[TASK] Add HTTP host header injection check to reports module
In case the web server scenario is not properly configured to deny HTTP host header injection, and the trustedHostsPattern is not explicit enough, a corresponding check in the reports module will issue an error message like

* HTTP_HOST contained unexpected "a0a3aa2f59.random.example.org"
* SERVER_NAME contained unexpected "a0a3aa2f59.random.example.org"

Using the configuration directive `UseCanonicalName On` for Apache web server environments mitigates the risk.

Resolves: #99347
Releases: main, 11.5, 10.4
Change-Id: Iaafd136fd817a0722f482d1d0e6b198382e40e3d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77038
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>
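The following is an added example, not code from this change or from TYPO3 core. It models the probe the commit message describes: the reports module sends a request whose Host header is a random host name and flags every server variable that echoes it back. The helper names (`isTrustedHost`, `simulateRequest`, `probeHostHeaderInjection`), the constructed probe host and server name, and the way `SERVER_NAME` is populated depending on `UseCanonicalName` are assumptions made for the example; the `trustedHostsPattern` semantics (`SERVER_NAME`, `.*`, or an anchored regular expression) are modelled on TYPO3's documented behaviour, not copied from its implementation.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code. Helper names, the probe host and the
// server name are constructed for illustration.

/**
 * Models trustedHostsPattern handling (assumption, modelled on TYPO3's documented
 * semantics): 'SERVER_NAME' requires HTTP_HOST to equal SERVER_NAME (an optional
 * :port is ignored), '.*' disables the check, anything else is treated as an
 * anchored, case-insensitive regular expression.
 */
function isTrustedHost(array $server, string $trustedHostsPattern): bool
{
    $hostHeader = $server['HTTP_HOST'] ?? '';
    if ($trustedHostsPattern === '.*') {
        return true;
    }
    if ($trustedHostsPattern === 'SERVER_NAME') {
        $host = preg_replace('/:\d+$/', '', $hostHeader);
        return strcasecmp($host, $server['SERVER_NAME'] ?? '') === 0;
    }
    return preg_match('/^(' . $trustedHostsPattern . ')$/i', $hostHeader) === 1;
}

/**
 * Builds a $_SERVER-like array for a request carrying an injected Host header.
 * With UseCanonicalName Off (Apache's default) SERVER_NAME is derived from the
 * client's Host header; with UseCanonicalName On it is the configured ServerName.
 */
function simulateRequest(string $injectedHost, string $serverName, bool $useCanonicalName): array
{
    return [
        'HTTP_HOST'   => $injectedHost,
        'SERVER_NAME' => $useCanonicalName ? $serverName : $injectedHost,
    ];
}

/**
 * Returns the report messages for one probe, worded like the ones quoted in the
 * commit message. An empty array means the injected host was refused by
 * trustedHostsPattern before any application code could see it.
 */
function probeHostHeaderInjection(array $server, string $trustedHostsPattern, string $probeHost): array
{
    if (!isTrustedHost($server, $trustedHostsPattern)) {
        return [];
    }
    $errors = [];
    foreach (['HTTP_HOST', 'SERVER_NAME'] as $variable) {
        if (($server[$variable] ?? '') === $probeHost) {
            $errors[] = sprintf('%s contained unexpected "%s"', $variable, $probeHost);
        }
    }
    return $errors;
}

// Constructed probe host, shaped like the one quoted in the commit message.
$probeHost  = 'a0a3aa2f59.random.example.org';
$serverName = 'www.example.org';

$scenarios = [
    'UseCanonicalName Off, trustedHostsPattern=SERVER_NAME' =>
        [simulateRequest($probeHost, $serverName, false), 'SERVER_NAME'],
    'UseCanonicalName On,  trustedHostsPattern=SERVER_NAME' =>
        [simulateRequest($probeHost, $serverName, true), 'SERVER_NAME'],
    'UseCanonicalName Off, loose pattern .*\.example\.org' =>
        [simulateRequest($probeHost, $serverName, false), '.*\.example\.org'],
    'UseCanonicalName Off, explicit pattern www\.example\.org' =>
        [simulateRequest($probeHost, $serverName, false), 'www\.example\.org'],
];

foreach ($scenarios as $label => [$server, $pattern]) {
    $errors = probeHostHeaderInjection($server, $pattern, $probeHost);
    $report = ($errors === []) ? 'OK' : PHP_EOL . '  * ' . implode(PHP_EOL . '  * ', $errors);
    echo $label, ': ', $report, PHP_EOL;
}
```

Only the first and third scenarios produce the two messages from the commit message. With the default `trustedHostsPattern` of `SERVER_NAME`, the check passes as soon as Apache copies the injected Host header into `SERVER_NAME`, which is exactly what `UseCanonicalName On` (together with an explicit `ServerName`) prevents; an explicit pattern closes the same gap on the application side regardless of the web server setting.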
Showing 5 changed files:

- typo3/sysext/backend/Classes/Middleware/BackendUserAuthenticator.php (1 addition, 0 deletions)
- typo3/sysext/core/Documentation/Changelog/9.5.x/Feature-91354-IntegrateServerResponseSecurityChecks.rst (5 additions, 0 deletions)
- typo3/sysext/install/Classes/Controller/ServerResponseCheckController.php (57 additions, 0 deletions)
- typo3/sysext/install/Classes/SystemEnvironment/ServerResponse/ServerResponseCheck.php (44 additions, 1 deletion)
- typo3/sysext/install/Configuration/Backend/Routes.php (6 additions, 0 deletions)