Add app.trustedHosts config and force host checks on password reset (#5423)

Ben Thomson · Luke Towers · commit f638d3f78cfe · 2021-01-04T13:07:00.000-06:00
Add app.trustedHosts config and force host checks on backend password reset. Related: octobercms/library@f29865a (cherry picked from commit f555ab6)
diff --git a/config/app.php b/config/app.php
@@ -43,6 +43,36 @@
 
     'url' => 'http://localhost',
 
+    /*
+    |--------------------------------------------------------------------------
+    | Trusted hosts
+    |--------------------------------------------------------------------------
+    |
+    | You may specify valid hosts for your application as an array or boolean
+    | below. This helps prevent host header poisoning attacks.
+    |
+    | Possible values:
+    |  - `true`: Trust the host specified in app.url, as well as the "www"
+    |            subdomain, if applicable.
+    |  - `false`: Disable the trusted hosts feature.
+    |  - array: Defines the domains to be trusted hosts. Each item should be
+    |           a string defining a domain, IP address, or a regex pattern.
+    |
+    | Example of array values:
+    |
+    |    'trustedHosts' => [
+    |       'example.com',           // Matches just example.com
+    |       'www.example.com',       // Matches just www.example.com
+    |       '^(.+\.)?example\.com$', // Matches example.com and all subdomains
+    |       'https://example.com',   // Matches just example.com
+    |    ],
+    |
+    | NOTE: Even when set to `false`, this functionality is explicitly enabled
+    | on the Backend password reset flow for security reasons.
+    */
+
+    'trustedHosts' => true,
+
     /*
     |--------------------------------------------------------------------------
     | Application Timezone
diff --git a/modules/backend/controllers/Auth.php b/modules/backend/controllers/Auth.php
@@ -13,6 +13,7 @@
 use ValidationException;
 use Exception;
 use Config;
+use October\Rain\Foundation\Http\Middleware\CheckForTrustedHost;
 
 /**
  * Authentication controller
@@ -147,6 +148,20 @@ public function restore()
      */
     public function restore_onSubmit()
     {
+        // Force Trusted Host verification on password reset link generation
+        // regardless of config to protect against host header poisoning
+        $trustedHosts = Config::get('app.trustedHosts', false);
+        if ($trustedHosts === false) {
+            $hosts = CheckForTrustedHost::processTrustedHosts(true);
+
+            if (count($hosts)) {
+                Request::setTrustedHosts($hosts);
+
+                // Trigger the host validation logic
+                Request::getHost();
+            }
+        }
+
         $rules = [
             'login' => 'required|between:2,255'
         ];
