
Christian
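The following is an added example, not TYPO3 core code and not part of the message above. It re-implements, stand-alone, the check the install tool text describes, so the effect of the quoted `'trustedHostsPattern' => $_SERVER["HTTP_HOST"]` setting can be compared with the default SERVER_NAME mode and with a real pattern on a few constructed Host header values. The function names (isHostTrusted, evaluate, weakPatternFromRequest) are hypothetical, and two details are assumptions rather than facts from the page: the regular expression is anchored to the whole header value, and in SERVER_NAME mode the port is compared only when it is not the scheme's default port.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 core code): stand-alone re-implementation of the
// trustedHostsPattern semantics from the install tool text, used to show why
// deriving the pattern from the request's own Host header checks nothing.

/**
 * Decide whether a raw Host header value is accepted under a given pattern.
 *
 * $pattern is either the literal string 'SERVER_NAME' (default mode) or a
 * regular expression. Assumptions for this example: the regex is anchored to
 * the whole header, and in SERVER_NAME mode the port is part of the expected
 * value only when it differs from the scheme's default (80 or 443).
 */
function isHostTrusted(
    string $httpHost,
    string $pattern,
    string $serverName,
    int $serverPort,
    bool $https = false
): bool {
    if ($pattern === 'SERVER_NAME') {
        $defaultPort = $https ? 443 : 80;
        $expected = ($serverPort === $defaultPort)
            ? $serverName
            : $serverName . ':' . $serverPort;
        return strcasecmp($httpHost, $expected) === 0;
    }
    // Anchored match: ".*\.domain\.com" must not accept "www.domain.com.attacker.net".
    return preg_match('/^' . $pattern . '$/i', $httpHost) === 1;
}

/**
 * The configuration from the quoted message: the "pattern" is whatever the
 * client sent as Host. Used as a regex, a plain hostname always matches itself
 * (the unescaped dots match the literal dots), so every value is accepted.
 */
function weakPatternFromRequest(string $httpHost): string
{
    return $httpHost;
}

/** Constructed sample Host headers: two legitimate values, two attacker-chosen. */
const SAMPLE_HOSTS = [
    'www.domain.com',
    'www.domain.com:88',
    'www.domain.com.attacker.net',
    'attacker.net',
];

/**
 * Run every sample header through the check. $patternFor receives the Host
 * value and returns the pattern to use, which lets the weak configuration
 * (pattern taken from the request) be expressed the same way as a fixed one.
 */
function evaluate(callable $patternFor, string $serverName = 'www.domain.com', int $serverPort = 80): array
{
    $result = [];
    foreach (SAMPLE_HOSTS as $host) {
        $result[$host] = isHostTrusted($host, $patternFor($host), $serverName, $serverPort);
    }
    return $result;
}

$configs = [
    // The setting criticised in the message: pattern mirrors the request.
    "\$_SERVER['HTTP_HOST'] as pattern" => fn(string $host): string => weakPatternFromRequest($host),
    // The default: compare against SERVER_NAME (and SERVER_PORT when non-default).
    'SERVER_NAME (default)'            => fn(string $host): string => 'SERVER_NAME',
    // An explicit pattern that also allows the non-standard port 88.
    'www\.domain\.com(:88)?'           => fn(string $host): string => 'www\.domain\.com(:88)?',
];

foreach ($configs as $label => $patternFor) {
    echo $label, PHP_EOL;
    foreach (evaluate($patternFor) as $host => $ok) {
        printf("  %-30s %s\n", $host, $ok ? 'accepted' : 'rejected');
    }
}
```

With the weak setting every sample header, including the two attacker-chosen ones, is accepted, which is what the message means by opening the vector the setting exists to close. SERVER_NAME mode accepts only `www.domain.com` (port 80 is the default and so is not expected in the header), and the explicit pattern accepts `www.domain.com` and `www.domain.com:88` while rejecting the rest; the `(:88)?` part is what the documentation's note about ports refers to, since `www\.domain\.com` alone would reject the `:88` variant.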