Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Warn developers if SS_ALLOWED_HOSTS has not been set #11610

Closed
5 of 6 tasks
GuySartorelli opened this issue Feb 12, 2025 · 1 comment
Closed
5 of 6 tasks

Warn developers if SS_ALLOWED_HOSTS has not been set #11610

GuySartorelli opened this issue Feb 12, 2025 · 1 comment
Assignees
@emteknetnz
Labels
affects/v5 type/enhancement

Comments

@GuySartorelli
Copy link
Member

GuySartorelli commented Feb 12, 2025
edited
Loading

Our documentation advises developers that setting SS_ALLOWED_HOSTS helps to protect against host header injection attacks if their webhost doesn't shield them from it.

This is a standard approach to this problem - see Drupal and Symfony documentation.

Regardless, it has come to light that there are many websites running Silverstripe CMS which do not have adequate protection at a webhost level, and have also not set the SS_ALLOWED_HOSTS, and therefore the project is susceptible to host header injection attacks.

Important

This is not a vulnerability in Silverstripe CMS itself - Silverstripe CMS has no way of knowing what hosts are valid unless the developers tell it. In a well configured hosting environment, the host header will be validated by the web server (e.g. via apache virtual hosts) prior to being sent to the Silverstripe CMS application.

To help raise awareness to developers, we've decided to log a warning if SS_ALLOWED_HOSTS is not set.

Notes

  • The most sensible place to add this is probably somewhere in BaseKernel either during boot (e.g. at the end of bootConfig() or in BaseKernel::activate().
  • This needs to happen after config manifests have finished loading, so that it gets sent to the project's configured logging handler.

Acceptance criteria

  • If the SS_ALLOWED_HOSTS is not set, a warning is logged using the default logger service
  • Logging happens in all env modes (dev/test/live) and in both CLI and HTTP contexts
  • There is a way to explicitly disable the warning (e.g. set SS_ALLOWED_HOSTS to "*")
  • YML configuration is added to allow for configuring allowed hosts in scenarios where env variables cannot be easily modified. If both are present then env variable has precedence
  • Do not add a bool configure to disable check - developers should instead set the allowed_hosts yml to *.
  • Review existing documentation around SS_ALLOWED_HOSTS

PRs
@GuySartorelli GuySartorelli self-assigned this Feb 12, 2025
@GuySartorelli
Copy link
Member Author

It turns out there's already a way to configure allowed hosts via YAML - I'm not going to modify how that works.

This was referenced Feb 13, 2025
Merged
Merged
@GuySartorelli GuySartorelli removed their assignment Feb 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@emteknetnz emteknetnz

Labels
affects/v5 type/enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@emteknetnz @GuySartorelli