From 0303e91ae562e90c26c721d9454b651673f19746 Mon Sep 17 00:00:00 2001
From: Javier Eguiluz <javier.eguiluz@gmail.com>
Date: Mon, 26 May 2014 15:30:46 +0200
Subject: [PATCH 1/3] Added the documentation for the trusted_hosts option

---
 reference/configuration/framework.rst | 64 +++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst
index 7008ecc8c0d..2f6af3850fc 100644
--- a/reference/configuration/framework.rst
+++ b/reference/configuration/framework.rst
@@ -19,6 +19,7 @@ Configuration
 * `http_method_override`_
 * `ide`_
 * `test`_
+* `trusted_hosts`_
 * `trusted_proxies`_
 * `form`_
     * enabled
@@ -114,6 +115,69 @@ services related to testing your application (e.g. ``test.client``) are loaded.
 This setting should be present in your ``test`` environment (usually via
 ``app/config/config_test.yml``). For more information, see :doc:`/book/testing`.
 
+.. _reference-framework-trusted-hosts:
+
+trusted_hosts
+~~~~~~~~~~~~~
+
+**type**: ``array``
+
+The value of the ``$_SERVER['HOST']`` parameter cannot be safely trusted because
+users can manipulate it. This option whitelists the hosts that your Symfony
+application can respond to.
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        framework:
+            trusted_hosts:  ['acme.com', 'acme.org']
+
+    .. code-block:: xml
+
+        <framework:config trusted-hosts="acme.com, acme.org">
+            <!-- ... -->
+        </framework>
+
+    .. code-block:: php
+
+        $container->loadFromExtension('framework', array(
+            'trusted_hosts' => array('acme.com', 'acme.org'),
+        ));
+
+Hosts can also be configured using regular expressions, which make it easier to
+respond to any subdomain:
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        framework:
+            trusted_hosts:  ['.*\.?acme.com$', '.*\.?acme.org$']
+
+    .. code-block:: xml
+
+        <framework:config trusted-hosts=".*\.?acme.com$, .*\.?acme.org$">
+            <!-- ... -->
+        </framework>
+
+    .. code-block:: php
+
+        $container->loadFromExtension('framework', array(
+            'trusted_hosts' => array('.*\.?acme.com$', '.*\.?acme.org$'),
+        ));
+
+In addition, you can also set the trusted hosts in the front controller using
+the ``Request::setTrustedHosts()`` method:
+
+.. code-block:: php
+
+    // web/app.php
+    Request::setTrustedHosts(array('.*\.?acme.com$', '.*\.?acme.org$'));
+
+The default value for this option is an empty array, meaning that the application
+can respond to any given host.
+
 .. _reference-framework-trusted-proxies:
 
 trusted_proxies

From 361574a811985ef30d0ed3bfc893e3f4463ef768 Mon Sep 17 00:00:00 2001
From: Javier Eguiluz <javier.eguiluz@gmail.com>
Date: Mon, 26 May 2014 16:22:52 +0200
Subject: [PATCH 2/3] Fixed minor formatting issues

---
 reference/configuration/framework.rst | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst
index 2f6af3850fc..a5479d68009 100644
--- a/reference/configuration/framework.rst
+++ b/reference/configuration/framework.rst
@@ -115,8 +115,6 @@ services related to testing your application (e.g. ``test.client``) are loaded.
 This setting should be present in your ``test`` environment (usually via
 ``app/config/config_test.yml``). For more information, see :doc:`/book/testing`.
 
-.. _reference-framework-trusted-hosts:
-
 trusted_hosts
 ~~~~~~~~~~~~~
 
@@ -168,9 +166,7 @@ respond to any subdomain:
         ));
 
 In addition, you can also set the trusted hosts in the front controller using
-the ``Request::setTrustedHosts()`` method:
-
-.. code-block:: php
+the ``Request::setTrustedHosts()`` method::
 
     // web/app.php
     Request::setTrustedHosts(array('.*\.?acme.com$', '.*\.?acme.org$'));

From 9fb67665710793a6674445212c34b17e453504a3 Mon Sep 17 00:00:00 2001
From: Javier Eguiluz <javier.eguiluz@gmail.com>
Date: Sat, 5 Jul 2014 16:12:57 +0200
Subject: [PATCH 3/3] Added more information about the risks involved and why
 this configuration option is useful.

The source of this information is the content of this security advisory:
http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released#cve-2013-4752-request-gethost-poisoning
---
 reference/configuration/framework.rst | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst
index a5479d68009..0e02b3c0b90 100644
--- a/reference/configuration/framework.rst
+++ b/reference/configuration/framework.rst
@@ -120,9 +120,16 @@ trusted_hosts
 
 **type**: ``array``
 
-The value of the ``$_SERVER['HOST']`` parameter cannot be safely trusted because
-users can manipulate it. This option whitelists the hosts that your Symfony
-application can respond to.
+A lot of different attacks have been discovered relying on inconsistencies
+between the handling of the ``Host`` header by various software (web servers,
+reverse proxies, web frameworks, etc.). Basically, everytime the framework is
+generating an absolute URL (when sending an email to reset a password for
+instance), the host might have been manipulated by an attacker.
+
+The Symfony Request::getHost() method might be vulnerable to some of these attacks
+because it depends on the configuration of your web server. One simple solution
+to avoid these attacks is to whitelist the hosts that your Symfony application
+can respond to. That's the purpose of this ``trusted_hosts`` option:
 
 .. configuration-block::