Skip to content
Snippets Groups Projects
Commit 98377d57 authored by Alex Pott's avatar Alex Pott
Browse files

Issue #2221699 by mpdonadio, mikey_p, alexpott, kim.pepper, arlinsandbulte:... 

Issue #2221699 by mpdonadio, mikey_p, alexpott, kim.pepper, arlinsandbulte: HTTP_HOST header cannot be trusted
parent 1e98b164
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 277 additions and 12 deletions
core/lib/Drupal/Core/DrupalKernel.php
+ 54
0
View file @ 98377d57
...@@ -201,6 +201,9 @@ class DrupalKernel implements DrupalKernelInterface, TerminableInterface { ...@@ -201,6 +201,9 @@ class DrupalKernel implements DrupalKernelInterface, TerminableInterface {
* from disk. Defaults to TRUE. * from disk. Defaults to TRUE.
* *
* @return static * @return static
*
* @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
* In case the host name in the request is not trusted.
*/ */
public static function createFromRequest(Request $request, $class_loader, $environment, $allow_dumping = TRUE) { public static function createFromRequest(Request $request, $class_loader, $environment, $allow_dumping = TRUE) {
// Include our bootstrap file. // Include our bootstrap file.
...@@ -217,6 +220,15 @@ public static function createFromRequest(Request $request, $class_loader, $envir ...@@ -217,6 +220,15 @@ public static function createFromRequest(Request $request, $class_loader, $envir
$kernel->setSitePath($site_path); $kernel->setSitePath($site_path);
Settings::initialize(dirname($core_root), $site_path, $class_loader); Settings::initialize(dirname($core_root), $site_path, $class_loader);
// Initialize our list of trusted HTTP Host headers to protect against
// header attacks.
$hostPatterns = Settings::get('trusted_host_patterns', array());
if (PHP_SAPI !== 'cli' && !empty($hostPatterns)) {
if (static::setupTrustedHosts($request, $hostPatterns) === FALSE) {
throw new BadRequestHttpException('The provided host name is not valid for this server.');
}
}
// Redirect the user to the installation script if Drupal has not been // Redirect the user to the installation script if Drupal has not been
// installed yet (i.e., if no $databases array has been defined in the // installed yet (i.e., if no $databases array has been defined in the
// settings.php file) and we are not already installing. // settings.php file) and we are not already installing.
...@@ -1266,4 +1278,46 @@ public static function validateHostname(Request $request) { ...@@ -1266,4 +1278,46 @@ public static function validateHostname(Request $request) {
return TRUE; return TRUE;
} }
/**
* Sets up the lists of trusted HTTP Host headers.
*
* Since the HTTP Host header can be set by the user making the request, it
* is possible to create an attack vectors against a site by overriding this.
* Symfony provides a mechanism for creating a list of trusted Host values.
*
* Host patterns (as regular expressions) can be configured throught
* settings.php for multisite installations, sites using ServerAlias without
* canonical redirection, or configurations where the site responds to default
* requests. For example,
*
* @code
* $settings['trusted_host_patterns'] = array(
* '^example\.com$',
* '^*.example\.com$',
* );
* @endcode
*
* @param \Symfony\Component\HttpFoundation\Request $request
* The request object.
* @param array $hostPatterns
* The array of trusted host patterns.
*
* @return boolean
* TRUE if the Host header is trusted, FALSE otherwise.
*
* @see https://www.drupal.org/node/1992030
*/
protected static function setupTrustedHosts(Request $request, $hostPatterns) {
$request->setTrustedHosts($hostPatterns);
// Get the host, which will validate the current request.
try {
$request->getHost();
}
catch (\UnexpectedValueException $e) {
return FALSE;
}
return TRUE;
}
} }
core/modules/system/src/PathBasedBreadcrumbBuilder.php
+ 6
7
View file @ 98377d57
...@@ -7,6 +7,7 @@ ...@@ -7,6 +7,7 @@
namespace Drupal\system; namespace Drupal\system;
use Drupal\Component\Utility\Unicode;
use Drupal\Core\Access\AccessManagerInterface; use Drupal\Core\Access\AccessManagerInterface;
use Drupal\Core\Breadcrumb\BreadcrumbBuilderInterface; use Drupal\Core\Breadcrumb\BreadcrumbBuilderInterface;
use Drupal\Core\Config\ConfigFactoryInterface; use Drupal\Core\Config\ConfigFactoryInterface;
...@@ -14,19 +15,17 @@ ...@@ -14,19 +15,17 @@
use Drupal\Core\Link; use Drupal\Core\Link;
use Drupal\Core\ParamConverter\ParamNotConvertedException; use Drupal\Core\ParamConverter\ParamNotConvertedException;
use Drupal\Core\PathProcessor\InboundPathProcessorInterface; use Drupal\Core\PathProcessor\InboundPathProcessorInterface;
use Drupal\Core\Routing\RequestContext;
use Drupal\Core\Routing\RouteMatch; use Drupal\Core\Routing\RouteMatch;
use Drupal\Core\Routing\RouteMatchInterface; use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\Core\Session\AccountInterface; use Drupal\Core\Session\AccountInterface;
use Drupal\Core\StringTranslation\StringTranslationTrait; use Drupal\Core\StringTranslation\StringTranslationTrait;
use Drupal\Component\Utility\Unicode;
use Drupal\Core\Url; use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
use Symfony\Cmf\Component\Routing\RouteObjectInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\Routing\Matcher\RequestMatcherInterface;
use Symfony\Component\Routing\RequestContext;
use Symfony\Component\Routing\Exception\MethodNotAllowedException; use Symfony\Component\Routing\Exception\MethodNotAllowedException;
use Symfony\Component\Routing\Exception\ResourceNotFoundException; use Symfony\Component\Routing\Exception\ResourceNotFoundException;
use Symfony\Component\Routing\Matcher\RequestMatcherInterface;
/** /**
* Class to define the menu_link breadcrumb builder. * Class to define the menu_link breadcrumb builder.
