Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EnsureFrontendRequestsAreStateful::fromFrontend() does not extract host from referer #150

Closed
plai2010 opened this issue Jun 3, 2020 · 2 comments · Fixed by #155
Closed

EnsureFrontendRequestsAreStateful::fromFrontend() does not extract host from referer #150

plai2010 opened this issue Jun 3, 2020 · 2 comments · Fixed by #155
Assignees
@taylorotwell
Labels
bug

Comments

@plai2010
Copy link

plai2010 commented Jun 3, 2020

  • Sanctum Version: 2.3.3
  • Laravel Version: 7.13.0
  • PHP Version: 7.2.24
  • Database Driver & Version:

Description:

The 'sanctum.stateful' configuration (by default SANCTUM_STATEFUL_DOMAINS in .env) specifies a list of hosts/domains. However, EnsureFrontendRequestsAreStateful::fromFrontend() uses HTTP referer with "http://" and "https://" removed to match against the list. This can yield incorrect result.

Steps To Reproduce:

False positive:

  1. Set SANCTUM_STATEFUL_DOMAINS="example.com".
  2. Access from "example.com.jp"; fromFrontend() accepts that.

False negative:

  1. Set SANCTUM_STATEFUL_DOMAINS="*.example.com".
  2. Access with HTTP referer "http://foobar.example.com/"; fromFrontend() rejects that (note ending '/' in referer).
@driesvints driesvints added the bug label Jun 4, 2020
@driesvints
Copy link
Member

That indeed seems problematic.

Ping @taylorotwell

@RahulDey12 RahulDey12 mentioned this issue Jun 7, 2020
Merged
@RahulDey12
Copy link
Contributor

I've added a PR regarding this problem

@RahulDey12 RahulDey12 mentioned this issue Jun 10, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@taylorotwell taylorotwell

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[2.x] Fixed Host Problem
4 participants
@taylorotwell @driesvints @plai2010 @RahulDey12