security::validated_host_header (public)

 security::validated_host_header

Defined in packages/acs-tcl/tcl/security-procs.tcl

Returns:
validated host header field or empty
Author:
Gustaf Neumann Protect against faked or invalid host header fields. Host header attacks can lead to web-cache poisoning and password reset attacks (for more details, see e.g. http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html) or to unintended redirects to different sites. The validated host header most be syntactically correct, and it must be either configured/white-listed or it must be from a non-routable IP address. White-listed hosts are taken from the alternate host names specified in the "ns/module/DRIVER/servers" section, or via the configuration variable "hostname" (e.g., "openacs.org www.openacs.org") which is added the the "/server" section during startup.

Partial Call Graph (max 5 caller/called nodes):
%3 util_current_location util_current_location (public) security::validated_host_header security::validated_host_header util_current_location->security::validated_host_header acs::icanuse acs::icanuse (public) security::validated_host_header->acs::icanuse ad_conn ad_conn (public) security::validated_host_header->ad_conn ad_url ad_url (public) security::validated_host_header->ad_url db_0or1row db_0or1row (public) security::validated_host_header->db_0or1row security::configured_driver_info security::configured_driver_info (public) security::validated_host_header->security::configured_driver_info

Testcases:
No testcase defined.
[ show source ]
Show another procedure: