From 455bc736be6f4c46376a4ecfc42c39e7a061f5e4 Mon Sep 17 00:00:00 2001
From: Brady Wetherington
Date: Tue, 18 Jan 2022 15:31:30 -0800
Subject: [PATCH] Force UrlGenerator's Root URL to be the base of APP_URL unless overriden
---
 .env.example | 1 +
 app/Providers/AppServiceProvider.php | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/.env.example b/.env.example
index d61960b959..be2d126777 100644
--- a/.env.example
+++ b/.env.example
@@ -149,6 +149,7 @@ APP_LOG_MAX_FILES=10
 APP_LOCKED=false
 APP_CIPHER=AES-256-CBC
 APP_FORCE_TLS=false
+APP_ALLOW_INSECURE_HOSTS=false
 GOOGLE_MAPS_API=
 LDAP_MEM_LIM=500M
 LDAP_TIME_LIM=600
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index 86903e6dda..1069af4a06 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -43,6 +43,13 @@ class AppServiceProvider extends ServiceProvider
 }
 }
+ // TODO - isn't it somehow 'gauche' to check the environment directly; shouldn't we be using config() somehow?
+ if ( ! env('APP_ALLOW_INSECURE_HOSTS')) { // unless you set APP_ALLOW_INSECURE_HOSTS, you should PROHIBIT forging domain parts of URL via Host: headers
+ $url_parts = parse_url(config('app.url'));
+ $root_url = $url_parts['scheme'].'://'.$url_parts['host'].( isset($url_parts['port']) ? ':'.$url_parts['port'] : '');
+ \URL::forceRootUrl($root_url);
+ }
+
 \Illuminate\Pagination\Paginator::useBootstrap();
 Schema::defaultStringLength(191);
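Review bot: The `$root_url` line reads `$url_parts['scheme']` and `$url_parts['host']` without checking that `parse_url()` succeeded or that either key is present, so an `app.url` that is empty, scheme-less (e.g. `localhost:8000`) or otherwise unparseable produces a warning and a forced root of `://`, which silently breaks every generated link rather than failing closed; since this branch is the secure default, a bad APP_URL should stop boot with a clear message, as in the rewrite below. The TODO on the first added line is worth acting on now: with a cached config `env()` returns null here, so enforcement always applies (safe) but an operator's `APP_ALLOW_INSECURE_HOSTS=true` is silently ignored; mapping the variable through a config key read via `config()` avoids that. Note too that `parse_url()`'s `path` component is discarded, so for an install served under a sub-path the forced root may drop that prefix — worth confirming against how the URL generator composes `to()` before relying on this. The enclosing method starts before the hunk.
```php
$url_parts = parse_url((string) config('app.url'));
// Fail closed: a missing scheme/host must not degrade into a '://' root that both breaks links and obscures the misconfiguration.
if ($url_parts === false || ! isset($url_parts['scheme'], $url_parts['host'])) {
    throw new \RuntimeException('APP_URL must be an absolute URL with scheme and host unless APP_ALLOW_INSECURE_HOSTS is set');
}
$root_url = $url_parts['scheme'].'://'.$url_parts['host'].(isset($url_parts['port']) ? ':'.$url_parts['port'] : '');
\URL::forceRootUrl($root_url);
```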