diff options
| -rw-r--r-- | application/config/config.php | 8 | ||||
| -rw-r--r-- | system/core/Config.php | 4 | ||||
| -rw-r--r-- | user_guide_src/source/changelog.rst | 1 | ||||
| -rw-r--r-- | user_guide_src/source/general/environments.rst | 2 |
4 files changed, 10 insertions, 5 deletions
diff --git a/application/config/config.php b/application/config/config.php index f02856544..675cb4fa2 100644 --- a/application/config/config.php +++ b/application/config/config.php @@ -47,11 +47,13 @@ defined('BASEPATH') OR exit('No direct script access allowed'); | | http://example.com/ | -| If this is not set then CodeIgniter will guess the protocol, domain and -| path to your installation. +| If this is not set then CodeIgniter will try guess the protocol, domain +| and path to your installation. However, you should always configure this +| explicitly and never rely on auto-guessing, especially in production +| environments. | */ -$config['base_url'] = ''; +$config['base_url'] = ''; /* |-------------------------------------------------------------------------- diff --git a/system/core/Config.php b/system/core/Config.php index 02e6dd84f..d8a606c14 100644 --- a/system/core/Config.php +++ b/system/core/Config.php @@ -87,7 +87,9 @@ class CI_Config { // Set the base_url automatically if none was provided if (empty($this->config['base_url'])) { - if (isset($_SERVER['HTTP_HOST'])) + // The regular expression is only a basic validation for a valid "Host" header. + // It's not exhaustive, only checks for valid characters. + if (isset($_SERVER['HTTP_HOST']) && preg_match('/^((\[[0-9a-f:]+\])|(\d{1,3}(\.\d{1,3}){3})|[a-z0-9\-\.]+)(:\d+)?$/i', $_SERVER['HTTP_HOST'])) { $base_url = (is_https() ? 'https' : 'http').'://'.$_SERVER['HTTP_HOST'] .substr($_SERVER['SCRIPT_NAME'], 0, strpos($_SERVER['SCRIPT_NAME'], basename($_SERVER['SCRIPT_FILENAME']))); diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index f57e244b1..909c3bc3c 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -503,6 +503,7 @@ Release Date: Not Released - Removed internal method ``_assign_to_config()`` and moved its implementation to *CodeIgniter.php* instead. - ``item()`` now returns NULL instead of FALSE when the required config item doesn't exist. - Added an optional second parameter to both ``base_url()`` and ``site_url()`` that allows enforcing of a protocol different than the one in the *base_url* configuration setting. + - Added HTTP "Host" header character validation to prevent cache poisoning attacks when ``base_url`` auto-detection is used. - :doc:`Security Library <libraries/security>` changes include: diff --git a/user_guide_src/source/general/environments.rst b/user_guide_src/source/general/environments.rst index d74ebb8d5..1ce4fde3a 100644 --- a/user_guide_src/source/general/environments.rst +++ b/user_guide_src/source/general/environments.rst @@ -20,7 +20,7 @@ the value provided in ``$_SERVER['CI_ENV']``, otherwise defaults to This server variable can be set in your .htaccess file, or Apache config using `SetEnv <https://httpd.apache.org/docs/2.2/mod/mod_env.html#setenv>`_. Alternative methods are available for nginx and other servers, or you can -remove this logic entirely and set the constant based on the HTTP_HOST or IP. +remove this logic entirely and set the constant based on the server's IP address. In addition to affecting some basic framework behavior (see the next section), you may use this constant in your own development to |