Bug #85062: TYPO3 8.7 [SYS][trustedHostsPattern] = SERVER_NAME - TYPO3 Core - TYPO3 Forge

Custom queries

Accessibility
Easy tasks
Forge Triage
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
My open issues
No feedback within 90 days
Open Bugs
Open issues of 10
Recently modified
Regressions
Stabilization Issues
Usability or UX

Actions

Copy link

Bug #85062

closed

TYPO3 8.7 [SYS][trustedHostsPattern] = SERVER_NAME

Added by Rene Tobias over 6 years ago. Updated over 6 years ago.

Status:

Rejected

Priority:

Should have

Assignee:

Category:

Target version:

Start date:

2018-05-22

Due date:

% Done:

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

Hello,

we have following problem in error log:

PHP Fatal error: Uncaught
UnexpectedValueException: The current host header value does not match the configured
trusted hosts pattern! Check the pattern defined in
$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] and adapt it, if you want to
allow the current host header 'http://www.mydomain.si./' for your installation. in
/var/www/html/typo3_source/typo3_src-8.7.12/typo3/sysext/core/Classes/Utility/GeneralUtility.php:29

So every time someone (bot...) wants to access following link http://www.mydomain.si*.*/ we get this php error.

The easy solution is to set 'trustedHostsPattern' => '.*' My question: why is 'trustedHostsPattern' => '.*' in TYPO3 defined as "not recommended because it is insecure"? Is that really so? And why?

History
Notes
Property changes

Actions

Copy link

Updated by Rene Tobias over 6 years ago

Description updated (diff)

Actions

Copy link

Updated by Michael Stucki over 6 years ago

Tracker changed from Support to Bug
Project changed from 9 to TYPO3 Core
Category deleted (~~Support~~)
TYPO3 Version set to 8

Wrong project.

Actions

Copy link

Updated by Wouter Wolters over 6 years ago

Status changed from New to Rejected

Hi, this is more a support question but here is some information. For further help please try to get some help on Slack, Stackoverflow or our Forum.

The explanation about Trusted Host Pattern can be found in te Security Documentation of TYPO3.

TYPO3 uses the HTTP header "Host:" to generate absolute URLs in several places such as 404 handling, http(s) enforcement, password reset links and many more. Since the host header itself is provided by the client, it can be forged to any value, even in a name based virtual hosts environment.

The "trustedHostsPattern" configuration option can contain either the value SERVER_NAME or a regular expression pattern that matches all host names that are considered trustworthy for the particular TYPO3 installation. "SERVER_NAME" is the default value and with this option value in effect, TYPO3 checks the currently submitted host-header against the SERVER_NAME variable. Please see security bulletin TYPO3-CORE-SA-2014-001 (https://typo3.org/security/advisory/typo3-core-sa-2014-001/) for further details about specific setups.

If the "Host:" header also contains a non-standard port, the configuration must include this value, too. This is especially important for the default value "SERVER_NAME" as provided ports are checked against SERVER_PORT which fails in some more complex load balancing or SSL termination scenarios.

The PHP variable reads: $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']

Actions

Copy link

Updated by Danilo Godec over 6 years ago

Priority changed from Could have to Should have

Wouter Wolters wrote:

The "trustedHostsPattern" configuration option can contain either the value SERVER_NAME or a regular expression pattern that matches all host names that are considered trustworthy for the particular TYPO3 installation. "SERVER_NAME" is the default value and with this option value in effect, TYPO3 checks the currently submitted host-header against the SERVER_NAME variable. Please see security bulletin TYPO3-CORE-SA-2014-001 (https://typo3.org/security/advisory/typo3-core-sa-2014-001/) for further details about specific setups.

Apparently the trailing dot is a valid part of fully-qualified DNS domain name (http://www.dns-sd.org/trailingdotsindomainnames.html), so wouldn't it make sense for Typo3 / "SERVER_NAME" to consider these valid as well?

http://www.example.com/ and http://www.example.com./ should both work even if it's Typo3...

Actions

Copy link

Updated by Rene Tobias over 6 years ago

Danilo Godec wrote:

Wouter Wolters wrote:

The "trustedHostsPattern" configuration option can contain either the value SERVER_NAME or a regular expression pattern that matches all host names that are considered trustworthy for the particular TYPO3 installation. "SERVER_NAME" is the default value and with this option value in effect, TYPO3 checks the currently submitted host-header against the SERVER_NAME variable. Please see security bulletin TYPO3-CORE-SA-2014-001 (https://typo3.org/security/advisory/typo3-core-sa-2014-001/) for further details about specific setups.

Apparently the trailing dot is a valid part of fully-qualified DNS domain name (http://www.dns-sd.org/trailingdotsindomainnames.html), so wouldn't it make sense for Typo3 / "SERVER_NAME" to consider these valid as well?

http://www.example.com/ and http://www.example.com./ should both work even if it's Typo3...

I agree with you @Danilo Godec.

Actions

Copy link

Updated by Christian Kuhn over 6 years ago

Thanks for your thoughts.

I think the 'ends with dot is identical to does-not-end-with-dot' scenario is a pretty theoretical scenario without much practical use. The fact that this is allowed per-RFC is probably very widely unknown. I'd go so far to assume the 'bot' you're mentioning above could be some malicious test script that checks systems for possible sec issues in this area, at least I wouldn't be baffled if it turns out to be like that.

I guess for your customers it has zero benefit if we add the dot at the end to match, too. Thus, I'd rate this issue very low without any priority, that's more a nerdy detail to me.

Maybe you have a similar view on this. Feel free to propose a change in this area if this has practical use for you, though.

Actions

Copy link

Updated by Danilo Godec over 6 years ago

Christian Kuhn wrote:

Thanks for your thoughts.

I think the 'ends with dot is identical to does-not-end-with-dot' scenario is a pretty theoretical scenario without much practical use.

After upgrading from Typo3 6 to Typo3 8 we started noticing PHP errors regarding 'trustedHostsPattern' and upon investigation we discovered that some people link to our site with the trailing dot. I don't know if these errors were present before and unfortunately, I can't check anymore.

Our first reaction was "let's just ignore this, it's their mistake", but apparently it should work.

Actions

Copy link

Updated by Danilo Godec over 6 years ago

Just in case anyone's interested - we implemented a workaround with Apache mod_rewrite:

RewriteCond ^(.+?)\.$
RewriteRule ^ %{REQUEST_SCHEME}://%1{REQUEST_URI} [L,R=302,NE]

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Bug #85062

TYPO3 8.7 [SYS][trustedHostsPattern] = SERVER_NAME

Updated by Rene Tobias over 6 years ago

Updated by Michael Stucki over 6 years ago

Updated by Wouter Wolters over 6 years ago

Updated by Danilo Godec over 6 years ago

Updated by Rene Tobias over 6 years ago

Updated by Christian Kuhn over 6 years ago

Updated by Danilo Godec over 6 years ago

Updated by Danilo Godec over 6 years ago