
D4680.1775367429.diff

Authored By
Unknown
Size
2 KB

D4680.1775367429.diff

diff --git a/src/app/Http/Kernel.php b/src/app/Http/Kernel.php
--- a/src/app/Http/Kernel.php
+++ b/src/app/Http/Kernel.php
@@ -71,6 +71,7 @@
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'scopes' => \Laravel\Passport\Http\Middleware\CheckScopes::class,
'scope' => \Laravel\Passport\Http\Middleware\CheckForAnyScope::class,
+ 'allowedHosts' => \App\Http\Middleware\AllowedHosts::class,
];
/**
diff --git a/src/app/Http/Middleware/AllowedHosts.php b/src/app/Http/Middleware/AllowedHosts.php
new file mode 100644
--- /dev/null
+++ b/src/app/Http/Middleware/AllowedHosts.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class AllowedHosts
+{
+ /**
+ * Handle an incoming request.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @param \Closure $next
+ * @param array|string $hosts
+ *
+ * @return mixed
+ */
+ public function handle($request, Closure $next)
+ {
+ $allowedDomains = \config('app.services_allowed_domains');
+ if (!in_array(request()->getHost(), $allowedDomains)) {
+ return abort(404);
+ }
+ return $next($request);
+ }
+}
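Review bot: The check in `handle()` reads the host through the global `request()` helper and calls `in_array` without the strict flag; `if (!in_array($request->getHost(), $allowedDomains, true)) {` keeps the test on the request actually passed through the pipeline and avoids loose comparison. The docblock documents a `$hosts` parameter that the signature does not have, so that `@param` line should be dropped. `getHost()` returns the client-supplied Host header (or a forwarded host when proxies are trusted), so this allow-list only limits which name the routes answer on and is not authentication. A class comment such as `// Host allow-list only; relies on the fronting proxy to control the Host value, not a substitute for authenticating callers.` would make that explicit.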
diff --git a/src/config/app.php b/src/config/app.php
--- a/src/config/app.php
+++ b/src/config/app.php
@@ -85,10 +85,17 @@
'website_domain' => env('APP_WEBSITE_DOMAIN', env('APP_DOMAIN', 'domain.tld')),
- 'services_domain' => env(
- 'APP_SERVICES_DOMAIN',
- "services." . env('APP_WEBSITE_DOMAIN', env('APP_DOMAIN', 'domain.tld'))
- ),
+ // Restrict over which domains the services paths can be accessed.
+ 'services_allowed_domains' => explode(',', env(
+ 'APP_SERVICES_ALLOWED_DOMAINS',
+ "webapp,kolab," . env(
+ 'APP_SERVICES_DOMAIN',
+ "services." . env(
+ 'APP_WEBSITE_DOMAIN',
+ env('APP_DOMAIN', 'domain.tld')
+ )
+ )
+ )),
/*
|--------------------------------------------------------------------------
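Review bot: The new `services_allowed_domains` entry uses the raw result of `explode(',', ...)`, so a value like `APP_SERVICES_ALLOWED_DOMAINS="a.example, b.example"` yields an entry with a leading space that never matches, and the affected host gets a 404 with no hint why. Wrapping it as `array_filter(array_map('trim', explode(',', env(...))))` would normalise the list. The default also admits the bare names `webapp` and `kolab`; the existing comment could say what these are (presumably internal service names) so operators know whether to keep them when overriding. The `services_domain` key is removed here, and any reader of `config('app.services_domain')` outside this diff would now get null. The surrounding config array starts and ends outside the hunk.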
diff --git a/src/routes/api.php b/src/routes/api.php
--- a/src/routes/api.php
+++ b/src/routes/api.php
@@ -207,7 +207,7 @@
if (\config('app.with_services')) {
Route::group(
[
- 'domain' => \config('app.services_domain'),
+ 'middleware' => ['allowedHosts'],
'prefix' => 'webhooks'
],
function () {
