Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/07/11 07:58:46 UTC

[ofbiz-framework] 01/03: Improved: better message for host-headers-allowed

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit c70fa51ae74abf225a4c006523bc56ec07205d84
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Jul 11 09:30:59 2020 +0200

    Improved: better message for host-headers-allowed
    
    Adds an explanation about what to do when using own domain.
    
    Some users don't look into the log, so it is better to also put the explanation
    in the exception message so that they see it at first glance.
    
    Conflicts handled in webapp/control/RequestHandler.java
---
 framework/security/config/security.properties                       | 2 +-
 .../main/java/org/apache/ofbiz/webapp/control/RequestHandler.java   | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index fa64fa5..8992fa1 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -154,7 +154,7 @@ security.token.key=security.token.key
 
 # -- List of domains or IP addresses to be checked to prevent Host Header Injection, 
 # -- no spaces after commas,no wildcard, can be extended of course...
-host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
+host-headers-allowed=127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
 
 # -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed  
 SameSiteCookieAttribute=
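Review bot: Dropping `localhost` from the default on the `host-headers-allowed` line changes what a fresh checkout accepts, and neither the commit message nor the property comment says why, so developers reaching the instance at http://localhost will now hit the host-header rejection with no hint in the config itself. I would state the intent in the comment above the property, e.g. `# -- 'localhost' is deliberately not listed; add it for local development, and list every hostname your deployment is reached by (the check is an exact match on the request's server name, no wildcards).` The remaining demo-*.ofbiz.apache.org entries are ASF demo hosts, and a production deployment should replace them with its own names rather than append to the list, which the comment could also say.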
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 41b5d44..fe5ff7a 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -240,8 +240,10 @@ public class RequestHandler {
             GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
 
         if (!hostHeadersAllowed.contains(request.getServerName())) {
-            Debug.logError("Domain " + request.getServerName() + " not accepted to prevent host header injection ", module);
-            throw new RequestHandlerException("Domain " + request.getServerName() + " not accepted to prevent host header injection ");
+            Debug.logError("Domain " + request.getServerName() + " not accepted to prevent host header injection."
+                    + " You need to set host-headers-allowed property in security.properties file.", MODULE);
+            throw new RequestHandlerException("Domain " + request.getServerName() + " not accepted to prevent host header injection."
+                    + " You need to set host-headers-allowed property in security.properties file.");
         }
                 
         final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
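Review bot: The new exception message on the throw line reflects the raw, client-controlled `request.getServerName()` value into an error that the commit message says is meant to be shown to the requester; if that error page renders the message without escaping (not visible here), an attacker-chosen Host header becomes reflected content, and the hint about `security.properties` also discloses deployment details to anonymous clients. Consider keeping the host value and the configuration hint in the `Debug.logError` line only and throwing a shorter message, e.g. `throw new RequestHandlerException("Domain not accepted to prevent host header injection; see the server log for the host-headers-allowed setting.");`. The log call also writes an unbounded attacker-controlled string at error level on every rejected request, which is cheap to flood, so a warning level or a length cap on the logged value would be safer. Note that the rename from `module` to `MODULE` assumes that constant exists under that name on this branch, which the hunk does not show, and the enclosing method begins before the hunk.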