Helpers: take host name from SERVER_NAME instead of HTTP_HOST by adaamz · Pull Request #309 · nette/tracy · GitHub

Helpers: take host name from SERVER_NAME instead of HTTP_HOST #309

Closed
adaamz wants to merge 10 commits into nette:master from adaamz:patch-1

adaamz commented Jul 9, 2018

bug fix
BC break? yes

Hi,
It is better to identify the server host name by the secure directive SERVER_NAME, because HTTP_HOST is not secure and can be changed by the user.
https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html

dg added this to the v3.0 milestone Feb 17, 2019

dg (Member) commented Apr 8, 2020

Why do you think SERVER_NAME can't be spoofed in the same way?

adaamz (Author) commented Apr 8, 2020

@dg https://www.geeksforgeeks.org/what-is-the-difference-between-http_host-and-server_name-in-php/
SERVER_NAME should be obtained from server configuration (hardcoded)
HTTP_HOST is obtained from HTTP headers (which anybody can change)

dg (Member) commented Apr 8, 2020

The question should have been different. Why would I like to see SERVER_NAME instead of a spoofed HTTP_HOST in the source line? HTTP_HOST better reflects what is in the address bar.
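
An added example, not part of this thread and not Tracy's code: because SERVER_NAME can itself reflect the client's Host header under some server configurations (for example Apache with `UseCanonicalName Off`), code that needs a host name for security-relevant output can treat both variables as untrusted and accept a value only if it matches an allowlist. The function names, the allowlist and the canonical host below are assumptions supplied by the application's own configuration.

```php
<?php
declare(strict_types=1);

/**
 * Returns a host name that is safe to place in generated links.
 * A request-derived value is accepted only when it matches the
 * operator-defined allowlist; otherwise the canonical name is used.
 * $allowedHosts and $canonicalHost are hypothetical config values.
 */
function resolveTrustedHost(array $server, array $allowedHosts, string $canonicalHost): string
{
    // Both variables are treated as untrusted input here.
    foreach (['HTTP_HOST', 'SERVER_NAME'] as $key) {
        $raw = $server[$key] ?? null;
        if (!is_string($raw) || $raw === '') {
            continue;
        }
        $host = normalizeHost($raw);
        if ($host !== null && in_array($host, $allowedHosts, true)) {
            return $host;
        }
    }
    return $canonicalHost;
}

/** Lower-cases, strips the port and a trailing dot; null if malformed. */
function normalizeHost(string $raw): ?string
{
    // host[:port], where host is a DNS name, IPv4 address or [IPv6] literal.
    // \z (not $) so that a trailing newline cannot slip through.
    if (!preg_match('~^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::\d{1,5})?\z~i', $raw, $m)) {
        return null;
    }
    return rtrim(strtolower($m[1]), '.');
}

// Constructed sample requests (not taken from any real log).
$allowed = ['example.test', 'www.example.test'];
$samples = [
    ['HTTP_HOST' => 'WWW.Example.test:8443', 'SERVER_NAME' => 'example.test'],
    // Models a server that copies the Host header into SERVER_NAME.
    ['HTTP_HOST' => 'attacker.invalid', 'SERVER_NAME' => 'attacker.invalid'],
    ['HTTP_HOST' => "example.test\r\nX-Injected: 1", 'SERVER_NAME' => ''],
];
foreach ($samples as $s) {
    echo resolveTrustedHost($s, $allowed, 'example.test'), "\n";
}
```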
