[ofbiz-framework] 01/03: Improved: better message for host-headers-allowed

Sat, 11 Jul 2020 00:59:14 -0700 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit c70fa51ae74abf225a4c006523bc56ec07205d84
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sat Jul 11 09:30:59 2020 +0200

    Improved: better message for host-headers-allowed
    
    Adds an explanation about what to do when using own domain.
    
    Some users don't look into the log so it's better to set also the exception
    message in order for them to have it right at 1st glance.
    
    Conflicts handled in webapp/control/RequestHandler.java
---
 framework/security/config/security.properties                       | 2 +-
 .../main/java/org/apache/ofbiz/webapp/control/RequestHandler.java   | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index fa64fa5..8992fa1 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -154,7 +154,7 @@ security.token.key=security.token.key
 
 # -- List of domains or IP addresses to be checked to prevent Host Header 
Injection, 
 # -- no spaces after commas,no wildcard, can be extended of course...
-host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
+host-headers-allowed=127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
 
 # -- By default the SameSite value in SameSiteFilter is strict. This allows to 
change it to lax if needed  
 SameSiteCookieAttribute=
diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 41b5d44..fe5ff7a 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -240,8 +240,10 @@ public class RequestHandler {
             GenericValue userLogin, Delegator delegator) throws 
RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
 
         if (!hostHeadersAllowed.contains(request.getServerName())) {
-            Debug.logError("Domain " + request.getServerName() + " not 
accepted to prevent host header injection ", module);
-            throw new RequestHandlerException("Domain " + 
request.getServerName() + " not accepted to prevent host header injection ");
+            Debug.logError("Domain " + request.getServerName() + " not 
accepted to prevent host header injection."
+                    + " You need to set host-headers-allowed property in 
security.properties file.", MODULE);
+            throw new RequestHandlerException("Domain " + 
request.getServerName() + " not accepted to prevent host header injection."
+                    + " You need to set host-headers-allowed property in 
security.properties file.");
         }
                 
         final boolean throwRequestHandlerExceptionOnMissingLocalRequest = 
EntityUtilProperties.propertyValueEqualsIgnoreCase(

Reply via email to