Mirror of https://we.phorge.it/source/phorge.git (synced 2024-12-29 17:00:59 +01:00)
Improve "Host" header check
Summary: See IRC. This check is somewhat misleading right now because it could arise from a mangled/broken Host header rather than a bad `phabricator.base-uri` configuration.

Test Plan: Faked this to trip, read all the text.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D11894
parent 59a35af395
commit a5426221b1
1 changed files with 45 additions and 12 deletions
|
@ -9,20 +9,53 @@ final class PhabricatorBaseURISetupCheck extends PhabricatorSetupCheck {
|
|||
protected function executeChecks() {
|
||||
$base_uri = PhabricatorEnv::getEnvConfig('phabricator.base-uri');
|
||||
|
||||
if (strpos(AphrontRequest::getHTTPHeader('Host'), '.') === false) {
|
||||
$summary = pht(
|
||||
'The domain does not contain a dot. This is necessary for some web '.
|
||||
'browsers to be able to set cookies.');
|
||||
|
||||
$message = pht(
|
||||
'The domain in the base URI must contain a dot ("."), e.g. '.
|
||||
'"http://example.com", not just a bare name like "http://example/". '.
|
||||
'Some web browsers will not set cookies on domains with no TLD.');
|
||||
$host_header = AphrontRequest::getHTTPHeader('Host');
|
||||
if (strpos($host_header, '.') === false) {
|
||||
if (!strlen(trim($host_header))) {
|
||||
$name = pht('No "Host" Header');
|
||||
$summary = pht('No "Host" header present in request.');
|
||||
$message = pht(
|
||||
'This request did not include a "Host" header. This may mean that '.
|
||||
'your webserver (like nginx or apache) is misconfigured so the '.
|
||||
'"Host" header is not making it to Phabricator, or that you are '.
|
||||
'making a raw request without a "Host" header using a tool or '.
|
||||
'library.'.
|
||||
"\n\n".
|
||||
'If you are using a web browser, check your webserver '.
|
||||
'configuration. If you are using a tool or library, check how the '.
|
||||
'request is being constructed.'.
|
||||
"\n\n".
|
||||
'It is also possible (but very unlikely) that some other network '.
|
||||
'device (like a load balancer) is stripping the header.'.
|
||||
"\n\n".
|
||||
'Requests must include a valid "Host" header.');
|
||||
} else {
|
||||
$name = pht('Bad "Host" Header');
|
||||
$summary = pht('Request has bad "Host" header.');
|
||||
$message = pht(
|
||||
'This request included an invalid "Host" header, with value "%s". '.
|
||||
'Host headers must contain a dot ("."), like "example.com". This '.
|
||||
'is required for some browsers to be able to set cookies.'.
|
||||
"\n\n".
|
||||
'This may mean the base URI is configured incorrectly. You must '.
|
||||
'serve Phabricator from a base URI with a dot (like '.
|
||||
'"https://phabricator.mycompany.com"), not a bare domain '.
|
||||
'(like "https://phabricator/"). If you are trying to use a bare '.
|
||||
'domain, change your configuration to use a full domain with a dot '.
|
||||
'in it instead.'.
|
||||
"\n\n".
|
||||
'This might also mean that your webserver (or some other network '.
|
||||
'device, like a load balancer) is mangling the "Host" header, or '.
|
||||
'you are using a tool or library to issue a request manually and '.
|
||||
'setting the wrong "Host" header.'.
|
||||
"\n\n".
|
||||
'Requests must include a valid "Host" header.',
|
||||
$host_header);
|
||||
}
|
||||
|
||||
$this
|
||||
->newIssue('config.phabricator.domain')
|
||||
->setShortName(pht('Dotless Domain'))
|
||||
->setName(pht('No Dot Character in Domain'))
|
||||
->newIssue('request.host')
|
||||
->setName($name)
|
||||
->setSummary($summary)
|
||||
->setMessage($message)
|
||||
->setIsFatal(true);
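Review bot: in the else branch, `$host_header` is passed into the `pht()` message through `%s` unmodified, and that value comes straight from the request's "Host" header, so part of the text shown for this fatal issue is client-controlled. Please confirm that whatever renders the `setMessage()` output escapes it, and consider bounding the length of the value before it is displayed. Separately, the replacement `newIssue('request.host')` chain no longer calls `setShortName()`, which the old `config.phabricator.domain` issue did; add one for each branch if the short name is still shown anywhere.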