TYPO3 Core

In bug 0001670 it was demonstrated that config.baseURL = 1 was an insecure setting as it allows for an injection of an arbitrary <base> tag via the HTTP-HOST variable. However, this is only applicable in a scenario where a web server is configured to deliver any host addressed to the same typo installation (i.e., regardless of the client's Host: site.com in HTTP request, input will be directed to a typo3 site.

In my setup, I am running apache with the VirtualDocumentRoot setting in order to host multiple typo3 sites. As typo3 may only be visited at explicit vhosts (which are specified via the Host: header bit), this exploit will not work against sites running in this manner. Therefore, the ability to have a default template that performed a config.baseURL=1-like-function (perhaps config.baseURL=HTTP_HOST so it is more obvious) would be advantageous, and also not dangerous due to the host checking that would occur within the webserver itself. Obviously you have to way this against the possibility that someone is lazy and allows themselves to be exploited, but some sort of appropriate enabling piece of typoscript could hopefully remedy this.

(issue imported from #M6564)