Kezdőlap Felfedezés Súgó
Bejelentkezés
lewaimai
/
YII2.0
Figyelés 1
Kedvenc 0
Másolás 0
Fájlok Problémák 0 Beolvasztási kérések 0 Wiki
Fa: f3ea021007
Branch-ok Tag-ek
YII2.0
/
framework
/
filters
/
HostControl.php

HostControl.php 5.7 KB
Előzmények Nyers

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185 
  1. <?php
    2. 

  2. /**
    3. 

  3.  * @link http://www.yiiframework.com/
    4. 

  4.  * @copyright Copyright (c) 2008 Yii Software LLC
    5. 

  5.  * @license http://www.yiiframework.com/license/
    6. 

  6.  */
    7. 

  7. 

  8. namespace yii\filters;
    9. 

  9. 

  10. use Yii;
    11. 

  11. use yii\base\ActionFilter;
    12. 

  12. use yii\helpers\StringHelper;
    13. 

  13. use yii\web\NotFoundHttpException;
    14. 

  14. 

  15. /**
    16. 

  16.  * HostControl provides simple control over requested host name.
    17. 

  17.  *
    18. 

  18.  * This filter provides protection against ['host header' attacks](https://www.acunetix.com/vulnerabilities/web/host-header-attack),
    19. 

  19.  * allowing action execution only for specified host names.
    20. 

  20.  *
    21. 

  21.  * Application configuration example:
    22. 

  22.  *
    23. 

  23.  * ```php
    24. 

  24.  * return [
    25. 

  25.  *     'as hostControl' => [
    26. 

  26.  *         'class' => 'yii\filters\HostControl',
    27. 

  27.  *         'allowedHosts' => [
    28. 

  28.  *             'example.com',
    29. 

  29.  *             '*.example.com',
    30. 

  30.  *         ],
    31. 

  31.  *     ],
    32. 

  32.  *     // ...
    33. 

  33.  * ];
    34. 

  34.  * ```
    35. 

  35.  *
    36. 

  36.  * Controller configuration example:
    37. 

  37.  *
    38. 

  38.  * ```php
    39. 

  39.  * use yii\web\Controller;
    40. 

  40.  * use yii\filters\HostControl;
    41. 

  41.  *
    42. 

  42.  * class SiteController extends Controller
    43. 

  43.  * {
    44. 

  44.  *     public function behaviors()
    45. 

  45.  *     {
    46. 

  46.  *         return [
    47. 

  47.  *             'hostControl' => [
    48. 

  48.  *                 'class' => HostControl::className(),
    49. 

  49.  *                 'allowedHosts' => [
    50. 

  50.  *                     'example.com',
    51. 

  51.  *                     '*.example.com',
    52. 

  52.  *                 ],
    53. 

  53.  *             ],
    54. 

  54.  *         ];
    55. 

  55.  *     }
    56. 

  56.  *
    57. 

  57.  *     // ...
    58. 

  58.  * }
    59. 

  59.  * ```
    60. 

  60.  *
    61. 

  61.  * > Note: the best way to restrict allowed host names is usage of the web server 'virtual hosts' configuration.
    62. 

  62.  * This filter should be used only if this configuration is not available or compromised.
    63. 

  63.  *
    64. 

  64.  * @author Paul Klimov <klimov.paul@gmail.com>
    65. 

  65.  * @since 2.0.11
    66. 

  66.  */
    67. 

  67. class HostControl extends ActionFilter
    68. 

  68. {
    69. 

  69.     /**
    70. 

  70.      * @var array|\Closure|null list of host names, which are allowed.
    71. 

  71.      * Each host can be specified as a wildcard pattern. For example:
    72. 

  72.      *
    73. 

  73.      * ```php
    74. 

  74.      * [
    75. 

  75.      *     'example.com',
    76. 

  76.      *     '*.example.com',
    77. 

  77.      * ]
    78. 

  78.      * ```
    79. 

  79.      *
    80. 

  80.      * This field can be specified as a PHP callback of following signature:
    81. 

  81.      *
    82. 

  82.      * ```php
    83. 

  83.      * function (\yii\base\Action $action) {
    84. 

  84.      *     //return array of strings
    85. 

  85.      * }
    86. 

  86.      * ```
    87. 

  87.      *
    88. 

  88.      * where `$action` is the current [[\yii\base\Action|action]] object.
    89. 

  89.      *
    90. 

  90.      * If this field is not set - no host name check will be performed.
    91. 

  91.      */
    92. 

  92.     public $allowedHosts;
    93. 

  93.     /**
    94. 

  94.      * @var callable a callback that will be called if the current host does not match [[allowedHosts]].
    95. 

  95.      * If not set, [[denyAccess()]] will be called.
    96. 

  96.      *
    97. 

