
Improve "Host" header check

Summary: See IRC. This check is somewhat misleading right now because the failure could arise from a mangled/broken Host header rather than a bad `phabricator.base-uri` configuration.

Test Plan: Faked this to trip, read all the text.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D11894
epriestley 2015-02-26 14:37:48 -08:00
parent 59a35af395
commit a5426221b1


@ -9,20 +9,53 @@ final class PhabricatorBaseURISetupCheck extends PhabricatorSetupCheck {
protected function executeChecks() {
$base_uri = PhabricatorEnv::getEnvConfig('phabricator.base-uri');
if (strpos(AphrontRequest::getHTTPHeader('Host'), '.') === false) {
$summary = pht(
'The domain does not contain a dot. This is necessary for some web '.
'browsers to be able to set cookies.');
$message = pht(
'The domain in the base URI must contain a dot ("."), e.g. '.
'"http://example.com", not just a bare name like "http://example/". '.
'Some web browsers will not set cookies on domains with no TLD.');
$host_header = AphrontRequest::getHTTPHeader('Host');
if (strpos($host_header, '.') === false) {
if (!strlen(trim($host_header))) {
$name = pht('No "Host" Header');
$summary = pht('No "Host" header present in request.');
$message = pht(
'This request did not include a "Host" header. This may mean that '.
'your webserver (like nginx or apache) is misconfigured so the '.
'"Host" header is not making it to Phabricator, or that you are '.
'making a raw request without a "Host" header using a tool or '.
'library.'.
"\n\n".
'If you are using a web browser, check your webserver '.
'configuration. If you are using a tool or library, check how the '.
'request is being constructed.'.
"\n\n".
'It is also possible (but very unlikely) that some other network '.
'device (like a load balancer) is stripping the header.'.
"\n\n".
'Requests must include a valid "Host" header.');
} else {
$name = pht('Bad "Host" Header');
$summary = pht('Request has bad "Host" header.');
$message = pht(
'This request included an invalid "Host" header, with value "%s". '.
'Host headers must contain a dot ("."), like "example.com". This '.
'is required for some browsers to be able to set cookies.'.
"\n\n".
'This may mean the base URI is configured incorrectly. You must '.
'serve Phabricator from a base URI with a dot (like '.
'"https://phabricator.mycompany.com"), not a bare domain '.
'(like "https://phabricator/"). If you are trying to use a bare '.
'domain, change your configuration to use a full domain with a dot '.
'in it instead.'.
"\n\n".
'This might also mean that your webserver (or some other network '.
'device, like a load balancer) is mangling the "Host" header, or '.
'you are using a tool or library to issue a request manually and '.
'setting the wrong "Host" header.'.
"\n\n".
'Requests must include a valid "Host" header.',
$host_header);
}
$this
->newIssue('config.phabricator.domain')
->setShortName(pht('Dotless Domain'))
->setName(pht('No Dot Character in Domain'))
->newIssue('request.host')
->setName($name)
->setSummary($summary)
->setMessage($message)
->setIsFatal(true);