mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-03-25 18:32:17 -04:00
Security: Prevent Host Header Injection attacks by validating HTTP_HOST against a whitelist of allowed hostnames before constructing the baseURL.

Changes:
- Add getValidHost() method to validate HTTP_HOST against allowedHostnames
- If allowedHostnames is empty, log warning and fall back to 'localhost'
- If host not in whitelist, log warning and use first allowed hostname
- Update .env.example with allowedHostnames documentation
- Add security configuration section to INSTALL.md
- Add unit tests for host validation

This addresses the security advisory where the application constructed baseURL from the attacker-controllable HTTP_HOST header, allowing:
- Login form phishing via manipulated form actions
- Cache poisoning via poisoned asset URLs

Fixes GHSA-jchf-7hr6-h4f3
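
The fallback rules listed in the commit message, sketched as a stand-alone PHP function with a few constructed Host values run through it. This is an added example, not code from the opensourcepos repository: `pickValidHost()`, the exact case-insensitive matching (a port must be listed explicitly) and the sample hostnames are assumptions.

```php
<?php
// Added illustration. pickValidHost() is a hypothetical name, not the
// project's getValidHost(); matching rules here are assumptions.

/**
 * Return a hostname that is safe to embed in a base URL.
 *
 * @param string|null $rawHost value of $_SERVER['HTTP_HOST'] (client-controlled)
 * @param string[]    $allowed configured allow-list of hostnames
 */
function pickValidHost(?string $rawHost, array $allowed): string
{
    // Normalise the allow-list: trim, lowercase, drop empty entries, reindex.
    $allowed = array_values(array_filter(
        array_map(static fn ($h) => strtolower(trim((string) $h)), $allowed),
        static fn ($h) => $h !== ''
    ));

    // Rule 1: nothing configured, so never trust the header at all.
    if ($allowed === []) {
        error_log('allowedHostnames is empty; falling back to localhost');
        return 'localhost';
    }

    $host = strtolower(trim((string) $rawHost));

    // Rule 2: exact match only. Suffix or substring matching would let
    // "pos.example.com.attacker.test" through.
    if ($host !== '' && in_array($host, $allowed, true)) {
        return $host;
    }

    // Rule 3: reject and use the first allowed hostname. The header value is
    // length-capped and percent-encoded so it cannot inject log lines.
    error_log('Rejected Host header: ' . rawurlencode(substr((string) $rawHost, 0, 255)));
    return $allowed[0];
}

// Constructed sample values, including a header carrying CR/LF.
$allowed = ['pos.example.com', 'pos.example.com:8443'];
$samples = ['pos.example.com', 'POS.Example.com:8443', 'evil.example.net',
            "pos.example.com\r\nX-Injected: 1", null];

foreach ($samples as $h) {
    echo 'https://' . pickValidHost($h, $allowed) . "/\n";
}
echo 'https://' . pickValidHost('pos.example.com', []) . "/\n"; // empty allow-list
```

Only the first two samples keep their own hostname; every other value, and any value when the allow-list is empty, resolves to a configured or fixed host, so form actions and asset URLs built from the result cannot point at an attacker's domain.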