
[Web] Add validation for server_name against allow list

This commit is contained in:
FreddleSpl0it
2025-01-30 11:47:55 +01:00
parent 0ad327bbe5
commit a2e87e0880
2 changed files with 20 additions and 3 deletions


@@ -2275,9 +2275,25 @@ function cors($action, $data = null) {
break;
}
}
function getBaseURL() {
$protocol = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http';
$host = $_SERVER['SERVER_NAME'];
function getBaseURL($protocol = null) {
// Get current server name
$host = strtolower($_SERVER['SERVER_NAME']);
// craft allowed server name list
$mailcow_hostname = strtolower(getenv("MAILCOW_HOSTNAME"));
$additional_server_names = strtolower(getenv("ADDITIONAL_SERVER_NAMES")) ?: "";
$additional_server_names = preg_replace('/\s+/', '', $additional_server_names);
$allowed_server_names = $additional_server_names !== "" ? explode(',', $additional_server_names) : array();
array_push($allowed_server_names, $mailcow_hostname);
// Fallback to MAILCOW HOSTNAME if current server name is not in allowed list
if (!in_array($host, $allowed_server_names)) {
$host = $mailcow_hostname;
}
if (!isset($protocol)) {
$protocol = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http';
}
$base_url = $protocol . '://' . $host;
return $base_url;
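Review bot: The allow-list membership check `in_array($host, $allowed_server_names)` uses loose comparison; pass the strict flag, `if (!in_array($host, $allowed_server_names, true)) {`, so only an exact string match is accepted (under `==` numeric-looking names such as `10` and `1e1` compare equal). The reason for the fallback is also worth recording next to it, since a later reader may be tempted to drop it: something like `// SERVER_NAME may reflect the client-supplied Host header; never build absolute URLs (e.g. links placed in mails) from a name outside the allow list` — hedged, because whether the web server passes the Host header through as SERVER_NAME is not visible in this hunk. Note that matching is exact, so entries in ADDITIONAL_SERVER_NAMES that are wildcards (if that setting is also fed to the nginx `server_name` directive) will never match and those requests silently get MAILCOW_HOSTNAME instead, which is the safe direction but may surprise operators. The closing brace of getBaseURL is outside the visible hunk.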


@@ -174,6 +174,7 @@ services:
- DEMO_MODE=${DEMO_MODE:-n}
- WEBAUTHN_ONLY_TRUSTED_VENDORS=${WEBAUTHN_ONLY_TRUSTED_VENDORS:-n}
- CLUSTERMODE=${CLUSTERMODE:-}
- ADDITIONAL_SERVER_NAMES=${ADDITIONAL_SERVER_NAMES:-}
restart: always
networks:
mailcow-network: