From 0c4768fd2a11ac26a61814cef23a71061bfd8bcc Mon Sep 17 00:00:00 2001
From: Brady Wetherington <bwetherington@grokability.com>
Date: Tue, 18 Jan 2022 15:31:30 -0800
Subject: [PATCH] Force UrlGenerator's Root URL to be the base of APP_URL
 unless overriden (For v5)

---
 .env.example                         | 1 +
 app/Providers/AppServiceProvider.php | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/.env.example b/.env.example
index 31e3cca14b..e82b5c5bcd 100644
--- a/.env.example
+++ b/.env.example
@@ -145,6 +145,7 @@ APP_LOG_MAX_FILES=10
 APP_LOCKED=false
 APP_CIPHER=AES-256-CBC
 APP_FORCE_TLS=false
+APP_ALLOW_INSECURE_HOSTS=false
 GOOGLE_MAPS_API=
 LDAP_MEM_LIM=500M
 LDAP_TIME_LIM=600
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index c2651c3aef..a74c48e418 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -43,6 +43,14 @@ class AppServiceProvider extends ServiceProvider
                 \Log::warning("'APP_FORCE_TLS' is set to true, but 'APP_URL' does not start with 'https://'. Will not force TLS on connections.");
             }
         }
+
+        // TODO - isn't it somehow 'gauche' to check the environment directly; shouldn't we be using config() somehow?
+        if ( ! env('APP_ALLOW_INSECURE_HOSTS')) {  // unless you set APP_ALLOW_INSECURE_HOSTS, you should PROHIBIT forging domain parts of URL via Host: headers
+            $url_parts = parse_url(config('app.url'));
+            $root_url = $url_parts['scheme'].'://'.$url_parts['host'].( isset($url_parts['port']) ? ':'.$url_parts['port'] : '');
+            \URL::forceRootUrl($root_url);
+        }
+
         Schema::defaultStringLength(191);
         Asset::observe(AssetObserver::class);
         Accessory::observe(AccessoryObserver::class);