What does $config->httpHosts do?


DrQuincy

In site/config I always thought $config->httpHosts was a list of HTTP hosts that were allowed to run the site. E.g. if domain1.com, www.domain1.com, domain2.com and www.domain2.com were all pointing to the web root and you only had ['domain1.com', 'www.domain1.com'] in $config->httpHosts then it prevents domain2.com and www.domain2.com from being allowed on the site (so you'd redirect them site-wide via .htaccess instead).

But I have just been playing around with it and it doesn't seem to make a difference what the values of this array are.

What does $config->httpHosts do exactly?

Thanks.


1 hour ago, DrQuincy said:

What does $config->httpHosts do exactly?

Nearly nothing. Displays a warning in the backend and "HTML Markup Quality Assurance" displays a message in debug mode when sleepLinks() detects an absolute URL in a textarea field that does not refer to an allowed host.


However, you can add functionality to check the current host.

$this->wire('config')->httpHost

https://processwire.com/api/ref/config/#pwapi-methods-HTTP-and-input
https://processwire.com/docs/start/variables/config/#httphosts


2 hours ago, DrQuincy said:

(so you'd redirect them site-wide via .htaccess instead).

If you need redirecting to the final domain name, you may have a look at this snippet. But you have to add it manually somewhere at the top of your root .htaccess file.

################################################################################
# Force the domain name
#
<IfModule mod_rewrite.c>

    RewriteEngine On
    AddDefaultCharset UTF-8

    # Redirect the bare domain and the listed variations to the final domain name
    RewriteCond %{HTTP_HOST} ^example\.com                     [OR]
    RewriteCond %{HTTP_HOST} ^example-variation\.com           [OR]
    RewriteCond %{HTTP_HOST} ^www\.example-variation\.com
    RewriteRule ^(.*)$ https://www.example.com/$1              [L,R=301]

    # Redirect plain HTTP requests to HTTPS on the same host
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}        [L,R=301]

</IfModule>
#
################################################################################

 

  • Like 3

Probably worth mentioning that since this setting prevents ProcessWire from using unfamiliar hosts in output, it's actually pretty important:

  • Let's say that your server was configured to serve your site with any host that a visitor happens to provide. (I've seen this happen, but admittedly it's a major configuration fumble.)
  • Someone points some-weird-and-perhaps-malicious-domain.tld to your site, and then visits the site using said domain. This could be intentional, or even an accident (again this is something I've seen happen, as weird as it may sound.)
  • Finally some code — your own, or perhaps code from a third party module, or even some core feature — asks ProcessWire for the full hostname, and makes use of it in output.

Now, if the $config->httpHosts setting didn't exist, ProcessWire would have no way to know which domains are valid, and it would just have to trust that the domain specified by the user is indeed a valid one. Any output using this potentially malicious domain could then get cached, leading to various cache poisoning related issues: redirecting other visitors to this domain, or perhaps making the visitor or ProcessWire itself unknowingly send private data there, thus granting a third party access to it.

 

  • Like 7

  • 6 months later...

Sorry to necro an old post, but I was searching for a pointer on a PW .htaccess config ( @horst's post above super useful btw thanks).

@teppo your reply got me thinking - wouldn't it therefore be useful/better if PW were to auto redirect any invalid host requests back to the first domain in the httpHosts array rather than successfully loading the page for the reasons you've outlined - or maybe it should throw an error?

I get that it picks it up in debug mode or when you're logged into dashboard, but maybe not ever showing someone a page using an unlisted host on the frontend would be safer?

On 7/31/2020 at 1:47 PM, teppo said:

Probably worth mentioning that since this setting prevents ProcessWire from using unfamiliar hosts in output, it's actually pretty important:

  • Let's say that your server was configured to serve your site with any host that a visitor happens to provide. (I've seen this happen, but admittedly it's a major configuration fumble.)
  • Someone points some-weird-and-perhaps-malicious-domain.tld to your site, and then visits the site using said domain. This could be intentional, or even an accident (again this is something I've seen happen, as weird as it may sound.)
  • Finally some code — your own, or perhaps code from a third party module, or even some core feature — asks ProcessWire for the full hostname, and makes use of it in output.

Now, if the $config->httpHosts setting didn't exist, ProcessWire would have no way to know which domains are valid, and it would just have to trust that the domain specified by the user is indeed a valid one. Any output using this potentially malicious domain could then get cached, leading to various cache poisoning related issues: redirecting other visitors to this domain, or perhaps making the visitor or ProcessWire itself unknowingly send private data there, thus granting a third party access to it.

 

 

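The host check discussed in the thread (teppo's scenario of an unlisted host ending up in output, and the follow-up question about redirecting or rejecting such requests), as an added example that is not part of the original posts and is not ProcessWire's own code. The function names and the sample allow-list are hypothetical; `ALLOWED_HOSTS` stands in for `$config->httpHosts`, with the first entry treated as the canonical host.

```php
<?php
declare(strict_types=1);

// Constructed allow-list in the shape of $config->httpHosts (assumption: first entry is canonical).
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

/** Normalise a raw Host header; null if it is not a plain hostname with optional port. */
function normaliseHost(?string $raw): ?string {
    $host = strtolower(trim((string) $raw));
    // Hostname characters plus an optional numeric port only; IPv6 literals are rejected too.
    return preg_match('/^[a-z0-9.-]+(:\d{1,5})?$/D', $host) === 1 ? $host : null;
}

/**
 * Hypothetical front-door decision for a request.
 * Returns [status, Location or null]: 200 serve, 301 redirect to canonical host, 400 reject.
 */
function hostDecision(?string $rawHost, string $requestUri, array $allowed): array {
    $host = normaliseHost($rawHost);
    if ($host === null) {
        return [400, null];                    // malformed Host header
    }
    if (in_array($host, $allowed, true)) {
        return [200, null];                    // listed host: serve normally
    }
    // Unlisted host: never echo it back; send the visitor to the first listed host.
    $path = '/' . ltrim($requestUri, '/');     // keep exactly one leading slash
    return [301, 'https://' . $allowed[0] . $path];
}

/** Absolute URL for output (e-mails, canonical tags, cached markup): allow-listed host only. */
function absoluteUrl(?string $rawHost, string $path, array $allowed): string {
    $host = normaliseHost($rawHost);
    $trusted = ($host !== null && in_array($host, $allowed, true)) ? $host : $allowed[0];
    return 'https://' . $trusted . '/' . ltrim($path, '/');
}

// Constructed sample requests: a listed host, an unlisted one, and a malformed header.
$samples = ['example.com', 'some-weird-domain.tld', "www.example.com\r\nX-Injected: 1"];
foreach ($samples as $h) {
    [$status, $location] = hostDecision($h, '/about/', ALLOWED_HOSTS);
    printf("%-28s -> %d %s | link: %s\n", json_encode($h), $status, $location ?? '-',
        absoluteUrl($h, '/reset/', ALLOWED_HOSTS));
}
```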
