mirror of
https://github.com/firefly-iii/firefly-iii.git
synced 2024-11-25 10:20:29 -06:00
Add host header validation
This commit is contained in:
parent
b37b5b86d4
commit
997dc3814b
12
.env.example
12
.env.example
@ -332,15 +332,7 @@ DEMO_PASSWORD=
|
|||||||
FIREFLY_III_LAYOUT=v1
|
FIREFLY_III_LAYOUT=v1
|
||||||
|
|
||||||
#
|
#
|
||||||
# If you have trouble configuring your Firefly III installation, DON'T BOTHER setting this variable.
|
# Please make sure this URL matches the external URL of your Firefly III installation.
|
||||||
# It won't work. It doesn't do ANYTHING. Don't believe the lies you read online. I'm not joking.
|
# It is used to validate specific requests and to generate URLs in emails.
|
||||||
# This configuration value WILL NOT HELP.
|
|
||||||
#
|
|
||||||
# Notable exception to this rule is Synology, which, according to some users, will use APP_URL to rewrite stuff.
|
|
||||||
#
|
|
||||||
# This variable is ONLY used in some of the emails Firefly III sends around. Nowhere else.
|
|
||||||
# So when configuring anything WEB related this variable doesn't do anything. Nothing
|
|
||||||
#
|
|
||||||
# If you're stuck I understand you get desperate but look SOMEWHERE ELSE.
|
|
||||||
#
|
#
|
||||||
APP_URL=http://localhost
|
APP_URL=http://localhost
|
||||||
|
@ -68,6 +68,9 @@ class ForgotPasswordController extends Controller
|
|||||||
return view('error', compact('message'));
|
return view('error', compact('message'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// validate host header.
|
||||||
|
$this->validateHost();
|
||||||
|
|
||||||
$this->validateEmail($request);
|
$this->validateEmail($request);
|
||||||
|
|
||||||
// verify if the user is not a demo user. If so, we give him back an error.
|
// verify if the user is not a demo user. If so, we give him back an error.
|
||||||
@ -118,4 +121,19 @@ class ForgotPasswordController extends Controller
|
|||||||
|
|
||||||
return view('auth.passwords.email')->with(compact('allowRegistration', 'pageTitle'));
|
return view('auth.passwords.email')->with(compact('allowRegistration', 'pageTitle'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return void
|
||||||
|
* @throws FireflyException
|
||||||
|
*/
|
||||||
|
private function validateHost(): void {
|
||||||
|
$configuredHost = parse_url((string)config('app.url'), PHP_URL_HOST);
|
||||||
|
if(false === $configuredHost || null === $configuredHost) {
|
||||||
|
throw new FireflyException('Please set a valid and correct Firefly III URL in the APP_URL environment variable.');
|
||||||
|
}
|
||||||
|
$host = request()->host();
|
||||||
|
if($configuredHost !== $host) {
|
||||||
|
throw new FireflyException('The Host-header does not match the host in the APP_URL environment variable. Please make sure these match. See also: https://bit.ly/FF3-host-header');
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -80,6 +80,8 @@ class ResetPasswordController extends Controller
|
|||||||
|
|
||||||
return view('error', compact('message'));
|
return view('error', compact('message'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
$rules = [
|
$rules = [
|
||||||
'token' => 'required',
|
'token' => 'required',
|
||||||
'email' => 'required|email',
|
'email' => 'required|email',
|
||||||
@ -90,7 +92,7 @@ class ResetPasswordController extends Controller
|
|||||||
|
|
||||||
// Here we will attempt to reset the user's password. If it is successful we
|
// Here we will attempt to reset the user's password. If it is successful we
|
||||||
// will update the password on an actual user model and persist it to the
|
// will update the password on an actual user model and persist it to the
|
||||||
// database. Otherwise we will parse the error and return the response.
|
// database. Otherwise, we will parse the error and return the response.
|
||||||
$response = $this->broker()->reset(
|
$response = $this->broker()->reset(
|
||||||
$this->credentials($request),
|
$this->credentials($request),
|
||||||
function ($user, $password): void {
|
function ($user, $password): void {
|
||||||
|
Loading…
Reference in New Issue
Block a user