authorAndrey Andreev <narf@devilix.net>2015-10-26 14:31:38 +0100
committerAndrey Andreev <narf@devilix.net>2015-10-31 17:55:30 +0100
commit0a6b0661305f20ac1fbd219d43f59193bea90d1d (patch)
treeea43dad00c9a93b64ea9c823c0702ddf937fc2d8 /application
parent71b1b3f5b2dcc0f4b652e9494e9853b82541ac8c (diff)
Prevent Host header injections
Diffstat (limited to 'application')
-rw-r--r--application/config/config.php14
1 files changed, 10 insertions, 4 deletions
diff --git a/application/config/config.php b/application/config/config.php
index 479d591a4..4f8f81406 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -11,10 +11,16 @@ defined('BASEPATH') OR exit('No direct script access allowed');
|
| http://example.com/
|
-| If this is not set then CodeIgniter will try guess the protocol, domain
-| and path to your installation. However, you should always configure this
-| explicitly and never rely on auto-guessing, especially in production
-| environments.
+| WARNING: You MUST set this value!
+|
+| If it is not set, then CodeIgniter will try guess the protocol and path
+| your installation, but due to security concerns the hostname will be set
+| to $_SERVER['SERVER_ADDR'] if available, or localhost otherwise.
+| The auto-detection mechanism exists only for convenience during
+| development and MUST NOT be used in production!
+|
+| If you need to allow multiple domains, remember that this file is still
+| a PHP script and you can easily do that on your own.
|
*/
$config['base_url'] = '';
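Review bot: The closing sentence of the new comment ("If you need to allow multiple domains ... you can easily do that on your own") omits the one constraint that keeps such a setup safe: the requested host has to be matched against a fixed list of permitted domains before it is used in `base_url`. A reader who copies `$_SERVER['HTTP_HOST']` into the setting unchecked brings back the Host header injection this commit is meant to prevent. I would add a line such as `| Only use a host name after matching it against a fixed list of allowed domains; never assign $_SERVER['HTTP_HOST'] directly.` The sentence above it also lost words in the rewrite: `try guess the protocol and path your installation` should read `try to guess the protocol and path to your installation`. The comment block opens above the hunk, so the rest of its wording is not visible here.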