Security: Prevent Host Header Injection attacks by validating HTTP_HOST
against a whitelist of allowed hostnames before constructing the baseURL.
Changes:
- Add getValidHost() method to validate HTTP_HOST against allowedHostnames
- If allowedHostnames is empty, log warning and fall back to 'localhost'
- If host not in whitelist, log warning and use first allowed hostname
- Update .env.example with allowedHostnames documentation
- Add security configuration section to INSTALL.md
- Add unit tests for host validation
This addresses the security advisory where the application constructed
baseURL from the attacker-controllable HTTP_HOST header, allowing:
- Login form phishing via manipulated form actions
- Cache poisoning via poisoned asset URLs
Fixes GHSA-jchf-7hr6-h4f3
* Improve code style and PSR-12 compliance
- refactored code formatting to adhere to PSR-12 guidelines
- standardized coding conventions across the codebase
- added missing framework files and reverted markup changes
- reformatted arrays for enhanced readability
- updated language files for consistent styling and clarity
- minor miscellaneous improvements
- Added TODO
- Copied directives from .htaccess to the ContentSecurityPolicy.php config file.
- Left CSPEnabled set to false in App.php because there is currently no CSP3 support in CI4
- Added `img-src blob:` To Content-Security-Policy header to remove error.
Signed-off-by: objecttothis <objecttothis@gmail.com>
- Corrected syntax to allow all 8.x versions of PHP in composer.json
- Bumped CodeIgniter from 4.4.3 to 4.4.5
- Bumped Code from 4.4.3 format to 4.4.4 format
- Added types to config.
- Added formatting to DB_log messages
- Corrected bug referencing non-existent OSPOS config property timezone
- set the date_default_timezone to the php-specified default when timezone is not set in the app rather than 'America/New York'
- Added TODO indicating problem.
- Now if queries run for longer than 0.5 s, a tag will be appended to the log [LONG RUNNING QUERY]
- If app.db_log_only_long is set to true in the .env file, the db log will only show long running queries.
- Bump composer.json/lock to codeigniter 4.4.3
- Fix base_url() call without arguments
- Updated files in the project space
- Bump composer.json/lock to kint 5.0.4
- Update composer.json to include missing CI elements
- Corrected composer.json regarding minimum versions
- Updated README.md to reflect CI4 implementation
- Migrated some Routes.php to Routing.php
- Removed deprecated settings from Config/App.php
