
production site: all admin view links showing to localhost...



I have the actual version of pw,

I had my pw installation at my localhost and copied 2 days ago everything to my production server,

everything ok... but today I noticed that all *view page* links in the admin are showing to my localhost...


@gunter: see if httpHosts setting is in place in your /site/config.php and contains only "localhost", that's the most likely culprit.

Ryan: if you're reading this and if aforementioned really is the problem here, I'd say that this is an issue that should be dealt with.. personally I'm against this whole setting (I'm seeing more issues than benefits there), but at least it should stay out of way as far as possible -- opt-in instead of opt-out.

  • Like 4

An HTTP hosts whitelist is important from a security aspect because http_host comes from the request rather than from the server... Meaning it can be forged. Maybe not a big deal since we always sanitize it, until you are dealing with cache, which then opens up the possibility of cache poisoning for any page that makes use of the http host. Imagine a hacker priming your cache with their own URL. Unfortunately, PHP's safe server_name variable is not reliable enough to reflect the potential diversity of http host names. So the only safe thing to do is to have a whitelist. If you aren't using the whitelist, I recommend adding it to your config.php.

It's actually a little unusual for the http host to be used in PW because usually you'd just use the url() methods, which just output paths and not hosts. There's really no reason to use httpUrl() in most cases. So if you are using it, double check that you need to - it's extra unnecessary bytes unless you need to switch hostnames or schema. But with the next version of ProCache supporting multi-hosts, having an http host whitelist is now absolutely necessary.

  • Like 1

Isn't host header exactly what the server uses to decide which site, if any, to serve.. or could it be that this is specific to virtual host setups? Those have been the most efficient option for me so far, so I haven't really had to set anything else up, which could explain why I'm having trouble following you here. With that kind of setup your vhost files include all possible hosts for each site, in which case whole httpHosts whitelist seems unnecessary (and even confusing) repetition :)

Just gave this a try on my own site by providing dummy host header (testing via telnet) and that -- as expected -- resulted in Apache default page showing up. I'm not seeing how anyone could use that for their benefit. Then again, if this isn't always the case, there definitely could be potential for abuse.

Also: the problem, as explained by @gunter, is with ProcessPageEdit; it uses httpUrl for view links. That does seem a bit weird, so perhaps it's a leftover or something?


Thanks for that! I stand corrected; I did not know that requesting an absolute URI would result in Host header being ignored. That's quite interesting -- or "frightening" even, as one commenter there pointed out about the whole thing.

Now the only thing I'm not getting here is that wouldn't it, in this case, make more sense to look for an absolute URI in REQUEST_URI and if found, use that instead of host header? I guess this wouldn't solve the problem for various dedicated hosting setups, though, so perhaps it's not really viable "global" solution.

I guess I'm mostly annoyed about having to keep an up-to-date list of hosts in multiple places instead of letting Apache take care of that. So much potential for unexpected misconfigurations :)

admin view can switch from http to https

httpUrl necessary

This is exactly what I don't understand -- why would I want to redirect user from HTTPS to HTTP when "view" is clicked? Not much of a problem usually, but I find it a bit strange :)

.. and back to the original topic:

Personally I still feel that this is a problem. When installed locally, PW offers "localhost" as the default httpHosts value. That's fine until you move the site to your web host and suddenly things won't work. I'm afraid that a lot of people won't really think twice about that setting or even remember it exists.

Of course it might be just me who's got such a crappy memory, but I wouldn't be surprised if topics like this started popping up quite often. Not sure if there's any bulletproof solution to this, though (other than making this an optional security setting, that is -- and making security "optional" always sounds awful).


  • 1 month later...

So, is the solution to the original question to add domain names to the whitelist in config.php, like below?

// Installer: HTTP Hosts Whitelist
$config->httpHosts = array('localhost', 'example.com', 'www.example.com');

@etling: that's right, include the domains you'll want to use this site with there and things should work just fine.

@bwakad: sorry, I'm not really sure what you're saying there, but whatever domains your site uses need to be included in httpHosts config setting. It's that simple.


  • 3 months later...

I had ('localhost','www.domain.net') and it still said localhost in the view links and admin pages <title>, then I switched their order and now the links are going to www.domain.net/~username... How do I get rid of the ~username part?


  • 1 year later...

Bumping this old thread to shine some light on an obscure fact about that whitelist for domain names. Here's my story:

Moved site from development server to real server. Some users (not all) reported View links sending them to the development server. Never happened to other users.

Clearing browser cache did not help. Dumping DB and searching text for the development server domain name did not turn up anything. The only place I could find the development server domain name was in the config file in the array defining $config->httpHosts.

Documentation calls $config->httpHosts a whitelist so I assumed I could put both the dev and real domain names in the list and maintain a single config file to use in both places.

It's not just a whitelist!!

The source code of ProcessWire.php explains that if you have not explicitly set $config->httpHost (note: no "s" on end) and the PHP vars for $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] don't match anything in $config->httpHosts (with "s") the getHttpHost function defaults to...

"no valid host found, default to first in whitelist"

The server's environment variables had the domain with www on it but the server accepts URLs with or without the www and people use either one. My dev site was the first one in the list.

  • Like 5
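
The behaviour discussed in this thread (the whitelist check for a request-supplied host, and the first-entry fallback quoted above), as an added example that is not part of any post and is not ProcessWire's source. `resolveHttpHost()`, its parameters, the order in which the two server variables are checked, and all sample host names are assumptions made for illustration.

```php
<?php
// Simplified model for illustration only; not ProcessWire's getHttpHost().
// resolveHttpHost() and its parameter names are hypothetical.

/**
 * Choose the host used when building absolute URLs.
 *
 * @param array  $server    Subset of $_SERVER; HTTP_HOST is client-controlled.
 * @param array  $httpHosts Whitelist, as in $config->httpHosts.
 * @param string $httpHost  Explicit value, as in $config->httpHost ('' = unset).
 */
function resolveHttpHost(array $server, array $httpHosts, string $httpHost = ''): string
{
    if ($httpHost !== '') {
        return $httpHost; // explicit setting: nothing from the request is used
    }
    $allowed = array_map('strtolower', $httpHosts);
    foreach (['SERVER_NAME', 'HTTP_HOST'] as $key) { // check order is an assumption
        $candidate = strtolower(trim($server[$key] ?? ''));
        if ($candidate !== '' && in_array($candidate, $allowed, true)) {
            return $candidate; // only an exact whitelist match is accepted
        }
    }
    // "no valid host found, default to first in whitelist"
    return $allowed[0] ?? '';
}

// Constructed sample requests (host names are placeholders).
$requests = [
    'listed www host'    => ['SERVER_NAME' => 'www.example.com', 'HTTP_HOST' => 'www.example.com'],
    'unlisted non-www'   => ['SERVER_NAME' => 'example.com',     'HTTP_HOST' => 'example.com'],
    'forged Host header' => ['SERVER_NAME' => '_',               'HTTP_HOST' => 'attacker.example'],
];

// Two whitelists: the development host first, then the production hosts first.
$whitelists = [
    'dev first'        => ['dev.example.com', 'www.example.com'],
    'production first' => ['www.example.com', 'example.com'],
];

foreach ($whitelists as $name => $hosts) {
    echo "Whitelist ($name): " . implode(', ', $hosts) . "\n";
    foreach ($requests as $label => $server) {
        printf("  %-20s -> %s\n", $label, resolveHttpHost($server, $hosts));
    }
}
```

With the development host listed first, every request whose host is not an exact whitelist match resolves to the development host, which is the symptom described in the post above. A forged host is never echoed back in either configuration.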

@SteveB: thanks for sharing this. Generally speaking I'd advise against a setup where the site can be accessed with both www and non-www domain – for reasons that include SEO considerations, caching, and consistency in general – but there are many situations where multiple httpHosts can (and should) be present and this kind of situation might occur, in which case it's good to keep this feature in mind :)

  • Like 2