[TYPO3-core] trustedHostsPattern

Christian Kuhn lolli at schwarzbu.ch
Fri May 8 18:23:30 CEST 2015


Hey.

On 08.05.2015 17:54, Thomas Ruta wrote:
> 'trustedHostsPattern' => $_SERVER["HTTP_HOST"],

This is NOT a good idea!

You basically open the attack vector the setting wants to close. The 
whole point is that $_SERVER["HTTP_HOST"] is not trustworthy and thus is 
compared with the introduced 'trustedHostsPattern'. If you do not know 
exactly what you are doing, the above hack must not be used, is highly 
discouraged and opens a security hole.

Here is the documentation from the install tool for this setting again 
helping you to set this to a value that secures your instance:

Regular expression pattern that matches all allowed hostnames (including 
their ports) of this TYPO3 installation, or the string "SERVER_NAME" 
(default). The default value SERVER_NAME checks if the HTTP Host header 
equals the SERVER_NAME and SERVER_PORT. This is secure in correctly 
configured hosting environments and does not need further configuration. 
If you cannot change your hosting environment, you can enter a regular 
expression here. Examples: .*\.domain\.com matches all hosts that end 
with .domain.com with all corresponding subdomains. 
(.*\.domain|.*\.otherdomain)\.com matches all hostnames with subdomains 
from .domain.com and .otherdomain.com. Be aware that the HTTP Host header 
may also contain a port. If your installation runs on a specific port, 
you need to explicitly allow this in your pattern, e.g. 
www\.domain\.com:88 allows only www.domain.com:88, not www.domain.com. 
To disable this check completely (not recommended because it is 
insecure) you can use ".*" as pattern.


Regards
Christian


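As an added illustration (not TYPO3 code and not part of the mail above), the following script models the trustedHostsPattern check as the install tool documentation describes it: the SERVER_NAME default compares host and port against the webserver's values, a regex pattern must match the whole Host header including any port, and ".*" disables the check. The anchoring with ^...$, the isTrustedHost() function and the sample host names are assumptions made for this example; it shows why deriving the pattern from $_SERVER["HTTP_HOST"] makes the check validate the header against itself.

```php
<?php
// Example model of the trustedHostsPattern check (not TYPO3's own code).
// Assumption: regex mode anchors the pattern as /^pattern$/ against the
// full Host header; SERVER_NAME mode compares host and port separately.
declare(strict_types=1);

function isTrustedHost(string $hostHeader, string $pattern, string $serverName, string $serverPort): bool
{
    if ($pattern === '.*') {
        return true; // check disabled; documented as insecure
    }
    if ($pattern === 'SERVER_NAME') {
        // Default mode: Host header must equal SERVER_NAME and SERVER_PORT.
        $parts = parse_url('http://' . $hostHeader);
        if ($parts === false || !isset($parts['host'])) {
            return false;
        }
        $port = isset($parts['port']) ? (string)$parts['port'] : '80';
        return strtolower($parts['host']) === strtolower($serverName) && $port === $serverPort;
    }
    // Regex mode: the whole header, port included, must match the pattern.
    return preg_match('/^' . $pattern . '$/', $hostHeader) === 1;
}

// Constructed Host header values: the real site and an attacker-chosen name.
$legit = 'www.domain.com';
$evil  = 'www.domain.com.evil.example';

$cases = [
    // [Host header, configured pattern, SERVER_NAME, SERVER_PORT]
    'default SERVER_NAME, legitimate host' => [$legit, 'SERVER_NAME', $legit, '80'],
    'default SERVER_NAME, foreign host'    => [$evil, 'SERVER_NAME', $legit, '80'],
    'documented pattern, legitimate host'  => [$legit, '.*\.domain\.com', $legit, '80'],
    'documented pattern, foreign host'     => [$evil, '.*\.domain\.com', $legit, '80'],
    'port pattern, request with :88'       => ['www.domain.com:88', 'www\.domain\.com:88', $legit, '88'],
    'port pattern, request without port'   => [$legit, 'www\.domain\.com:88', $legit, '88'],
    // The hack from the mail: the pattern IS the untrusted header, so any
    // value an attacker sends is compared against itself and passes.
    'pattern taken from HTTP_HOST'         => [$evil, $evil, $legit, '80'],
];

foreach ($cases as $label => [$host, $pattern, $name, $port]) {
    printf("%-40s Host=%-30s -> %s\n", $label, $host,
        isTrustedHost($host, $pattern, $name, $port) ? 'trusted' : 'rejected');
}
```

The last case is the one the mail warns about: with the pattern sourced from the request, every foreign Host value is reported as trusted.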