You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/07/11 08:00:23 UTC

[ofbiz-framework] 02/04: Improved: better message for host-headers-allowed

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 3c9fe5f91684de54570e6ec61575c11368a2ffd6
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Jul 11 09:30:59 2020 +0200

    Improved: better message for host-headers-allowed
    
    Adds an explanation about what to do when using own domain.
    
    Some users don't look into the log so it's better to set also the exception
    message in order for them to have it right at 1st glance.
---
 framework/security/config/security.properties                       | 2 +-
 .../main/java/org/apache/ofbiz/webapp/control/RequestHandler.java   | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index bf1d075..8a1d353 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -154,7 +154,7 @@ security.token.key=security.token.key
 
 # -- List of domains or IP addresses to be checked to prevent Host Header Injection,
 # -- no spaces after commas,no wildcard, can be extended of course...
-host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
+host-headers-allowed=127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
 
 # -- By default the SameSite value in SameSiteFilter is 'strict'.
 # -- This property allows to change to 'lax' if needed.
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 895265b..629b96e 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -214,8 +214,10 @@ public class RequestHandler {
             GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
 
         if (!hostHeadersAllowed.contains(request.getServerName())) {
-            Debug.logError("Domain " + request.getServerName() + " not accepted to prevent host header injection ", MODULE);
-            throw new RequestHandlerException("Domain " + request.getServerName() + " not accepted to prevent host header injection ");
+            Debug.logError("Domain " + request.getServerName() + " not accepted to prevent host header injection."
+                    + " You need to set host-headers-allowed property in security.properties file.", MODULE);
+            throw new RequestHandlerException("Domain " + request.getServerName() + " not accepted to prevent host header injection."
+                    + " You need to set host-headers-allowed property in security.properties file.");
         }
                 
         final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(