Add host header validation

This commit is contained in:
James Cole
2024-02-17 08:18:49 +01:00
parent b37b5b86d4
commit 997dc3814b
3 changed files with 23 additions and 11 deletions


@@ -68,6 +68,9 @@ class ForgotPasswordController extends Controller
return view('error', compact('message'));
}
// validate host header.
$this->validateHost();
$this->validateEmail($request);
// verify if the user is not a demo user. If so, we give him back an error.
@@ -118,4 +121,19 @@ class ForgotPasswordController extends Controller
return view('auth.passwords.email')->with(compact('allowRegistration', 'pageTitle'));
}
/**
* @return void
* @throws FireflyException
*/
private function validateHost(): void {
$configuredHost = parse_url((string)config('app.url'), PHP_URL_HOST);
if(false === $configuredHost || null === $configuredHost) {
throw new FireflyException('Please set a valid and correct Firefly III URL in the APP_URL environment variable.');
}
$host = request()->host();
if($configuredHost !== $host) {
throw new FireflyException('The Host-header does not match the host in the APP_URL environment variable. Please make sure these match. See also: https://bit.ly/FF3-host-header');
}
}
}
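Review bot: The comparison on the `if($configuredHost !== $host)` line is case-sensitive on the APP_URL side, while hostnames are case-insensitive and the framework's request()->host() — as far as I recall — already lowercases the Host header, so an APP_URL containing uppercase letters would reject every password-reset request; normalising once after the false/null guard, `$configuredHost = strtolower($configuredHost);`, closes that gap. Behind a reverse proxy the value returned by request()->host() depends on the trusted-proxy configuration, so the method docblock should say what a mismatch means for operators, e.g. `Rejects the request unless the Host header matches the host part of APP_URL; behind a proxy, X-Forwarded-Host is only honoured when the proxy is trusted.` On style, `if(` should be `if (` on both guards, the method's opening brace belongs on its own line per PSR-12, and the `@return void` tag only repeats the native return type.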


@@ -80,6 +80,8 @@ class ResetPasswordController extends Controller
return view('error', compact('message'));
}
$rules = [
'token' => 'required',
'email' => 'required|email',
@@ -90,7 +92,7 @@ class ResetPasswordController extends Controller
// Here we will attempt to reset the user's password. If it is successful we
// will update the password on an actual user model and persist it to the
// database. Otherwise we will parse the error and return the response.
// database. Otherwise, we will parse the error and return the response.
$response = $this->broker()->reset(
$this->credentials($request),
function ($user, $password): void {