public static function DomainRedirectResponse::checkTrustedHost in Domain Access 8
Checks that a host is registered with trusted_host_patterns.
This method is cribbed from Symfony's Request::getHost() method.
Parameters
string $host: The hostname to check.
Return value
bool TRUE if the hostname matches the trusted_host_patterns. FALSE otherwise. It is the caller's responsibility to deal with this result securely.
3 calls to DomainRedirectResponse::checkTrustedHost()
- DomainRedirectResponse::externalIsRegistered in domain/src/DomainRedirectResponse.php - Determines if an external URL points to this domain-aware installation.
- DomainSubscriber::onKernelRequestDomain in domain/src/EventSubscriber/DomainSubscriber.php - Sets the domain context of the request.
- domain_source_form_submit in domain_source/domain_source.module - Redirect form submissions to other domains.
File
- domain/src/DomainRedirectResponse.php, line 144
Class
- DomainRedirectResponse
- A redirect response which understands domain URLs are local to the install.
Namespace
Drupal\domain
Code
public static function checkTrustedHost($host) {
  // See Request::setTrustedHosts();
  if (!isset(self::$trustedHostPatterns)) {
    self::$trustedHostPatterns = array_map(function ($hostPattern) {
      return sprintf('#%s#i', $hostPattern);
    }, Settings::get('trusted_host_patterns', []));
    // Reset the trusted host match array.
    self::$trustedHosts = [];
  }
  // Trim and remove port number from host. Host is lowercase as per RFC
  // 952/2181.
  $host = mb_strtolower(preg_replace('/:\\d+$/', '', trim($host)));
  // In the original Symfony code, hostname validation runs here. We have
  // removed that portion because Domains are already validated on creation.
  if (count(self::$trustedHostPatterns) > 0) {
    // To avoid host header injection attacks, you should provide a list of
    // trusted host patterns.
    if (in_array($host, self::$trustedHosts)) {
      return TRUE;
    }
    foreach (self::$trustedHostPatterns as $pattern) {
      if (preg_match($pattern, $host)) {
        self::$trustedHosts[] = $host;
        return TRUE;
      }
    }
    return FALSE;
  }
  // In cases where trusted_host_patterns are not set, allow all. This is
  // flagged as a security issue by Drupal core in the Reports UI.
  return TRUE;
}
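The method wraps each trusted_host_patterns entry as #pattern#i without adding anchors, so what a pattern accepts depends entirely on how it is written in settings.php. The following is an added example, not code from the Domain Access module: a stand-alone PHP script that repeats the same matching steps and adds a hypothetical audit_pattern() helper, run over constructed patterns and hostnames. It assumes the mbstring extension is available.

```php
<?php
// Added example; not Domain Access code. Patterns and hosts are constructed.

// Same steps as checkTrustedHost(), minus the static cache and Settings.
function host_is_trusted(string $host, array $patterns): bool {
  $host = mb_strtolower(preg_replace('/:\d+$/', '', trim($host)));
  if (count($patterns) === 0) {
    return TRUE; // No patterns configured: every host is allowed.
  }
  foreach ($patterns as $pattern) {
    if (preg_match(sprintf('#%s#i', $pattern), $host)) {
      return TRUE;
    }
  }
  return FALSE;
}

// Hypothetical helper: heuristic check that a pattern is anchored at both ends.
function audit_pattern(string $pattern): array {
  $problems = [];
  if (substr($pattern, 0, 1) !== '^') {
    $problems[] = 'missing ^ anchor';
  }
  if (substr($pattern, -1) !== '$') {
    $problems[] = 'missing $ anchor';
  }
  return $problems;
}

$hosts = ['example.com', 'EXAMPLE.com:8080', 'www.example.com',
  'example.com.other.test', 'notexample.com'];
$configs = [
  'unanchored' => ['example\.com'],
  'anchored' => ['^example\.com$', '^.+\.example\.com$'],
  'not set' => [],
];
foreach ($configs as $label => $patterns) {
  echo "== trusted_host_patterns: $label ==\n";
  foreach ($patterns as $p) {
    $problems = audit_pattern($p);
    echo "  pattern $p: ", $problems ? implode(', ', $problems) : 'ok', "\n";
  }
  foreach ($hosts as $h) {
    $verdict = host_is_trusted($h, $patterns) ? 'trusted' : 'rejected';
    echo '  ', str_pad($h, 26), $verdict, "\n";
  }
}
```

With the unanchored pattern all five constructed hosts are reported as trusted, including example.com.other.test and notexample.com; with the anchored pair only the first three are, and with no patterns set every host passes.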