DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2025-02-21 03:15:45 -08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #10528 from uberbrady/fix_insecure_host_headers_v6

Browse source 
Force UrlGenerator's Root URL to be the base of APP_URL unless overriden
This commit is contained in:
Brady Wetherington 2022-01-24 18:26:30 -08:00 committed by GitHub
parent eade041b6e 455bc736be
commit 48f1380f6e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.env.example
View file

@ -149,6 +149,7 @@ APP_LOG_MAX_FILES=10
APP_LOCKED=false APP_LOCKED=false
APP_CIPHER=AES-256-CBC APP_CIPHER=AES-256-CBC
APP_FORCE_TLS=false APP_FORCE_TLS=false
APP_ALLOW_INSECURE_HOSTS=false
GOOGLE_MAPS_API= GOOGLE_MAPS_API=
LDAP_MEM_LIM=500M LDAP_MEM_LIM=500M
LDAP_TIME_LIM=600 LDAP_TIME_LIM=600

7
app/Providers/AppServiceProvider.php
View file

@ -43,6 +43,13 @@ class AppServiceProvider extends ServiceProvider
} }
} }
// TODO - isn't it somehow 'gauche' to check the environment directly; shouldn't we be using config() somehow?
if ( ! env('APP_ALLOW_INSECURE_HOSTS')) { // unless you set APP_ALLOW_INSECURE_HOSTS, you should PROHIBIT forging domain parts of URL via Host: headers
$url_parts = parse_url(config('app.url'));
$root_url = $url_parts['scheme'].'://'.$url_parts['host'].( isset($url_parts['port']) ? ':'.$url_parts['port'] : '');
\URL::forceRootUrl($root_url);
}
\Illuminate\Pagination\Paginator::useBootstrap(); \Illuminate\Pagination\Paginator::useBootstrap();
Schema::defaultStringLength(191); Schema::defaultStringLength(191);