[ https://issues.apache.org/jira/browse/OFBIZ-11588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17236290#comment-17236290 ]
Daniel Watford commented on OFBIZ-11588:
----------------------------------------
Hi [~jleroux].
If we merge the PR as currently written, the host-headers-allowed property in security.properties will no longer contain the names of the demo environment hosts. If names of the hosts are not included in the security.properties file in the demo environments then users accessing these environments will receive the error:
{quote}org.apache.ofbiz.webapp.control.RequestHandlerException: Domain ofbiz.example.com not accepted to prevent host header injection. You need to set host-headers-allowed property in security.properties file.
{quote}
Hence my question about the location of the deployment scripts for the demo environments so that they can be updated to ensure the host-headers-allowed property is set appropriately. It may be the case that this is already taken care of, I just don't know where to look to check.
> Have 'host-headers-allowed' validation for all local headers
> ------------------------------------------------------------
>
> Key: OFBIZ-11588
> URL: https://issues.apache.org/jira/browse/OFBIZ-11588
> Project: OFBiz
> Issue Type: Improvement
> Components: framework/security
> Affects Versions: Trunk
> Reporter: Pierre Smits
> Assignee: Pierre Smits
> Priority: Major
> Labels: CSRF, security
>
> The ip address 0.0.0.0 is missing from the list.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)