D4680.1775457420.diff
diff --git a/src/app/Http/Kernel.php b/src/app/Http/Kernel.php
--- a/src/app/Http/Kernel.php
+++ b/src/app/Http/Kernel.php
@@ -71,6 +71,7 @@
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'scopes' => \Laravel\Passport\Http\Middleware\CheckScopes::class,
'scope' => \Laravel\Passport\Http\Middleware\CheckForAnyScope::class,
+ 'allowedHosts' => \App\Http\Middleware\AllowedHosts::class,
];
/**
diff --git a/src/app/Http/Middleware/AllowedHosts.php b/src/app/Http/Middleware/AllowedHosts.php
new file mode 100644
--- /dev/null
+++ b/src/app/Http/Middleware/AllowedHosts.php
@@ -0,0 +1,25 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class AllowedHosts
+{
+ /**
+ * Handle an incoming request.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @param \Closure $next
+ * @param array|string $hosts
+ *
+ * @return mixed
+ */
+ public function handle($request, Closure $next, ...$hosts)
+ {
+ if (!in_array(request()->getHost(), $hosts)) {
+ return abort(404);
+ }
+ return $next($request);
+ }
+}
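Review bot: The host check at `in_array(request()->getHost(), $hosts)` reads the global request helper and compares loosely, while the injected `$request` parameter goes unused; use `if (!in_array($request->getHost(), $hosts, true)) {` so the middleware tests the request it was handed and does not depend on type juggling. Symfony's `getHost()` lower-cases the host and strips any port, so entries in the allow-list must be lowercase hostnames without ports, which the docblock should say (and `@param array|string $hosts` should read `@param string ...$hosts`, since the variadic always yields strings). `abort(404)` throws rather than returns, so `return abort(404);` can be plain `abort(404);`. A positive allow-list over the attacker-supplied Host header is the right shape here; a mismatch between what the proxy forwards and what is configured surfaces as a 404 rather than an open path.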
diff --git a/src/config/app.php b/src/config/app.php
--- a/src/config/app.php
+++ b/src/config/app.php
@@ -90,6 +90,12 @@
"services." . env('APP_WEBSITE_DOMAIN', env('APP_DOMAIN', 'domain.tld'))
),
+ // Restrict over which domains the services paths can be accessed.
+ 'services_allowed_domains' => env(
+ 'APP_SERVICES_ALLOWED_DOMAINS',
+ "webapp,kolab,services." . env('APP_WEBSITE_DOMAIN', env('APP_DOMAIN', 'domain.tld'))
+ ),
+
/*
|--------------------------------------------------------------------------
| Application Timezone
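Review bot: The comment on `services_allowed_domains` should state the format its consumer expects: a comma-separated list of hostnames with no surrounding whitespace, because the value is spliced into a middleware parameter string and, as far as I can tell, Laravel splits middleware parameters on `,` without trimming, so `webapp, kolab` would never match `kolab`. Suggested wording: `// Comma-separated list of hostnames (lowercase, no spaces, no port) over which the services paths can be accessed; compared exactly against the request Host.` The defaults `webapp` and `kolab` are unqualified names that presumably only match when the app is reached over an internal network, which is worth saying so a deployer does not widen the list by accident.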
diff --git a/src/routes/api.php b/src/routes/api.php
--- a/src/routes/api.php
+++ b/src/routes/api.php
@@ -207,7 +207,7 @@
if (\config('app.with_services')) {
Route::group(
[
- 'domain' => \config('app.services_domain'),
+ 'middleware' => ['allowedHosts:' . \config('app.services_allowed_domains')],
'prefix' => 'webhooks'
],
function () {
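Review bot: With `'domain'` replaced by the `allowedHosts` middleware, the webhook routes are now registered for every host and the restriction is enforced only when the group middleware runs, so a later edit that drops or reorders that middleware would silently widen exposure; a comment on the `'middleware'` line such as `// Host allow-list replaces the former 'domain' constraint; keep it on this group.` makes the dependency visible. If `app.services_allowed_domains` is the empty string the parameter list becomes `['']` and every request is rejected, which is fail-closed but worth knowing when debugging a 404. The `Route::group` body continues outside the hunk.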
