mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-04-16 21:08:59 -04:00
* Fix: Improve allowedHostnames .env configuration and fail-fast in production

Addresses GitHub issue #4480: .env app.allowedHostnames does not work as intended

## Problem
- CodeIgniter 4 cannot override array properties from .env
- Setting app.allowedHostnames.0, app.allowedHostnames.1 did NOT populate the array
- Application always fell back to 'localhost' silently in production
- Host header injection protection was effectively disabled

## Solution
1. Support comma-separated .env values: app.allowedHostnames = 'domain1.com,domain2.com'
2. Fail explicitly in production if not configured (throws RuntimeException)
3. Allow localhost fallback in development/testing with ERROR-level logging
4. Update documentation with clear setup instructions

## Changes
- app/Config/App.php: Parse comma-separated .env values, fail in production
- .env.example: Update format documentation
- INSTALL.md: Add prominent security section
- tests/Config/AppTest.php: Comprehensive tests for new behavior

Fixes #4480
Related: GHSA-jchf-7hr6-h4f3

---------

Co-authored-by: Ollama <ollama@steganos.dev>
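
The parsing and fail-fast behaviour the commit message describes, sketched as an added example; it is not the project's code from app/Config/App.php. The function name `resolveAllowedHostnames`, its parameters and the message wording are assumptions, and `error_log` stands in for the framework's ERROR-level logging.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not the project's code): turn the comma-separated
 * app.allowedHostnames value from .env into a list of hostnames.
 *
 * @param string|null $raw         Raw .env value, or null when the key is absent.
 * @param string      $environment 'production', 'development' or 'testing'.
 * @return string[]
 */
function resolveAllowedHostnames(?string $raw, string $environment): array
{
    // Split on commas, trim whitespace, drop empty entries ("a.com,,b.com ").
    $hosts = array_values(array_filter(
        array_map('trim', explode(',', $raw ?? '')),
        static fn (string $h): bool => $h !== ''
    ));

    if ($hosts !== []) {
        return $hosts;
    }

    // Nothing configured: refuse to start in production instead of
    // silently trusting 'localhost'.
    if ($environment === 'production') {
        throw new RuntimeException(
            'app.allowedHostnames is not set; refusing to start in production.'
        );
    }

    // Development/testing: fall back, but make the gap visible in the log.
    error_log('ERROR: app.allowedHostnames is not set; falling back to localhost.');
    return ['localhost'];
}

// Constructed sample inputs.
var_dump(resolveAllowedHostnames('domain1.com, domain2.com', 'production'));
var_dump(resolveAllowedHostnames(null, 'development'));

try {
    resolveAllowedHostnames('', 'production');
} catch (RuntimeException $e) {
    echo 'Startup aborted: ', $e->getMessage(), PHP_EOL;
}
```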