IntenseFinance/firefly-iii
3
0
Fork 0
mirror of https://github.com/firefly-iii/firefly-iii.git synced 2024-11-21 16:38:36 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add host header validation

Browse Source
This commit is contained in:
James Cole 2024-02-17 08:18:49 +01:00
parent b37b5b86d4
commit 997dc3814b
No known key found for this signature in database
GPG Key ID: B49A324B7EAD6D80
3 changed files with 23 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
.env.example
View File

@ -332,15 +332,7 @@ DEMO_PASSWORD=
FIREFLY_III_LAYOUT=v1
#
# If you have trouble configuring your Firefly III installation, DON'T BOTHER setting this variable.
# It won't work. It doesn't do ANYTHING. Don't believe the lies you read online. I'm not joking.
# This configuration value WILL NOT HELP.
#
# Notable exception to this rule is Synology, which, according to some users, will use APP_URL to rewrite stuff.
#
# This variable is ONLY used in some of the emails Firefly III sends around. Nowhere else.
# So when configuring anything WEB related this variable doesn't do anything. Nothing
#
# If you're stuck I understand you get desperate but look SOMEWHERE ELSE.
# Please make sure this URL matches the external URL of your Firefly III installation.
# It is used to validate specific requests and to generate URLs in emails.
#
APP_URL=http://localhost

18
app/Http/Controllers/Auth/ForgotPasswordController.php
View File

@ -68,6 +68,9 @@ class ForgotPasswordController extends Controller
return view('error', compact('message'));
}
// validate host header.
$this->validateHost();
$this->validateEmail($request);
// verify if the user is not a demo user. If so, we give him back an error.
@ -118,4 +121,19 @@ class ForgotPasswordController extends Controller
return view('auth.passwords.email')->with(compact('allowRegistration', 'pageTitle'));
}
/**
* @return void
* @throws FireflyException
*/
private function validateHost(): void {
$configuredHost = parse_url((string)config('app.url'), PHP_URL_HOST);
if(false === $configuredHost || null === $configuredHost) {
throw new FireflyException('Please set a valid and correct Firefly III URL in the APP_URL environment variable.');
}
$host = request()->host();
if($configuredHost !== $host) {
throw new FireflyException('The Host-header does not match the host in the APP_URL environment variable. Please make sure these match. See also: https://bit.ly/FF3-host-header');
}
}
}

4
app/Http/Controllers/Auth/ResetPasswordController.php
View File

@ -80,6 +80,8 @@ class ResetPasswordController extends Controller
return view('error', compact('message'));
}
$rules = [
'token' => 'required',
'email' => 'required|email',
@ -90,7 +92,7 @@ class ResetPasswordController extends Controller
// Here we will attempt to reset the user's password. If it is successful we
// will update the password on an actual user model and persist it to the
// database. Otherwise we will parse the error and return the response.
// database. Otherwise, we will parse the error and return the response.
$response = $this->broker()->reset(
$this->credentials($request),
function ($user, $password): void {