Conversation

@adaamz adaamz commented Jul 9, 2018

bug fix
BC break? yes

Hi,
it is better to identify the server host name by the secure directive SERVER_NAME, because HTTP_HOST is not secure and can be changed by the user.
https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html

@dg dg (Member) commented Apr 8, 2020

Why do you think SERVER_NAME can't be spoofed in the same way?

@adaamz adaamz (Author) commented Apr 8, 2020

@dg https://www.geeksforgeeks.org/what-is-the-difference-between-http_host-and-server_name-in-php/
SERVER_NAME should be obtained from the server configuration (hardcoded).
HTTP_HOST is obtained from the HTTP headers (which anybody can change).

@dg dg (Member) commented Apr 8, 2020

The question should have been different. Why would I want to see SERVER_NAME instead of a spoofed HTTP_HOST in the source line? HTTP_HOST better reflects what is in the address bar.

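A defender-side illustration of the point the PR description and the two replies above circle around (an added example, not code from this PR or the project): under Apache's default `UseCanonicalName Off`, SERVER_NAME is filled from the client's Host header too, so neither variable is trustworthy by itself and the request host should be validated against an allowlist of hosts the application is configured to serve. The `resolveTrustedHost` function, the allowlist and the sample `$_SERVER` arrays are all constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * Resolve the host a request is addressed to without trusting HTTP_HOST or
 * SERVER_NAME on their own: the value is normalised, syntax-checked, and then
 * must match one of the hosts this application is configured to serve.
 * Returns the canonical host (lowercase, port stripped) or null when the
 * request names a host we do not serve; callers should answer such a request
 * with a 400-class error rather than silently substituting another value.
 */
function resolveTrustedHost(array $server, array $allowedHosts): ?string
{
    // HTTP_HOST is what the browser sent (and shows in the address bar);
    // SERVER_NAME is used only when no Host header was sent at all (HTTP/1.0).
    $candidate = $server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? '';
    if ($candidate === '') {
        return null;
    }
    // Drop an optional :port suffix. A bracketed IPv6 literal ends in ']',
    // so its internal colons are left untouched.
    $host = strtolower(preg_replace('/:\d+$/', '', $candidate));

    // Accept only a plain hostname/IPv4 or a bracketed IPv6 literal. Anything
    // else (slashes, spaces, CR/LF, userinfo) is rejected before the allowlist.
    $label = '[a-z0-9](?:[a-z0-9-]*[a-z0-9])?';
    if (!preg_match("/^(?:{$label}\\.)*{$label}\$|^\\[[0-9a-f:.]+\\]\$/", $host)) {
        return null;
    }
    return in_array($host, $allowedHosts, true) ? $host : null;
}

// Constructed sample requests for this example (not captured traffic).
$allowed = ['example.com', 'www.example.com'];
$cases = [
    'legit'     => ['HTTP_HOST' => 'www.example.com',      'SERVER_NAME' => 'www.example.com'],
    'with_port' => ['HTTP_HOST' => 'Example.com:8443',     'SERVER_NAME' => 'example.com'],
    // Client sent a foreign Host header; with UseCanonicalName Off, Apache copies it into SERVER_NAME as well.
    'spoofed'   => ['HTTP_HOST' => 'attacker.example.net', 'SERVER_NAME' => 'attacker.example.net'],
    // Path-like junk in the header fails the syntax check before the allowlist is consulted.
    'malformed' => ['HTTP_HOST' => 'example.com/evil',     'SERVER_NAME' => 'example.com'],
    // HTTP/1.0 request without a Host header: fall back to the server's own name.
    'http10'    => ['SERVER_NAME' => 'example.com'],
];
foreach ($cases as $name => $server) {
    printf("%-10s %s\n", $name, resolveTrustedHost($server, $allowed) ?? 'REJECTED');
}
```

In a real deployment the allowlist comes from application configuration, and on nginx with PHP-FPM the value passed as SERVER_NAME is whatever `fastcgi_params` maps it to, so the allowlist check is the part that actually carries the security decision.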