...@@ -37,7 +36,7 @@ class PathBasedBreadcrumbBuilder implements BreadcrumbBuilderInterface { ...@@ -37,7 +36,7 @@ class PathBasedBreadcrumbBuilder implements BreadcrumbBuilderInterface {
/** /**
* The router request context. * The router request context.
* *
* @var \Symfony\Component\Routing\RequestContext * @var \Drupal\Core\Routing\RequestContext
*/ */
protected $context; protected $context;
...@@ -86,7 +85,7 @@ class PathBasedBreadcrumbBuilder implements BreadcrumbBuilderInterface { ...@@ -86,7 +85,7 @@ class PathBasedBreadcrumbBuilder implements BreadcrumbBuilderInterface {
/** /**
* Constructs the PathBasedBreadcrumbBuilder. * Constructs the PathBasedBreadcrumbBuilder.
* *
* @param \Symfony\Component\Routing\RequestContext $context * @param \Drupal\Core\Routing\RequestContext $context
* The router request context. * The router request context.
* @param \Drupal\Core\Access\AccessManagerInterface $access_manager * @param \Drupal\Core\Access\AccessManagerInterface $access_manager
* The menu link access service. * The menu link access service.
...@@ -182,7 +181,7 @@ protected function getRequestForPath($path, array $exclude) { ...@@ -182,7 +181,7 @@ protected function getRequestForPath($path, array $exclude) {
} }
// @todo Use the RequestHelper once https://drupal.org/node/2090293 is // @todo Use the RequestHelper once https://drupal.org/node/2090293 is
// fixed. // fixed.
$request = Request::create($this->context->getBaseUrl() . '/' . $path); $request = Request::create($this->context->getCompleteBaseUrl() . '/' . $path);
// Performance optimization: set a short accept header to reduce overhead in // Performance optimization: set a short accept header to reduce overhead in
// AcceptHeaderMatcher when matching the request. // AcceptHeaderMatcher when matching the request.
$request->headers->set('Accept', 'text/html'); $request->headers->set('Accept', 'text/html');
......
core/modules/system/src/Tests/System/TrustedHostsTest.php 0 → 100644
+ 62
0
View file @ 98377d57
<?php
/**
* @file
* Contains \Drupal\system\Tests\System\TrustedHostsTest.
*/
namespace Drupal\system\Tests\System;
use Drupal\Core\Site\Settings;
use Drupal\simpletest\WebTestBase;
/**
* Tests output on the status overview page.
*
* @group system
*/
class TrustedHostsTest extends WebTestBase {
/**
* {@inheritdoc}
*/
protected function setUp() {
parent::setUp();
$admin_user = $this->drupalCreateUser(array(
'administer site configuration',
));
$this->drupalLogin($admin_user);
}
/**
* Tests that the status page shows an error when the trusted host setting
* is missing from settings.php
*/
public function testStatusPageWithoutConfiguration() {
$this->drupalGet('admin/reports/status');
$this->assertResponse(200, 'The status page is reachable.');
$this->assertRaw(t('Trusted Host Settings'));
$this->assertRaw(t('The trusted_host_patterns setting is not configured in settings.php.'));
}
/**
* Tests that the status page shows the trusted patterns from settings.php.
