Security: Prevent Host Header Injection attacks by validating HTTP_HOST against a whitelist of allowed hostnames before constructing the baseURL. Changes: - Add getValidHost() method to validate HTTP_HOST against allowedHostnames - If allowedHostnames is empty, log warning and fall back to 'localhost' - If host not in whitelist, log warning and use first allowed hostname - Update .env.example with allowedHostnames documentation - Add security configuration section to INSTALL.md - Add unit tests for host validation This addresses the security advisory where the application constructed baseURL from the attacker-controllable HTTP_HOST header, allowing: - Login form phishing via manipulated form actions - Cache poisoning via poisoned asset URLs Fixes GHSA-jchf-7hr6-h4f3
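#--------------------------------------------------------------------
# ENVIRONMENT
#--------------------------------------------------------------------
# Template environment file (.env.example). Copy it to .env beside the
# application and adjust the values below. The copy holds live
# credentials and keys: keep it out of version control and out of any
# directory the web server publishes.
#
# Runtime mode: production, development or testing. Keep 'production'
# on any host that is reachable over a network so detailed error output
# and debug tooling stay disabled.

CI_ENVIRONMENT = production

#--------------------------------------------------------------------
# SECURITY: ALLOWED HOSTNAMES
#--------------------------------------------------------------------
# IMPORTANT: Whitelist of allowed hostnames to prevent Host Header
# Injection attacks (GHSA-jchf-7hr6-h4f3). The incoming HTTP_HOST header
# is checked against this list before the baseURL is built from it, so a
# forged Host header can no longer end up in form actions or asset URLs.
#
# If the list is empty, the application falls back to 'localhost' and
# logs a warning; links and redirects will then break in production.
# If the request's host is not in the list, the first listed hostname is
# used instead and a warning is logged. Both warnings are only recorded
# when logger.threshold is 5 or higher (see LOGGER below).
#
# Configure this with all domains/subdomains that host your application:
# - Primary domain
# - WWW subdomain (if used)
# - Any alternative domains
# - Behind a reverse proxy: the public hostname that arrives in the
#   Host header at the application, not only the internal name
#
# Examples:
# Single domain:
# app.allowedHostnames.0 = 'example.com'
#
# Multiple domains:
# app.allowedHostnames.0 = 'example.com'
# app.allowedHostnames.1 = 'www.example.com'
# app.allowedHostnames.2 = 'demo.opensourcepos.org'
#
# For localhost development:
# app.allowedHostnames.0 = 'localhost'
#
# Note: Do not include the protocol (http/https) or port number.
# Uncomment the line below and fill in your hostname(s).
#app.allowedHostnames.0 = ''

#--------------------------------------------------------------------
# DATABASE
#--------------------------------------------------------------------
# 'default' is the connection the running application uses.
# The username and password below are placeholders shared by every
# installation that ships with this file: create a dedicated database
# user with a strong, unique password and replace them before the
# application is exposed to a network.

database.default.hostname = 'localhost'
database.default.database = 'ospos'
database.default.username = 'admin'
database.default.password = 'pointofsale'
database.default.DBDriver = 'MySQLi'
database.default.DBPrefix = 'ospos_'

# 'development' connection group. NOTE(review): presumably selected when
# CI_ENVIRONMENT = development - confirm against the application's
# database configuration.
database.development.hostname = 'localhost'
database.development.database = 'ospos'
database.development.username = 'admin'
database.development.password = 'pointofsale'
database.development.DBDriver = 'MySQLi'
database.development.DBPrefix = 'ospos_'

# 'tests' connection group, the one CodeIgniter selects when
# CI_ENVIRONMENT = testing (automated test runs). As shipped it points at
# the same 'ospos' database as 'default'; give it a separate, disposable
# database so a test run can never modify live data.
database.tests.hostname = 'localhost'
database.tests.database = 'ospos'
database.tests.username = 'admin'
database.tests.password = 'pointofsale'
database.tests.DBDriver = 'MySQLi'
database.tests.DBPrefix = 'ospos_'

#--------------------------------------------------------------------
# ENCRYPTION
#--------------------------------------------------------------------
# Key for the framework's encryption service. CodeIgniter refuses to
# encrypt with an empty key, so set a strong random value before
# deployment: `php spark key:generate` writes one here. Treat it as a
# secret and do not commit it; rotating it makes previously encrypted
# data unreadable.

encryption.key = ''

#--------------------------------------------------------------------
# LOGGER
#--------------------------------------------------------------------
# Messages at the configured level and every lower number are written,
# e.g. 5 records emergencies through warnings.
# - 0 = Disables logging, Error logging TURNED OFF
# - 1 = Emergency Messages - System is unusable
# - 2 = Alert Messages - Action Must Be Taken Immediately
# - 3 = Critical Messages - Application component unavailable, unexpected exception.
# - 4 = Runtime Errors - Don't need immediate action, but should be monitored.
# - 5 = Warnings - Exceptional occurrences that are not errors.
# - 6 = Notices - Normal but significant events.
# - 7 = Info - Interesting events, like user logging in, etc.
# - 8 = Debug - Detailed debug information.
# - 9 = All Messages
#--------------------------------------------------------------------
# 0 turns logging off entirely, including the host-validation warnings
# described under SECURITY: ALLOWED HOSTNAMES. A production threshold of
# at least 5 keeps a record of errors and of requests whose Host header
# was rejected.

logger.threshold = 0

# NOTE(review): OSPOS-specific switch, not a CodeIgniter setting; appears
# to toggle database-backed logging - confirm against the application
# code before relying on it.
app.db_log_enabled = false

#--------------------------------------------------------------------
# HONEYPOT
#--------------------------------------------------------------------
# CodeIgniter honeypot filter: a decoy form field that real users never
# see (hidden = true; the container uses display:none) but automated
# submitters tend to fill in. Requests that fill the field are rejected
# by the filter. Whether the filter is active is decided in the
# application's filter configuration, not here.

honeypot.hidden = true
honeypot.label = 'Fill This Field'
honeypot.name = 'honeypot'
honeypot.template = '<label>{label}</label><input type="text" name="{name}" value="">'
honeypot.container = '<div style="display:none">{template}</div>'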