
production site: all admin view links showing to localhost...


I have the actual version of pw,

I had my pw installation at my localhost and copied 2 days ago everything to my production server,

everything ok... but today I noticed that all *view page* links in the admin are showing to my localhost...


@gunter: see if httpHosts setting is in place in your /site/config.php and contains only "localhost", that's the most likely culprit.

Ryan: if you're reading this and if aforementioned really is the problem here, I'd say that this is an issue that should be dealt with.. personally I'm against this whole setting (I'm seeing more issues than benefits there), but at least it should stay out of way as far as possible -- opt-in instead of opt-out.

  • Like 3


hm, thanks a lot!!! I changed it to array('') ...and it works now!


/**
 * Installer: HTTP Hosts Whitelist
 *
 */
$config->httpHosts = array('localhost');
 


An HTTP hosts whitelist is important from a security aspect because http_host comes from the request rather than from the server... Meaning it can be forged. Maybe not a big deal since we always sanitize it, until you are dealing with cache, which then opens up the possibility of cache poisoning for any page that makes use of the http host. Imagine a hacker priming your cache with their own URL. Unfortunately, PHP's safe server_name variable is not reliable enough to reflect the potential diversity of http host names. So the only safe thing to do is to have a whitelist. If you aren't using the whitelist, I recommend adding it to your config.php.

It's actually a little unusual for the http host to be used in PW because usually you'd just use the url() methods, which just output paths and not hosts. There's really no reason to use httpUrl() in most cases. So if you are using it, double check that you need to - it's extra unnecessary bytes unless you need to switch hostnames or schema. But with the next version of ProCache supporting multi-hosts, having an http host whitelist is now absolutely necessary.

  • Like 1


Isn't host header exactly what the server uses to decide which site, if any, to serve.. or could it be that this is specific to virtual host setups? Those have been the most efficient option for me so far, so I haven't really had to set anything else up, which could explain why I'm having trouble following you here. With that kind of setup your vhost files include all possible hosts for each site, in which case whole httpHosts whitelist seems unnecessary (and even confusing) repetition :)

Just gave this a try on my own site by providing dummy host header (testing via telnet) and that -- as expected -- resulted in Apache default page showing up. I'm not seeing how anyone could use that for their benefit. Then again, if this isn't always the case, there definitely could be potential for abuse.

Also: the problem, as explained by @gunter, is with ProcessPageEdit; it uses httpUrl for view links. That does seem a bit weird, so perhaps it's a leftover or something?


Thanks for that! I stand corrected; I did not know that requesting an absolute URI would result in Host header being ignored. That's quite interesting -- or "frightening" even, as one commenter there pointed out about the whole thing.

Now the only thing I'm not getting here is that wouldn't it, in this case, make more sense to look for an absolute URI in REQUEST_URI and if found, use that instead of host header? I guess this wouldn't solve the problem for various dedicated hosting setups, though, so perhaps it's not really viable "global" solution.

I guess I'm mostly annoyed about having to keep an up-to-date list of hosts in multiple places instead of letting Apache take care of that. So much potential for unexpected misconfigurations :)

admin.view can switch from http https

httpUrl necessary

This is exactly what I don't understand -- why would I want to redirect user from HTTPS to HTTP when "view" is clicked? Not much of a problem usually, but I find it a bit strange :)

.. and back to the original topic:

Personally I still feel that this is a problem. When installed locally, PW offers "localhost" as the default httpHosts value. That's fine until you move the site to your web host and suddenly things won't work. I'm afraid that a lot of people won't really think twice about that setting or even remember it exists.

Of course it might be just me who's got such a crappy memory, but I wouldn't be surprised if topics like this started popping up quite often. Not sure if there's any bulletproof solution to this, though (other than making this an optional security setting, that is -- and making security "optional" always sounds awful).


So, is the solution to the original question to add domain names to the whitelist in config.php, like below?

/**
 * Installer: HTTP Hosts Whitelist
 *
 */
$config->httpHosts = array('localhost','example.com','www.example.com');


I have mine set up as virtual hosts, actually two, if this matches my domain name then I presume it will be of no issue?


@etling: that's right, include the domains you'll want to use this site with there and things should work just fine.

@bwakad: sorry, I'm not really sure what you're saying there, but whatever domains your site uses need to be included in httpHosts config setting. It's that simple.


I had ('localhost','www.domain.net') and it still said localhost in the view links and admin pages <title>, then I switched their order and now the links are going to www.domain.net/~username... How do I get rid of the ~username part?


Sounds like you might need to add this to your .htaccess file. There are some commented examples already in that file.

RewriteBase /~username/


Bumping this old thread to shine some light on an obscure fact about that whitelist for domain names. Here's my story:


Moved site from development server to real server. Some users (not all) reported View links sending them to the development server. Never happened to other users.

Clearing browser cache did not help. Dumping DB and searching text for the development server domain name did not turn up anything. The only place I could find the development server domain name was in the config file in the array defining $config->httpHosts.

Documentation calls $config->httpHosts a whitelist so I assumed I could put both the dev and real domain names in the list and maintain a single config file to use in both places.

It's not just a whitelist!!

The source code of ProcessWire.php explains that if you have not explicitly set $config->httpHost (note: no "s" on end) and the PHP vars for $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] don't match anything in $config->httpHosts (with "s"), the getHttpHost function defaults to...

"no valid host found, default to first in whitelist"

The server's environment variables had the domain with www on it but the server accepts URLs with or without the www and people use either one. My dev site was the first one in the list.

  • Like 3
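The fallback described in the post above, together with the whitelist behaviour explained earlier in the thread, as an added PHP example that is not ProcessWire's source and not part of any post. The function name `resolveHttpHost`, the order of the SERVER_NAME / HTTP_HOST checks and all hostnames are assumptions made for illustration.

```php
<?php
// Simplified model of the host resolution described in this thread.
// Added example, not ProcessWire's own code; resolveHttpHost() and the
// order in which SERVER_NAME and HTTP_HOST are checked are assumptions.
function resolveHttpHost(array $httpHosts, array $server, string $httpHost = ''): string
{
    if ($httpHost !== '') {
        return $httpHost;               // explicit $config->httpHost wins
    }
    foreach (['SERVER_NAME', 'HTTP_HOST'] as $key) {
        $candidate = strtolower($server[$key] ?? '');
        if ($candidate !== '' && in_array($candidate, $httpHosts, true)) {
            return $candidate;          // request host is on the whitelist
        }
    }
    // "no valid host found, default to first in whitelist"
    return $httpHosts[0] ?? '';
}

// Constructed sample data: hostnames and request values are made up.
$devFirst  = ['dev.example.test', 'www.example.com'];
$prodFirst = ['www.example.com', 'example.com', 'dev.example.test'];

$requests = [
    'www visitor'       => ['SERVER_NAME' => 'www.example.com', 'HTTP_HOST' => 'www.example.com'],
    'bare-domain visit' => ['SERVER_NAME' => 'example.com', 'HTTP_HOST' => 'example.com'],
    'unlisted Host'     => ['SERVER_NAME' => 'unlisted.invalid', 'HTTP_HOST' => 'unlisted.invalid'],
];

// Compare what each whitelist ordering resolves to for the same request.
foreach ($requests as $label => $server) {
    printf("%-18s dev-first: %-18s prod-first: %s\n",
        $label,
        resolveHttpHost($devFirst, $server),
        resolveHttpHost($prodFirst, $server));
}
```

With the development host listed first, the bare-domain and unlisted requests both resolve to dev.example.test; with the production hosts listed first and both spellings present, the bare domain resolves to itself and the unlisted value falls back to www.example.com. In neither ordering is the unlisted request value itself returned.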


@SteveB: thanks for sharing this. Generally speaking I'd advise against a setup where the site can be accessed with both www and non-www domain – for reasons that include SEO considerations, caching, and consistency in general – but there are many situations where multiple httpHosts can (and should) be present and this kind of situation might occur, in which case it's good to keep this feature in mind :)

  • Like 2

