From 0303e91ae562e90c26c721d9454b651673f19746 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Mon, 26 May 2014 15:30:46 +0200 Subject: [PATCH 1/3] Added the documentation for the trusted_hosts option --- reference/configuration/framework.rst | 64 +++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst index 7008ecc8c0d..2f6af3850fc 100644 --- a/reference/configuration/framework.rst +++ b/reference/configuration/framework.rst @@ -19,6 +19,7 @@ Configuration * `http_method_override`_ * `ide`_ * `test`_ +* `trusted_hosts`_ * `trusted_proxies`_ * `form`_ * enabled 
@@ -114,6 +115,69 @@ services related to testing your application (e.g. ``test.client``) are loaded. This setting should be present in your ``test`` environment (usually via ``app/config/config_test.yml``). For more information, see :doc:`/book/testing`. +.. _reference-framework-trusted-hosts: + +trusted_hosts +~~~~~~~~~~~~~ + +**type**: ``array`` + +The value of the ``$_SERVER['HOST']`` parameter cannot be safely trusted because +users can manipulate it. This option whitelists the hosts that your Symfony +application can respond to. + +.. configuration-block:: + + .. code-block:: yaml + + framework: + trusted_hosts: ['acme.com', 'acme.org'] + + .. code-block:: xml + + + + + + .. code-block:: php + + $container->loadFromExtension('framework', array( + 'trusted_hosts' => array('acme.com', 'acme.org'), + )); + +Hosts can also be configured using regular expressions, which make it easier to +respond to any subdomain: + +.. configuration-block:: + + .. code-block:: yaml + + framework: + trusted_hosts: ['.*\.?acme.com$', '.*\.?acme.org$'] + + .. code-block:: xml + + + + + + .. code-block:: php + + $container->loadFromExtension('framework', array( + 'trusted_hosts' => array('.*\.?acme.com$', '.*\.?acme.org$'), + )); + +In addition, you can also set the trusted hosts in the front controller using +the ``Request::setTrustedHosts()`` method: + +.. code-block:: php + + // web/app.php + Request::setTrustedHosts(array('.*\.?acme.com$', '.*\.?acme.org$')); + +The default value for this option is an empty array, meaning that the application +can respond to any given host. + .. _reference-framework-trusted-proxies: trusted_proxies From 361574a811985ef30d0ed3bfc893e3f4463ef768 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Mon, 26 May 2014 16:22:52 +0200 Subject: [PATCH 2/3] Fixed minor formatting issues --- reference/configuration/framework.rst | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) 
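Review bot: the regular-expression examples in the second configuration-block, `'.*\.?acme.com$'` and `'.*\.?acme.org$'`, are looser than the surrounding text ("respond to any subdomain") implies: the leading `.*` with an optional `\.?` also accepts a host such as `evilacme.com`, and the unescaped dot in `acme.com` matches any character, not only a literal dot. Suggest an anchored, escaped form such as `'^(.+\.)?acme\.com$'` in the YAML and PHP blocks and in the `Request::setTrustedHosts()` line, since this option exists precisely to reject hosts the application does not own. Two smaller points: `$_SERVER['HOST']` is not a PHP server variable, the header arrives in `$_SERVER['HTTP_HOST']`; and both `.. code-block:: xml` entries appear empty in this hunk, so the XML variant of the configuration should be checked before merge.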
diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst index 2f6af3850fc..a5479d68009 100644 --- a/reference/configuration/framework.rst +++ b/reference/configuration/framework.rst @@ -115,8 +115,6 @@ services related to testing your application (e.g. ``test.client``) are loaded. This setting should be present in your ``test`` environment (usually via ``app/config/config_test.yml``). For more information, see :doc:`/book/testing`. -.. _reference-framework-trusted-hosts: - trusted_hosts ~~~~~~~~~~~~~ @@ -168,9 +166,7 @@ respond to any subdomain: )); In addition, you can also set the trusted hosts in the front controller using -the ``Request::setTrustedHosts()`` method: - -.. code-block:: php +the ``Request::setTrustedHosts()`` method:: // web/app.php Request::setTrustedHosts(array('.*\.?acme.com$', '.*\.?acme.org$')); From 9fb67665710793a6674445212c34b17e453504a3 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Sat, 5 Jul 2014 16:12:57 +0200 Subject: [PATCH 3/3] Added more information about the risks involved and why this configuration option is useful. The source of this information is the content of this security advisory: http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released#cve-2013-4752-request-gethost-poisoning --- reference/configuration/framework.rst | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst index a5479d68009..0e02b3c0b90 100644 --- a/reference/configuration/framework.rst +++ b/reference/configuration/framework.rst 
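Review bot: this hunk drops the `.. _reference-framework-trusted-hosts:` label while the sibling `.. _reference-framework-trusted-proxies:` label, visible as trailing context of the previous patch, is kept; without it the new section cannot be cross-referenced with `:ref:` from other pages. Unless the removal is deliberate, suggest restoring the label above `trusted_hosts` for consistency with the neighbouring option. The switch to the `::` literal-block form for the `Request::setTrustedHosts()` snippet is fine.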
@@ -120,9 +120,16 @@ trusted_hosts **type**: ``array`` -The value of the ``$_SERVER['HOST']`` parameter cannot be safely trusted because -users can manipulate it. This option whitelists the hosts that your Symfony -application can respond to. +A lot of different attacks have been discovered relying on inconsistencies +between the handling of the ``Host`` header by various software (web servers, +reverse proxies, web frameworks, etc.). Basically, everytime the framework is +generating an absolute URL (when sending an email to reset a password for +instance), the host might have been manipulated by an attacker. + +The Symfony Request::getHost() method might be vulnerable to some of these attacks +because it depends on the configuration of your web server. One simple solution +to avoid these attacks is to whitelist the hosts that your Symfony application +can respond to. That's the purpose of this ``trusted_hosts`` option: .. configuration-block::
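Review bot: two wording and markup fixes in the added paragraphs: "everytime" should read "every time", and `Request::getHost()` should be set in double backticks like ``trusted_hosts`` and ``Host`` elsewhere in the hunk. Since the commit message states the text is derived from the CVE-2013-4752 advisory, consider citing that advisory URL in the paragraph so readers can follow the details of the ``Host`` header handling issue the option mitigates.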