*/
public function testStatusPageWithConfiguration() {
$settings['settings']['trusted_host_patterns'] = (object) array(
'value' => array('^' . preg_quote(\Drupal::request()->getHost()) . '$'),
'required' => TRUE,
);
$this->writeSettings($settings);
$this->drupalGet('admin/reports/status');
$this->assertResponse(200, 'The status page is reachable.');
$this->assertRaw(t('Trusted Host Settings'));
$this->assertRaw(t('The trusted_host_patterns setting is set to allow'));
}
}
core/modules/system/system.install
+ 22
0
View file @ 98377d57
...@@ -611,6 +611,28 @@ function system_requirements($phase) { ...@@ -611,6 +611,28 @@ function system_requirements($phase) {
); );
} }
} }
// See if trusted hostnames have been configured, and warn the user if they
// are not set.
if ($phase == 'runtime') {
$trusted_host_patterns = Settings::get('trusted_host_patterns');
if (empty($trusted_host_patterns)) {
$requirements['trusted_host_patterns'] = array(
'title' => t('Trusted Host Settings'),
'value' => t('Not enabled'),
'description' => t('The trusted_host_patterns setting is not configured in settings.php. This can lead to security vulnerabilities. It is <strong>highly recommended</strong> that you configure this. See <a href="@url">Protecting against HTTP HOST Header attacks</a> for more information.', array('@url' => 'https://www.drupal.org/node/1992030')),
'severity' => REQUIREMENT_ERROR,
);
}
else {
$requirements['trusted_host_patterns'] = array(
'title' => t('Trusted Host Settings'),
'value' => t('Enabled'),
'description' => t('The trusted_host_patterns setting is set to allow %trusted_host_patterns', array('%trusted_host_patterns' => join(', ', $trusted_host_patterns))),
);
}
}
return $requirements; return $requirements;
} }
......
core/modules/system/tests/src/Unit/Breadcrumbs/PathBasedBreadcrumbBuilderTest.php
+ 2
2
View file @ 98377d57
...@@ -58,7 +58,7 @@ class PathBasedBreadcrumbBuilderTest extends UnitTestCase { ...@@ -58,7 +58,7 @@ class PathBasedBreadcrumbBuilderTest extends UnitTestCase {
/** /**
* The mocked route request context. * The mocked route request context.
* *
* @var \Symfony\Component\Routing\RequestContext|\PHPUnit_Framework_MockObject_MockObject * @var \Drupal\Core\Routing\RequestContext|\PHPUnit_Framework_MockObject_MockObject
*/ */
protected $context; protected $context;
...@@ -89,7 +89,7 @@ protected function setUp() { ...@@ -89,7 +89,7 @@ protected function setUp() {
$config_factory = $this->getConfigFactoryStub(array('system.site' => array('front' => 'test_frontpage'))); $config_factory = $this->getConfigFactoryStub(array('system.site' => array('front' => 'test_frontpage')));
$this->pathProcessor = $this->getMock('\Drupal\Core\PathProcessor\InboundPathProcessorInterface'); $this->pathProcessor = $this->getMock('\Drupal\Core\PathProcessor\InboundPathProcessorInterface');
$this->context = $this->getMock('\Symfony\Component\Routing\RequestContext'); $this->context = $this->getMock('\Drupal\Core\Routing\RequestContext');
$this->accessManager = $this->getMock('\Drupal\Core\Access\AccessManagerInterface'); $this->accessManager = $this->getMock('\Drupal\Core\Access\AccessManagerInterface');
$this->titleResolver = $this->getMock('\Drupal\Core\Controller\TitleResolverInterface'); $this->titleResolver = $this->getMock('\Drupal\Core\Controller\TitleResolverInterface');
......
core/modules/views_ui/src/ViewUI.php
+ 3
2
View file @ 98377d57
...@@ -611,8 +611,9 @@ public function renderPreview($display_id, $args = array()) { ...@@ -611,8 +611,9 @@ public function renderPreview($display_id, $args = array()) {
// Make view links come back to preview. // Make view links come back to preview.
// Also override the current path so we get the pager. // Also override the current path so we get the pager, and make sure the
$request = new Request(); // Request object gets all of the proper values from $_SERVER.
$request = Request::createFromGlobals();
$request->attributes->set(RouteObjectInterface::ROUTE_NAME, 'entity.view.preview_form'); $request->attributes->set(RouteObjectInterface::ROUTE_NAME, 'entity.view.preview_form');
$request->attributes->set(RouteObjectInterface::ROUTE_OBJECT, \Drupal::service('router.route_provider')->getRouteByName('entity.view.preview_form')); $request->attributes->set(RouteObjectInterface::ROUTE_OBJECT, \Drupal::service('router.route_provider')->getRouteByName('entity.view.preview_form'));
$request->attributes->set('view', $this->storage); $request->attributes->set('view', $this->storage);
......
core/tests/Drupal/Tests/Core/DrupalKernel/DrupalKernelTrustedHostsTest.php 0 → 100644
+ 78
0
View file @ 98377d57
<?php
/**
* @file
* Contains \Drupal\Tests\Core\DrupalKernel\DrupalKernelTrustedHostsTest.
