Fix HTTP_HOST and SERVER_NAME Security Issues.

Jazz-Man · May 18, 2020 · b358005 · b358005
1 parent a3c432e
commit b358005
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/config/application.php b/config/application.php
@@ -120,6 +120,26 @@
     $_SERVER['HTTPS'] = 'on';
 }
 
+/**
+ * HTTP_HOST and SERVER_NAME Security Issues.
+ *
+ * @see https://expressionengine.com/blog/http-host-and-server-name-security-issues
+ */
+$server_host = (string) $_SERVER['HTTP_HOST'];
+
+$_SERVER['HTTP_HOST'] = $current_server['host'] !== $server_host ? $current_server['host'] : $server_host;
+
+$cookies_hash = md5($current_server['host']);
+$cookies_prefix = str_replace(['.', ':'], '_', $current_server['host']);
+
+Config::define('COOKIEHASH', $cookies_hash);
+Config::define('TEST_COOKIE', "{$cookies_prefix}_testcookie");
+Config::define('AUTH_COOKIE', "{$cookies_prefix}_auth_{$cookies_hash}");
+Config::define('USER_COOKIE', "{$cookies_prefix}_user_{$cookies_hash}");
+Config::define('PASS_COOKIE', "{$cookies_prefix}_pass_{$cookies_hash}");
+Config::define('SECURE_AUTH_COOKIE', "{$cookies_prefix}_sec_{$cookies_hash}");
+Config::define('LOGGED_IN_COOKIE', "{$cookies_prefix}_logged_in_{$cookies_hash}");
+
 
 
 $env_config = __DIR__ . '/environments/' . WP_ENV . '.php';