  97.      * The signature of the callback should be as follows:
    98. 

  98.      *
    99. 

  99.      * ```php
    100. 

  100.      * function (\yii\base\Action $action)
    101. 

  101.      * ```
    102. 

  102.      *
    103. 

  103.      * where `$action` is the current [[\yii\base\Action|action]] object.
    104. 

  104.      *
    105. 

  105.      * > Note: while implementing your own host deny processing, make sure you avoid usage of the current requested
    106. 

  106.      * host name, creation of absolute URL links, caching page parts and so on.
    107. 

  107.      */
    108. 

  108.     public $denyCallback;
    109. 

  109.     /**
    110. 

  110.      * @var string|null fallback host info (e.g. `http://www.yiiframework.com`) used when [[\yii\web\Request::$hostInfo|Request::$hostInfo]] is invalid.
    111. 

  111.      * This value will replace [[\yii\web\Request::$hostInfo|Request::$hostInfo]] before [[$denyCallback]] is called to make sure that
    112. 

  112.      * an invalid host will not be used for further processing. You can set it to `null` to leave [[\yii\web\Request::$hostInfo|Request::$hostInfo]] untouched.
    113. 

  113.      * Default value is empty string (this will result creating relative URLs instead of absolute).
    114. 

  114.      * @see \yii\web\Request::getHostInfo()
    115. 

  115.      */
    116. 

  116.     public $fallbackHostInfo = '';
    117. 

  117. 

  118. 

  119.     /**
    120. 

  120.      * {@inheritdoc}
    121. 

  121.      */
    122. 

  122.     public function beforeAction($action)
    123. 

  123.     {
    124. 

  124.         $allowedHosts = $this->allowedHosts;
    125. 

  125.         if ($allowedHosts instanceof \Closure) {
    126. 

  126.             $allowedHosts = call_user_func($allowedHosts, $action);
    127. 

  127.         }
    128. 

  128.         if ($allowedHosts === null) {
    129. 

  129.             return true;
    130. 

  130.         }
    131. 

  131. 

  132.         if (!is_array($allowedHosts) && !$allowedHosts instanceof \Traversable) {
    133. 

  133.             $allowedHosts = (array) $allowedHosts;
    134. 

  134.         }
    135. 

  135. 

  136.         $currentHost = Yii::$app->getRequest()->getHostName();
    137. 

  137. 

  138.         foreach ($allowedHosts as $allowedHost) {
    139. 

  139.             if (StringHelper::matchWildcard($allowedHost, $currentHost)) {
    140. 

  140.                 return true;
    141. 

  141.             }
    142. 

  142.         }
    143. 

  143. 

  144.         // replace invalid host info to prevent using it in further processing
    145. 

  145.         if ($this->fallbackHostInfo !== null) {
    146. 

  146.             Yii::$app->getRequest()->setHostInfo($this->fallbackHostInfo);
    147. 

  147.         }
    148. 

  148. 

  149.         if ($this->denyCallback !== null) {
    150. 

  150.             call_user_func($this->denyCallback, $action);
    151. 

  151.         } else {
    152. 

  152.             $this->denyAccess($action);
    153. 

  153.         }
    154. 

  154. 

  155.         return false;
    156. 

  156.     }
    157. 

  157. 

  158.     /**
    159. 

  159.      * Denies the access.
    160. 

  160.      * The default implementation will display 404 page right away, terminating the program execution.
    161. 

  161.      * You may override this method, creating your own deny access handler. While doing so, make sure you
    162. 

  162.      * avoid usage of the current requested host name, creation of absolute URL links, caching page parts and so on.
    163. 

  163.      * @param \yii\base\Action $action the action to be executed.
    164. 

  164.      * @throws NotFoundHttpException
    165. 

  165.      */
    166. 

  166.     protected function denyAccess($action)
    167. 

  167.     {
    168. 

  168.         $exception = new NotFoundHttpException(Yii::t('yii', 'Page not found.'));
    169. 

  169. 

  170.         // use regular error handling if $this->fallbackHostInfo was set
    171. 

  171.         if (!empty(Yii::$app->getRequest()->hostName)) {
    172. 

  172.             throw $exception;
    173. 

  173.         }
    174. 

  174. 

  175.         $response = Yii::$app->getResponse();
    176. 

  176.         $errorHandler = Yii::$app->getErrorHandler();
    177. 

  177. 

  178.         $response->setStatusCode($exception->statusCode, $exception->getMessage());
    179. 

  179.         $response->data = $errorHandler->renderFile($errorHandler->errorView, ['exception' => $exception]);
    180. 

  180.         $response->send();
    181. 

  181. 

  182.         Yii::$app->end();
    183. 

  183.     }
    184. 

  184. }
    185. 

  185.