Bug #85062
closed
TYPO3 8.7 [SYS][trustedHostsPattern] = SERVER_NAME
0%
Description
Hello,
we have following problem in error log:
PHP Fatal error: Uncaught
UnexpectedValueException: The current host header value does not match the configured
trusted hosts pattern! Check the pattern defined in
$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] and adapt it, if you want to
allow the current host header 'http://www.mydomain.si./' for your installation. in
/var/www/html/typo3_source/typo3_src-8.7.12/typo3/sysext/core/Classes/Utility/GeneralUtility.php:29
So every time someone (bot...) wants to access following link http://www.mydomain.si*.*/ we get this php error.
The easy solution is to set 'trustedHostsPattern' => '.*' My question: why is 'trustedHostsPattern' => '.*' in TYPO3 defined as "not recommended because it is insecure"? Is that really so? And why?
Updated by Michael Stucki over 6 years ago
- Tracker changed from Support to Bug
- Project changed from 9 to TYPO3 Core
- Category deleted (
Support) - TYPO3 Version set to 8
Wrong project.
Updated by Wouter Wolters over 6 years ago
- Status changed from New to Rejected
Hi, this is more a support question but here is some information. For further help please try to get some help on Slack, Stackoverflow or our Forum.
The explanation about Trusted Host Pattern can be found in te Security Documentation of TYPO3.
TYPO3 uses the HTTP header "Host:" to generate absolute URLs in several places such as 404 handling, http(s) enforcement, password reset links and many more. Since the host header itself is provided by the client, it can be forged to any value, even in a name based virtual hosts environment.
The "trustedHostsPattern" configuration option can contain either the value SERVER_NAME or a regular expression pattern that matches all host names that are considered trustworthy for the particular TYPO3 installation. "SERVER_NAME" is the default value and with this option value in effect, TYPO3 checks the currently submitted host-header against the SERVER_NAME variable. Please see security bulletin TYPO3-CORE-SA-2014-001 (https://typo3.org/security/advisory/typo3-core-sa-2014-001/) for further details about specific setups.
If the "Host:" header also contains a non-standard port, the configuration must include this value, too. This is especially important for the default value "SERVER_NAME" as provided ports are checked against SERVER_PORT which fails in some more complex load balancing or SSL termination scenarios.
The PHP variable reads: $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']
Updated by Danilo Godec over 6 years ago
- Priority changed from Could have to Should have
Wouter Wolters wrote:
The "trustedHostsPattern" configuration option can contain either the value SERVER_NAME or a regular expression pattern that matches all host names that are considered trustworthy for the particular TYPO3 installation. "SERVER_NAME" is the default value and with this option value in effect, TYPO3 checks the currently submitted host-header against the SERVER_NAME variable. Please see security bulletin TYPO3-CORE-SA-2014-001 (https://typo3.org/security/advisory/typo3-core-sa-2014-001/) for further details about specific setups.
Apparently the trailing dot is a valid part of fully-qualified DNS domain name (http://www.dns-sd.org/trailingdotsindomainnames.html), so wouldn't it make sense for Typo3 / "SERVER_NAME" to consider these valid as well?
http://www.example.com/ and http://www.example.com./ should both work even if it's Typo3...
Updated by Rene Tobias over 6 years ago
Danilo Godec wrote:
Wouter Wolters wrote:
The "trustedHostsPattern" configuration option can contain either the value SERVER_NAME or a regular expression pattern that matches all host names that are considered trustworthy for the particular TYPO3 installation. "SERVER_NAME" is the default value and with this option value in effect, TYPO3 checks the currently submitted host-header against the SERVER_NAME variable. Please see security bulletin TYPO3-CORE-SA-2014-001 (https://typo3.org/security/advisory/typo3-core-sa-2014-001/) for further details about specific setups.
Apparently the trailing dot is a valid part of fully-qualified DNS domain name (http://www.dns-sd.org/trailingdotsindomainnames.html), so wouldn't it make sense for Typo3 / "SERVER_NAME" to consider these valid as well?
http://www.example.com/ and http://www.example.com./ should both work even if it's Typo3...
I agree with you @Danilo Godec.
Updated by Christian Kuhn over 6 years ago
Thanks for your thoughts.
I think the 'ends with dot is identical to does-not-end-with-dot' scenario is a pretty theoretical scenario without much practical use. The fact that this is allowed per-RFC is probably very widely unknown. I'd go so far to assume the 'bot' you're mentioning above could be some malicious test script that checks systems for possible sec issues in this area, at least I wouldn't be baffled if it turns out to be like that.
I guess for your customers it has zero benefit if we add the dot at the end to match, too. Thus, I'd rate this issue very low without any priority, that's more a nerdy detail to me.
Maybe you have a similar view on this. Feel free to propose a change in this area if this has practical use for you, though.
Updated by Danilo Godec over 6 years ago
Christian Kuhn wrote:
Thanks for your thoughts.
I think the 'ends with dot is identical to does-not-end-with-dot' scenario is a pretty theoretical scenario without much practical use.
After upgrading from Typo3 6 to Typo3 8 we started noticing PHP errors regarding 'trustedHostsPattern' and upon investigation we discovered that some people link to our site with the trailing dot. I don't know if these errors were present before and unfortunately, I can't check anymore.
Our first reaction was "let's just ignore this, it's their mistake", but apparently it should work.
Updated by Danilo Godec over 6 years ago
Just in case anyone's interested - we implemented a workaround with Apache mod_rewrite:
RewriteCond ^(.+?)\.$
RewriteRule ^ %{REQUEST_SCHEME}://%1{REQUEST_URI} [L,R=302,NE]