What many application developers do not realize is that the HTTP Host header is controlled by the user. In application security, user input should always be considered unsafe and, therefore, never trusted without properly validating it first.

Created on 23 July 2024, 4 months ago


Comments & Activities

  • Issue created by @vivek_tiwari
  • Status changed to Postponed: needs info 4 months ago
  • Thanks for that information. The PHP module doesn't exist in Drupal Core since version 8. As there doesn't seem to be anything actionable here, I am postponing this. If this is about adding some developer documentation you will have to explain that.

    Report security bugs → in the proper place, which is not here.

  • 🇦🇺 Australia larowlan 🇦🇺 .au GMT+10

    The trusted hosts setting in settings.php allow-lists valid hosts
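As an added illustration (this is example code written for this page, not Drupal core code and not code from this issue), the block below shows what that allow-list looks like in settings.php and then reimplements the matching step in a standalone function so the behaviour can be seen on sample Host values. The hostnames in the patterns and the sample requests are assumptions chosen for the example; `is_trusted_host()` is a hypothetical helper that mirrors the idea of the core check (port stripped, case-insensitive, anchored regex match), not the function Drupal itself calls.

```php
<?php
// Added example: Drupal-style trusted host allow-list and a standalone
// re-implementation of the matching step. Not Drupal core code.

// Part 1: what goes into settings.php. Patterns are regular expressions,
// so anchor them (^ ... $) and escape dots; hostnames here are assumptions.
$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
  '^example\.com$',
];

// Part 2: hypothetical helper that applies the allow-list the way the
// core check does conceptually: normalise the raw Host header, reject
// syntactically invalid values, then require at least one pattern to match.
function is_trusted_host(string $rawHost, array $patterns): bool {
  // Drop an optional :port suffix and lowercase the name.
  $host = strtolower(preg_replace('/:\d+$/', '', trim($rawHost)));

  // A hostname is only letters, digits, hyphens and dots; anything else
  // (spaces, slashes, @, quotes) is rejected before matching.
  if ($host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) {
    return false;
  }

  foreach ($patterns as $pattern) {
    // Same delimiter/flag shape as the core check: case-insensitive regex.
    if (preg_match('{' . $pattern . '}i', $host)) {
      return true;
    }
  }
  return false;
}

// Constructed sample Host header values, as an attacker-controlled header
// would arrive at the application.
$samples = [
  'www.example.com',
  'WWW.EXAMPLE.COM:443',
  'example.com',
  'evil.example.com',            // subdomain not in the list
  'www.example.com.attacker.net', // allow-listed name as a prefix only
  'attacker.net',
  'example.com@attacker.net',     // invalid characters
];

foreach ($samples as $sample) {
  $verdict = is_trusted_host($sample, $settings['trusted_host_patterns']) ? 'trusted' : 'REJECTED';
  printf("%-32s %s\n", $sample, $verdict);
}
```

Run it with `php example.php`: the first three samples are accepted and the rest are rejected. The point of the anchored patterns is visible in the fourth and fifth lines: an unanchored `example\.com` would have matched the subdomain and the prefix case too. In a real Drupal site the matching is done during request bootstrap, and a request whose Host header matches no pattern is answered with a 400 response before any page code that might build links from the host runs.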

  • 🇳🇿 New Zealand quietone

    Changes are made on 11.x (our main development branch) first, and are then backported as needed according to our policies.

  • Status changed to Closed: works as designed about 1 month ago
  • 🇳🇿 New Zealand quietone

    Like #2, I do not see anything actionable here and there has been no further comment about that. And, since we have a response from a security team member, I am going to close this issue.
