pkp/pkp-lib#7649 Add support for allowed_hosts limits to avoid HOST h…

…eader injection
nibou230 · Feb 4, 2022 · 6d312b1 · 6d312b1
1 parent b119934
commit 6d312b1
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 0 deletions.
diff --git a/config.TEMPLATE.inc.php b/config.TEMPLATE.inc.php
@@ -93,6 +93,13 @@
 ; See FAQ for more details.
 restful_urls = Off
 
+; Restrict the list of allowed hosts to prevent HOST header injection.
+; See docs/README.md for more details. The list should be JSON-formatted.
+; An empty string indicates that all hosts should be trusted (not recommended!)
+; Example:
+; allowed_hosts = '["myjournal.tld", "anotherjournal.tld", "mylibrary.tld"]'
+allowed_hosts = ''
+
 ; Allow the X_FORWARDED_FOR header to override the REMOTE_ADDR as the source IP
 ; Set this to "On" if you are behind a reverse proxy and you control the X_FORWARDED_FOR
 ; Warning: This defaults to "On" if unset for backwards compatibility.

diff --git a/docs/README.md b/docs/README.md
@@ -60,6 +60,11 @@ A secure deployment can be best achieved by using the following policies:
 	backups of this directory should be roughly synchronized with
 	database backups.
 
+* Configure an "allowed_hosts" setting in config.inc.php in order to prevent
+	HOST header injection attacks. This setting should contain a JSON-
+	formatted list of all hostnames that the server should consider valid.
+	It is not necessary to list these when using the base_url[xyz]
+	settings; those are trusted implicitly.
 
 ## Installation
 

diff --git a/docs/RELEASE b/docs/RELEASE
@@ -10,6 +10,9 @@ Configuration Changes
 See config.TEMPLATE.inc.php for a description and examples of all supported
 configuration parameters.
 
+- An allowed_hosts option was added to protect against HOST injection attacks.
+  We recommend configuring this setting! See "Recommended Configuration" in
+  docs/README.md for details. (https://github.com/pkp/pkp-lib/issues/7649)
 - The captcha.captcha_on_login option for displaying a captcha challenge in
   the login interface has been added (default: on)
 

diff --git a/docs/release-notes/README-3.4.0 b/docs/release-notes/README-3.4.0
@@ -10,6 +10,9 @@ Configuration Changes
 See config.TEMPLATE.inc.php for a description and examples of all supported
 configuration parameters.
 
+- An allowed_hosts option was added to protect against HOST injection attacks.
+  We recommend configuring this setting! See "Recommended Configuration" in
+  docs/README.md for details. (https://github.com/pkp/pkp-lib/issues/7649)
 - The captcha.captcha_on_login option for displaying a captcha challenge in
   the login interface has been added (default: on)