diff --git a/.env.example b/.env.example index 31e3cca14b..e82b5c5bcd 100644 --- a/.env.example +++ b/.env.example @@ -145,6 +145,7 @@ APP_LOG_MAX_FILES=10 APP_LOCKED=false APP_CIPHER=AES-256-CBC APP_FORCE_TLS=false +APP_ALLOW_INSECURE_HOSTS=false GOOGLE_MAPS_API= LDAP_MEM_LIM=500M LDAP_TIME_LIM=600 diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php index c2651c3aef..a74c48e418 100644 --- a/app/Providers/AppServiceProvider.php +++ b/app/Providers/AppServiceProvider.php @@ -43,6 +43,14 @@ class AppServiceProvider extends ServiceProvider \Log::warning("'APP_FORCE_TLS' is set to true, but 'APP_URL' does not start with 'https://'. Will not force TLS on connections."); } } + + // TODO - isn't it somehow 'gauche' to check the environment directly; shouldn't we be using config() somehow? + if ( ! env('APP_ALLOW_INSECURE_HOSTS')) { // unless you set APP_ALLOW_INSECURE_HOSTS, you should PROHIBIT forging domain parts of URL via Host: headers + $url_parts = parse_url(config('app.url')); + $root_url = $url_parts['scheme'].'://'.$url_parts['host'].( isset($url_parts['port']) ? ':'.$url_parts['port'] : ''); + \URL::forceRootUrl($root_url); + } + Schema::defaultStringLength(191); Asset::observe(AssetObserver::class); Accessory::observe(AccessoryObserver::class);