* Fix: Improve allowedHostnames .env configuration and fail-fast in production
Addresses GitHub issue #4480: .env app.allowedHostnames does not work as intended
## Problem
- CodeIgniter 4 cannot override array properties from .env
- Setting app.allowedHostnames.0, app.allowedHostnames.1 did NOT populate the array
- Application always fell back to 'localhost' silently in production
- Host header injection protection was effectively disabled
## Solution
1. Support comma-separated .env values: app.allowedHostnames = 'domain1.com,domain2.com'
2. Fail explicitly in production if not configured (throws RuntimeException)
3. Allow localhost fallback in development/testing with ERROR-level logging
4. Update documentation with clear setup instructions
## Changes
- app/Config/App.php: Parse comma-separated .env values, fail in production
- .env.example: Update format documentation
- INSTALL.md: Add prominent security section
- tests/Config/AppTest.php: Comprehensive tests for new behavior
Fixes#4480
Related: GHSA-jchf-7hr6-h4f3
---------
Co-authored-by: Ollama <ollama@steganos.dev>
Security: Prevent Host Header Injection attacks by validating HTTP_HOST
against a whitelist of allowed hostnames before constructing the baseURL.
Changes:
- Add getValidHost() method to validate HTTP_HOST against allowedHostnames
- If allowedHostnames is empty, log warning and fall back to 'localhost'
- If host not in whitelist, log warning and use first allowed hostname
- Update .env.example with allowedHostnames documentation
- Add security configuration section to INSTALL.md
- Add unit tests for host validation
This addresses the security advisory where the application constructed
baseURL from the attacker-controllable HTTP_HOST header, allowing:
- Login form phishing via manipulated form actions
- Cache poisoning via poisoned asset URLs
Fixes GHSA-jchf-7hr6-h4f3
* Improve code style and PSR-12 compliance
- refactored code formatting to adhere to PSR-12 guidelines
- standardized coding conventions across the codebase
- added missing framework files and reverted markup changes
- reformatted arrays for enhanced readability
- updated language files for consistent styling and clarity
- minor miscellaneous improvements
- Added TODO
- Copied directives from .htaccess to the ContentSecurityPolicy.php config file.
- Left CSPEnabled set to false in App.php because there is currently no CSP3 support in CI4
- Added `img-src blob:` To Content-Security-Policy header to remove error.
Signed-off-by: objecttothis <objecttothis@gmail.com>
- Corrected syntax to allow all 8.x versions of PHP in composer.json
- Bumped CodeIgniter from 4.4.3 to 4.4.5
- Bumped Code from 4.4.3 format to 4.4.4 format
- Added types to config.
- Added formatting to DB_log messages
- Corrected bug referencing non-existent OSPOS config property timezone
- set the date_default_timezone to the php-specified default when timezone is not set in the app rather than 'America/New York'
- Added TODO indicating problem.
- Now if queries run for longer than 0.5 s, a tag will be appended to the log [LONG RUNNING QUERY]
- If app.db_log_only_long is set to true in the .env file, the db log will only show long running queries.
- Bump composer.json/lock to codeigniter 4.4.3
- Fix base_url() call without arguments
- Updated files in the project space
- Bump composer.json/lock to kint 5.0.4
- Update composer.json to include missing CI elements
- Corrected composer.json regarding minimum versions
- Updated README.md to reflect CI4 implementation
- Migrated some Routes.php to Routing.php
- Removed deprecated settings from Config/App.php
