You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/07/11 07:58:43 UTC

[ofbiz-framework] 01/02: Improved: better message for host-headers-allowed

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 0e3b1c7a49b2192cd11347e7f4efe00fbacd64e4
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Jul 11 09:54:18 2020 +0200

    Improved: better message for host-headers-allowed
    
    Adds an explanation about what to do when using own domain.
    
    Some users don't look into the log so it's better to set also the exception
    message in order for them to have it right at 1st glance.
---
 .../main/java/org/apache/ofbiz/webapp/control/RequestHandler.java   | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 52fa77f..44bd79b 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -127,8 +127,10 @@ public class RequestHandler {
             GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
 
         if (!hostHeadersAllowed.contains(request.getServerName())) {
-            Debug.logError("Domain " + request.getServerName() + " not accepted to prevent host header injection ", module);
-            throw new RequestHandlerException("Domain " + request.getServerName() + " not accepted to prevent host header injection ");
+            Debug.logError("Domain " + request.getServerName() + " not accepted to prevent host header injection."
+                    + " You need to set host-headers-allowed property in security.properties file.", MODULE);
+            throw new RequestHandlerException("Domain " + request.getServerName() + " not accepted to prevent host header injection."
+                    + " You need to set host-headers-allowed property in security.properties file.");
         }
                 
         final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(