revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-20 20:40:56 +01:00
Code Issues Releases Wiki Activity

Improve "Host" header check

Browse source 
Summary: See IRC. This check is somewhat misleading right now because it could arise from a mangled/broken Host header rather than a bad `phabricator.base-uri` configuration.

Test Plan: Faked this to trip, read all the text.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D11894
This commit is contained in:
epriestley 2015-02-26 14:37:48 -08:00
parent 59a35af395
commit a5426221b1
1 changed files with 45 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
src/applications/config/check/PhabricatorBaseURISetupCheck.php
View file

@ -9,20 +9,53 @@ final class PhabricatorBaseURISetupCheck extends PhabricatorSetupCheck {
protected function executeChecks() { protected function executeChecks() {
$base_uri = PhabricatorEnv::getEnvConfig('phabricator.base-uri'); $base_uri = PhabricatorEnv::getEnvConfig('phabricator.base-uri');
if (strpos(AphrontRequest::getHTTPHeader('Host'), '.') === false) { $host_header = AphrontRequest::getHTTPHeader('Host');
$summary = pht( if (strpos($host_header, '.') === false) {
'The domain does not contain a dot. This is necessary for some web '. if (!strlen(trim($host_header))) {
'browsers to be able to set cookies.'); $name = pht('No "Host" Header');
$summary = pht('No "Host" header present in request.');
$message = pht( $message = pht(
'The domain in the base URI must contain a dot ("."), e.g. '. 'This request did not include a "Host" header. This may mean that '.
'"http://example.com", not just a bare name like "http://example/". '. 'your webserver (like nginx or apache) is misconfigured so the '.
'Some web browsers will not set cookies on domains with no TLD.'); '"Host" header is not making it to Phabricator, or that you are '.
'making a raw request without a "Host" header using a tool or '.
'library.'.
"\n\n".
'If you are using a web browser, check your webserver '.
'configuration. If you are using a tool or library, check how the '.
'request is being constructed.'.
"\n\n".
'It is also possible (but very unlikely) that some other network '.
'device (like a load balancer) is stripping the header.'.
"\n\n".
'Requests must include a valid "Host" header.');
} else {
$name = pht('Bad "Host" Header');
$summary = pht('Request has bad "Host" header.');
$message = pht(
'This request included an invalid "Host" header, with value "%s". '.
'Host headers must contain a dot ("."), like "example.com". This '.
'is required for some browsers to be able to set cookies.'.
"\n\n".
'This may mean the base URI is configured incorrectly. You must '.
'serve Phabricator from a base URI with a dot (like '.
'"https://phabricator.mycompany.com"), not a bare domain '.
'(like "https://phabricator/"). If you are trying to use a bare '.
'domain, change your configuration to use a full domain with a dot '.
'in it instead.'.
"\n\n".
'This might also mean that your webserver (or some other network '.
'device, like a load balancer) is mangling the "Host" header, or '.
'you are using a tool or library to issue a request manually and '.
'setting the wrong "Host" header.'.
"\n\n".
'Requests must include a valid "Host" header.',
$host_header);
}
$this $this
->newIssue('config.phabricator.domain') ->newIssue('request.host')
->setShortName(pht('Dotless Domain')) ->setName($name)
->setName(pht('No Dot Character in Domain'))
->setSummary($summary) ->setSummary($summary)
->setMessage($message) ->setMessage($message)
->setIsFatal(true); ->setIsFatal(true);