From 9f553707baae05e581789b11ab017a0b5028cc60 Mon Sep 17 00:00:00 2001
From: Diogo Peralta Cordeiro
Date: Mon, 19 Jul 2021 13:50:40 +0100
Subject: [PATCH] [CORE] Proxies: constant HEADER_X_FORWARDED_ALL is deprecated

Give ENV preference over SERVER
---
 public/index.php | 19 ++++++++++++++-----
 src/Kernel.php | 4 ++--
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/public/index.php b/public/index.php
index 02b1587136..88566b5e9e 100755
--- a/public/index.php
+++ b/public/index.php
@@ -24,9 +24,11 @@
  * @category Framework
  *
  * @author Hugo Sales
- * @copyright 2020 Free Software Foundation, Inc http://www.fsf.org
+ * @author Diogo Peralta Cordeiro
+ * @copyright 2020-2021 Free Software Foundation, Inc http://www.fsf.org
  * @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
  */
+
 use App\CacheKernel;
 use App\Kernel;
 use Symfony\Component\ErrorHandler\Debug;
@@ -40,12 +42,19 @@
 if ($_SERVER['APP_DEBUG']) {
     Debug::enable();
 }
 
-if ($trustedProxies = $_SERVER['TRUSTED_PROXIES'] ?? $_ENV['TRUSTED_PROXIES'] ?? false) {
-    Request::setTrustedProxies(\explode(',', $trustedProxies),
-        Request::HEADER_X_FORWARDED_ALL ^ Request::HEADER_X_FORWARDED_HOST);
+// When a request passes through a proxy, certain request information is sent using either
+// the standard Forwarded header or X-Forwarded-* headers.
+// Therefore, if the user configures trusted proxy IPs, we trust these headers.
+if ($trustedProxies = $_ENV['TRUSTED_PROXIES'] ?? $_SERVER['TRUSTED_PROXIES'] ?? false) {
+    Request::setTrustedProxies(explode(',', $trustedProxies),
+        Request::HEADER_FORWARDED | Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO
+    );
 }
 
-if ($trustedHosts = $_SERVER['TRUSTED_HOSTS'] ?? $_ENV['TRUSTED_HOSTS'] ?? false) {
+// For enhanced security while using Request, here we define the trusted hosts.
+// If the incoming request’s hostname doesn't match one of the regular expressions in
+// this list, the application won’t respond and the user will receive a 400 response.
+if ($trustedHosts = $_ENV['TRUSTED_HOSTS'] ?? $_SERVER['TRUSTED_HOSTS'] ?? false) {
     Request::setTrustedHosts([$trustedHosts]);
 }
diff --git a/src/Kernel.php b/src/Kernel.php
index 5341933eac..ee6a52662b 100644
--- a/src/Kernel.php
+++ b/src/Kernel.php
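Review bot: The new header mask on the `Request::setTrustedProxies(` call trusts `Request::HEADER_X_FORWARDED_HOST`, which the removed line had deliberately masked out with `^ Request::HEADER_X_FORWARDED_HOST`; behind a proxy that passes a client-supplied X-Forwarded-Host through unchanged, that lets the client steer `getHost()` and every absolute URL the application builds from it, so the commit widens trust well beyond the deprecation fix its title describes. The mask also ORs `HEADER_FORWARDED` with the X-Forwarded-* set, and Symfony's Request treats differing values from two trusted families as an error (ConflictingHeadersException), so a mask should trust only the family the proxy actually rewrites. Unless the deployment proxy is known to overwrite X-Forwarded-Host, I would keep the old exclusion, `Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO`, and document that `HEADER_FORWARDED` or `HEADER_X_FORWARDED_HOST` is added only by explicit deployment choice. Separately, the added comment on the trusted-hosts block speaks of "regular expressions in this list", but the unchanged `Request::setTrustedHosts([$trustedHosts]);` wraps the raw value as a single pattern without exploding on commas the way TRUSTED_PROXIES is; either split it the same way or reword the comment to say one pattern is expected.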
@@ -56,9 +56,9 @@ class Kernel extends BaseKernel
         define('PUBLICDIR', INSTALLDIR . '/public');
         define('GNUSOCIAL_ENGINE_NAME', 'GNU social');
         // MERGE Change to https://gnu.io/social/
-        define('GNUSOCIAL_PROJECT_URL', 'https://gnusocial.network/');
+        define('GNUSOCIAL_PROJECT_URL', 'https://gnusocial.rocks/');
         // MERGE Change to https://git.gnu.io/gnu/gnu-social
-        define('GNUSOCIAL_REPOSITORY_URL', 'https://notabug.org/diogo/gnu-social/');
+        define('GNUSOCIAL_REPOSITORY_URL', 'https://code.undefinedhackers.net/GNUsocial/gnu-social');
         // Current base version, major.minor.patch
         define('GNUSOCIAL_BASE_VERSION', '3.0.0');
         // 'dev', 'alpha[0-9]+', 'beta[0-9]+', 'rc[0-9]+', 'release'