Piwik config should contain a list of valid hosts (where the Piwik server resides) to either validate $_SERVER['HTTP_HOST'], or use in place of, when generating absolute URLs.
maybe we should do like Wordpress and require users to specify the piwik URL and never rely on HTTP_HOST ?
It's quite less user friendly to do so, but maybe useful?
Sure, we can make it configureable.
We can also set it initially using the URL at the time of installation, and/or the first website's URL.
(In ) refs #3080 - backend implementation of trusted_hosts validation; need front-end UI for runtime configuration
Well done vipsoft, excellent improvement! :)
Is there any other work appart from updating FAQ, to do before closing the ticket?
Is there any other work appart from updating FAQ?
(In ) Refs #3080
Specification for fixing this issue nicely:
Anytime in Piwik reports or admin
After the installation when using Piwik, when the Host is different from recorded PiwiK URL, display a yellow warning, that warns users about possible Host hijack, and link to edit the hostname (to make migration still easy for users).
You are now accessing Piwik from http://injected-host/path/piwik, but Piwik has been configured to run this address: <a>http://valid-host/path/piwik</a>.
(if user is super user) Piwik may be misconfigured (for example, if Piwik was recently migrated to a new server or URL). You can either Use $injected-host as the valid Piwik hostname, or go to $valid-host to access Piwik safely.
(if not super user) <a>Click to http://valid-host/path/piwik</a> to access Piwik safely and remove this warning. You may also contact your Piwik administrator and notify them about this warning (<a href="mailto:superuser@host?subject=Piwik Hostname Message at this URL URL: click">http://$injected-host/path/piwik">click here to email</a>).
New simple Admin UI
Allows Super user only to view & change valid Piwik hostname.
; List of trusted hosts (eg domain or subdomain names) when generating absolute URLs. ; ; Examples: ;trusted_hosts = example.com ;trusted_hosts = stats.example.com
add an installation test that curl's to http://127.0.0.1/piwik-path/some-static-resource
See also #3220
Increasing priority since it has security implications and will improve general safety.
I updated the spec at #3080
This is high priority for 1.9.1 Must do :)
(In ) Refs #3080, added trusted host admin UI, display warning in login, normal & admin screens if hostname is not trusted, and make sure password reset is not possible if hostname is not trusted.
My last commit does everything necessary for this ticket, only thing left is the FAQ entry and Learn more link. However, I added a description to the Trusted Hosts admin section, so maybe it's not needed anymore?
(In ) Fixes #3080, add config option to disable trusted_hosts check, tweak many translations, modify UI to display one input w/ a label if only one trusted host is set (or if there's an injected host), set trusted host to Host if no stored trusted hosts and user is superuser, and don't use regex to check host.
(In ) Refs #3080, get tests to pass and use previous regex code (w/ escaping) instead of forloop.
(In ) Refs #3080, fix regression in install process.
(In ) Refs #3080