‪TYPO3CMS  11.5
VerifyHostHeader.php
Go to the documentation of this file.
1 <?php
2 
3 declare(strict_types=1);
4 
5 /*
6  * This file is part of the TYPO3 CMS project.
7  *
8  * It is free software; you can redistribute it and/or modify it under
9  * the terms of the GNU General Public License, either version 2
10  * of the License, or any later version.
11  *
12  * For the full copyright and license information, please read the
13  * LICENSE.txt file that was distributed with this source code.
14  *
15  * The TYPO3 project - inspiring people to share!
16  */
17 
19 
20 use Psr\Http\Message\ResponseInterface;
21 use Psr\Http\Message\ServerRequestInterface;
22 use Psr\Http\Server\MiddlewareInterface;
23 use Psr\Http\Server\RequestHandlerInterface;
24 
30 class ‪VerifyHostHeader implements MiddlewareInterface
31 {
33  public const ‪ENV_TRUSTED_HOSTS_PATTERN_SERVER_NAME = 'SERVER_NAME';
34 
35  protected string ‪$trustedHostsPattern;
36 
37  public function ‪__construct(string ‪$trustedHostsPattern)
38  {
39  $this->trustedHostsPattern = ‪$trustedHostsPattern;
40  }
41 
42  public function ‪process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
43  {
44  $serverParams = $request->getServerParams();
45  $httpHost = $serverParams['HTTP_HOST'] ?? '';
46  if (!$this->‪isAllowedHostHeaderValue($httpHost, $serverParams)) {
47  throw new \UnexpectedValueException(
48  'The current host header value does not match the configured trusted hosts pattern!'
49  . ' Check the pattern defined in $GLOBALS[\'TYPO3_CONF_VARS\'][\'SYS\'][\'trustedHostsPattern\']'
50  . ' and adapt it, if you want to allow the current host header \'' . $httpHost . '\' for your installation.',
51  1396795884
52  );
53  }
54 
55  return $handler->handle($request);
56  }
57 
64  public function isAllowedHostHeaderValue(string $hostHeaderValue, array $serverParams): bool
65  {
66  // Deny the value if trusted host patterns is empty, which means configuration is invalid.
67  if ($this->trustedHostsPattern === '') {
68  return false;
69  }
70 
71  if ($this->trustedHostsPattern === self::ENV_TRUSTED_HOSTS_PATTERN_ALLOW_ALL) {
72  return true;
73  }
74 
75  return $this->hostHeaderValueMatchesTrustedHostsPattern($hostHeaderValue, $serverParams);
76  }
77 
81  protected function hostHeaderValueMatchesTrustedHostsPattern(string $hostHeaderValue, array $serverParams): bool
82  {
83  if ($this->trustedHostsPattern === self::ENV_TRUSTED_HOSTS_PATTERN_SERVER_NAME) {
84  $host = strtolower($hostHeaderValue);
85  // Default port to be verified if HTTP_HOST does not contain explicit port information.
86  // Deriving from raw/local webserver HTTPS information (not taking possible proxy configurations into account)
87  // as we compare against the raw/local server information (SERVER_PORT).
88  $port = self::webserverUsesHttps($serverParams) ? '443' : '80';
89 
90  $parsedHostValue = parse_url('http://' . $host);
91  ‪if (isset($parsedHostValue['port'])) {
92  $host = $parsedHostValue['host'];
93  $port = (string)$parsedHostValue['port'];
94  }
95 
96  // Allow values that equal the server name
97  // Note that this is only secure if name base virtual host are configured correctly in the webserver
98  $hostMatch = $host === strtolower($serverParams['SERVER_NAME']) && $port === $serverParams['SERVER_PORT'];
99  } else {
100  // In case name based virtual hosts are not possible, we allow setting a trusted host pattern
101  // See https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/ for further details
102  $hostMatch = (bool)preg_match('/^' . $this->trustedHostsPattern . '$/i', $hostHeaderValue);
103  }
104 
105  return $hostMatch;
106  }
107 
116  protected function ‪webserverUsesHttps(array $serverParams): bool
117  {
118  if (!empty($serverParams['SSL_SESSION_ID'])) {
119  return true;
120  }
121 
122  // https://secure.php.net/manual/en/reserved.variables.server.php
123  // "Set to a non-empty value if the script was queried through the HTTPS protocol."
124  return !empty($serverParams['HTTPS']) && strtolower($serverParams['HTTPS']) !== 'off';
125  }
126 }
‪TYPO3\CMS\Core\Middleware\VerifyHostHeader\process
‪process(ServerRequestInterface $request, RequestHandlerInterface $handler)
Definition: VerifyHostHeader.php:42
‪TYPO3\CMS\Core\Middleware\VerifyHostHeader\webserverUsesHttps
‪webserverUsesHttps(array $serverParams)
Definition: VerifyHostHeader.php:116
‪TYPO3\CMS\Core\Middleware\VerifyHostHeader\__construct
‪__construct(string $trustedHostsPattern)
Definition: VerifyHostHeader.php:37
‪TYPO3\CMS\Core\Middleware\VerifyHostHeader\ENV_TRUSTED_HOSTS_PATTERN_ALLOW_ALL
‪const ENV_TRUSTED_HOSTS_PATTERN_ALLOW_ALL
Definition: VerifyHostHeader.php:32
‪TYPO3\CMS\Core\Middleware\VerifyHostHeader\isAllowedHostHeaderValue
‪bool isAllowedHostHeaderValue(string $hostHeaderValue, array $serverParams)
Definition: VerifyHostHeader.php:64
‪TYPO3\CMS\Core\Middleware\VerifyHostHeader\ENV_TRUSTED_HOSTS_PATTERN_SERVER_NAME
‪const ENV_TRUSTED_HOSTS_PATTERN_SERVER_NAME
Definition: VerifyHostHeader.php:33
‪TYPO3\CMS\Core\Middleware
Definition: BackendUserAuthenticator.php:18
‪if
‪if(PHP_SAPI !=='cli')
Definition: checkNamespaceIntegrity.php:26
‪TYPO3\CMS\Core\Middleware\VerifyHostHeader
Definition: VerifyHostHeader.php:31
‪TYPO3\CMS\Core\Middleware\VerifyHostHeader\$trustedHostsPattern
‪string $trustedHostsPattern
Definition: VerifyHostHeader.php:35