From a498dedb5c1a0d44fd00b7d0a8e581734bc1377b Mon Sep 17 00:00:00 2001
From: Carsten Brandt
Date: Sat, 26 Nov 2016 21:57:52 +0100
Subject: [PATCH] Added documentation about Host header attack (#13073)

* Added documentation about Host header attack

Added info about Host header attack (#13050) to the guide and the Request class.

When we introduce a filter or property to protect against this, these sections should be updated to link to that option.
---
 docs/guide/security-best-practices.md | 22 ++++++++++++++++++++++
 framework/web/Request.php | 19 ++++++++++++++++++-
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/docs/guide/security-best-practices.md b/docs/guide/security-best-practices.md
index 6c04c930e56..4b7d6c97899 100644
--- a/docs/guide/security-best-practices.md
+++ b/docs/guide/security-best-practices.md
@@ -221,3 +221,25 @@ provided by H5BP project:
 - [Apache](https://github.com/h5bp/server-configs-apache).
 - [IIS](https://github.com/h5bp/server-configs-iis).
 - [Lighttpd](https://github.com/h5bp/server-configs-lighttpd).
+
+Secure Server configuration
+---------------------------
+
+The purpose of this section is to highlight risks that need to be considered when creating a
+server configuration for serving a Yii based website. Besides the points covered here there may
+be other security related configuration options to be considered, so do not consider this section to
+be complete.
+
+### Avoiding `Host`-header attacks
+
+Classes like [[yii\web\UrlManager]] and [[yii\helpers\Url]] may use the [[yii\web\Request::getHostInfo()|currently requested host name]]
+for generating links.
+If the webserver is configured to serve the same site independent of the value of the `Host` header, this information may not be reliable
+and [may be faked by the user sending the HTTP request](https://www.acunetix.com/vulnerabilities/web/host-header-attack).
+In such situations you should either fix your webserver configuration to serve the site only for specified host names
+or explicitly set or filter the value by setting the [[yii\web\Request::setHostInfo()|hostInfo]] property of the `request` application component.
+
+For more information about the server configuration, please refer to the documentation of your webserver:
+
+- Apache 2:
+- Nginx:
diff --git a/framework/web/Request.php b/framework/web/Request.php
index 7bd5abd4640..94a73d40c05 100644
--- a/framework/web/Request.php
+++ b/framework/web/Request.php
@@ -529,9 +529,25 @@ public function getQueryParam($name, $defaultValue = null)
 /**
 * Returns the schema and host part of the current request URL.
+ *
 * The returned URL does not have an ending slash.
- * By default this is determined based on the user request information.
+ *
+ * By default this value is based on the user request information. This method will
+ * return the value of `$_SERVER['HTTP_HOST']` if it is available or `$_SERVER['SERVER_NAME']` if not.
+ * You may want to check out the [PHP documentation](http://php.net/manual/en/reserved.variables.server.php)
+ * for more information on these variables.
+ *
 * You may explicitly specify it by setting the [[setHostInfo()|hostInfo]] property.
+ *
+ * > Warning: Dependent on the server configuration this information may not be
+ * > reliable and [may be faked by the user sending the HTTP request](https://www.acunetix.com/vulnerabilities/web/host-header-attack).
+ * > If the webserver is configured to serve the same site independent of the value of
+ * > the `Host` header, this value is not reliable. In such situations you should either
+ * > fix your webserver configuration or explicitly set the value by setting the [[setHostInfo()|hostInfo]] property.
+ *
+ * @property string|null schema and hostname part (with port number if needed) of the request URL
+ * (e.g. `http://www.yiiframework.com`), null if can't be obtained from `$_SERVER` and wasn't set.
+ * See [[getHostInfo()]] for security related notes on this property.
 * @return string|null schema and hostname part (with port number if needed) of the request URL
 * (e.g. `http://www.yiiframework.com`), null if can't be obtained from `$_SERVER` and wasn't set.
 * @see setHostInfo()
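Review bot: The new docblock documents the fallback to `$_SERVER['SERVER_NAME']`, but the warning paragraph below it only talks about the `Host` header, which leaves the impression that the fallback is a trustworthy source; as far as I recall, Apache with `UseCanonicalName Off` (its default) also fills `SERVER_NAME` from the request's `Host` header, so the caveat applies to both variables. I would extend the warning with one more line, e.g. ` * > Note that `$_SERVER['SERVER_NAME']` is not necessarily safer, since some servers derive it from the same header.`. The warning also offers only a fixed `hostInfo` as the remedy, which a site legitimately served under several host names cannot use; until the filter mentioned in the commit message exists, the docblock could state that the value should be checked against an allowlist of expected host names before it is used to build absolute URLs. The body of getHostInfo() lies after the end of this hunk, so the actual `HTTP_HOST`/`SERVER_NAME` selection could not be checked here.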
@@ -560,6 +576,7 @@ public function getHostInfo()
 * This setter is provided in case the schema and hostname cannot be determined
 * on certain Web servers.
 * @param string|null $value the schema and host part of the application URL. The trailing slashes will be removed.
+ * @see getHostInfo() for security related notes on this property.
 */
 public function setHostInfo($value)
 {