Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Absolute URL can be spoofed via Host header. #12

Open
Arinerron opened this issue May 5, 2017 · 1 comment
Open

[Security] Absolute URL can be spoofed via Host header. #12

Arinerron opened this issue May 5, 2017 · 1 comment
Assignees
@Arinerron
Labels
backend bug security
Milestone
Alpha

Comments

@Arinerron
Copy link
Member

teendevops-web/includes/functions.php

Line 35 in 2efe265

return ((!gone(HTTPS) ? 'https' : 'http') .'://' . (!gone(SITE) ? SITE : (!gone($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : (!gone($_SERVER['SERVER_NAME']) ?$_SERVER['SERVER_NAME'] : 'localhost'))) .(substr($request, 0, 1) !== '/' ? '/' : '') . $request);

@Arinerron Arinerron added this to the Alpha milestone May 5, 2017
@Arinerron Arinerron self-assigned this May 5, 2017
@crablab
Copy link

crablab commented May 10, 2017

That's just a really horrible way to do it anyway...
Try using Apache rewrites instead

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Arinerron Arinerron

Labels
backend bug security
Projects
None yet
Milestone
Alpha
Development

No branches or pull requests
2 participants
@Arinerron @crablab