*/
namespace Drupal\Tests\Core\DrupalKernel;
use Drupal\Core\DrupalKernel;
use Drupal\Tests\UnitTestCase;
use Symfony\Component\HttpFoundation\Request;
/**
* @coversDefaultClass \Drupal\Core\DrupalKernel
* @group DrupalKernel
*/
class DrupalKernelTrustedHostsTest extends UnitTestCase {
/**
* Tests hostname validation with settings.
*
* @covers ::setupTrustedHosts()
*
* @dataProvider providerTestTrustedHosts
*/
public function testTrustedHosts($host, $server_name, $message, $expected = FALSE) {
$request = new Request();
$trusted_host_patterns = [
'^example\.com$',
'^.+\.example\.com$',
'^example\.org',
'^.+\.example\.org',
];
if (!empty($host)) {
$request->headers->set('HOST', $host);
}
$request->server->set('SERVER_NAME', $server_name);
$method = new \ReflectionMethod('Drupal\Core\DrupalKernel', 'setupTrustedHosts');
$method->setAccessible(TRUE);
$valid_host = $method->invoke(null, $request, $trusted_host_patterns);
$this->assertSame($expected, $valid_host, $message);
// Reset the trusted hosts because it is statically stored on the request.
$method->invoke(null, $request, []);
}
/**
* Provides test data for testTrustedHosts().
*/
public function providerTestTrustedHosts() {
$data = [];
// Tests canonical URL.
$data[] = ['www.example.com', 'www.example.com', 'canonical URL is trusted', TRUE];
// Tests missing hostname for HTTP/1.0 compatability where the Host
// header is optional.
$data[] = [NULL, 'www.example.com', 'empty Host is valid', TRUE];
// Tests the additional paterns from the settings.
$data[] = ['example.com', 'www.example.com', 'host from settings is trusted', TRUE];
$data[] = ['subdomain.example.com', 'www.example.com', 'host from settings is trusted', TRUE];
$data[] = ['www.example.org', 'www.example.com', 'host from settings is trusted', TRUE];
$data[] = ['example.org', 'www.example.com', 'host from settings is trusted', TRUE];
// Tests mismatch.
$data[] = ['www.blackhat.com', 'www.example.com', 'unspecified host is untrusted', FALSE];
return $data;
}
}
index.php
+ 1
1
View file @ 98377d57
...@@ -27,7 +27,7 @@ ...@@ -27,7 +27,7 @@
$kernel->terminate($request, $response); $kernel->terminate($request, $response);
} }
catch (HttpExceptionInterface $e) { catch (HttpExceptionInterface $e) {
$response = new Response('', $e->getStatusCode()); $response = new Response($e->getMessage(), $e->getStatusCode());
$response->prepare($request)->send(); $response->prepare($request)->send();
} }
catch (Exception $e) { catch (Exception $e) {
......
sites/default/default.settings.php
+ 37
0
View file @ 98377d57
...@@ -607,3 +607,40 @@ ...@@ -607,3 +607,40 @@
# if (file_exists(__DIR__ . '/settings.local.php')) { # if (file_exists(__DIR__ . '/settings.local.php')) {
# include __DIR__ . '/settings.local.php'; # include __DIR__ . '/settings.local.php';
# } # }
/**
* Trusted host configuration.
*
* Drupal core can use the Symfony trusted host mechanism to prevent HTTP Host
* header spoofing.
*
* To enable the trusted host mechanism, you enable your allowable hosts
* in $settings['trusted_host_patterns']. This should be an array of regular
* expression patterns, without delimiters, representing the hosts you would
* like to allow.
*
* For example:
* @code
* $settings['trusted_host_patterns'] = array(
* '^www\.example\.com$',
* );
* @endcode
* will allow the site to only run from www.example.com.
*
* If you are running multisite, or if you are running your site from
* different domain names (eg, you don't redirect http://www.example.com to
* http://example.com), you should specify all of the host patterns that are
* allowed by your site.
*
* For example:
* @code
* $settings['trusted_host_patterns'] = array(
* '^example\.com$',
* '^.+\.example\.com$',
* '^example\.org',
* '^.+\.example\.org',
* );
* @endcode
* will allow the site to run off of all variants of example.com and
* example.org, with all subdomains included.
*/
sites/example.settings.local.php
+ 12
0
View file @ 98377d57
...@@ -55,3 +55,15 @@ ...@@ -55,3 +55,15 @@
* using these parameters in a request to rebuild.php. * using these parameters in a request to rebuild.php.
*/ */
$settings['rebuild_access'] = TRUE; $settings['rebuild_access'] = TRUE;
/**
* Trust localhost.
*
* This will configure several common hostnames used for local development to
* be trusted hosts.
*/
$settings['trusted_host_patterns'] = array(
'^localhost$',
'^localhost\.*',
'\.local$',
);
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment