Close #3292
diff --git a/application/config/config.php b/application/config/config.php
index f028565..675cb4f 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -47,11 +47,13 @@
 |
 |	http://example.com/
 |
-| If this is not set then CodeIgniter will guess the protocol, domain and
-| path to your installation.
+| If this is not set then CodeIgniter will try guess the protocol, domain
+| and path to your installation. However, you should always configure this
+| explicitly and never rely on auto-guessing, especially in production
+| environments.
 |
 */
-$config['base_url']	= '';
+$config['base_url'] = '';
 
 /*
 |--------------------------------------------------------------------------
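Review bot: The added comment line `| If this is not set then CodeIgniter will try guess the protocol, domain` drops a word and should read `will try to guess the protocol, domain`. The rest of the new wording is sound, since it steers users to set `$config['base_url']` explicitly instead of relying on the `HTTP_HOST`-based fallback that the Config.php hunk in this commit only partially validates.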
diff --git a/system/core/Config.php b/system/core/Config.php
index 02e6dd8..d8a606c 100644
--- a/system/core/Config.php
+++ b/system/core/Config.php
@@ -87,7 +87,9 @@
 		// Set the base_url automatically if none was provided
 		if (empty($this->config['base_url']))
 		{
-			if (isset($_SERVER['HTTP_HOST']))
+			// The regular expression is only a basic validation for a valid "Host" header.
+			// It's not exhaustive, only checks for valid characters.
+			if (isset($_SERVER['HTTP_HOST']) && preg_match('/^((\[[0-9a-f:]+\])|(\d{1,3}(\.\d{1,3}){3})|[a-z0-9\-\.]+)(:\d+)?$/i', $_SERVER['HTTP_HOST']))
 			{
 				$base_url = (is_https() ? 'https' : 'http').'://'.$_SERVER['HTTP_HOST']
 					.substr($_SERVER['SCRIPT_NAME'], 0, strpos($_SERVER['SCRIPT_NAME'], basename($_SERVER['SCRIPT_FILENAME'])));
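Review bot: The new Host check on the `if` line anchors with `$`, which in PCRE also matches before a trailing newline, so a value ending in `\n` would still pass and be concatenated into `$base_url`; anchor with `\z` or add the `D` modifier, e.g. `preg_match('/^((\[[0-9a-f:]+\])|(\d{1,3}(\.\d{1,3}){3})|[a-z0-9\-\.]+)(:\d+)?$/iD', $_SERVER['HTTP_HOST'])`. Beyond that, the pattern only restricts the character set, so any syntactically well-formed hostname the client sends is still accepted as the base URL; the added comment should state this plainly, e.g. `// This does not verify the host is one of ours; set $config['base_url'] to avoid trusting the Host header at all.`, especially since the changelog entry in this commit describes the change as preventing cache poisoning. The IPv6 alternative `\[[0-9a-f:]+\]` also rejects bracketed IPv4-mapped forms such as `[::ffff:192.0.2.1]`, which may be intended but is worth noting next to the pattern. The enclosing method starts before the hunk, and the fallback taken when the match fails lies outside it.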
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index f57e244..909c3bc 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -503,6 +503,7 @@
       -  Removed internal method ``_assign_to_config()`` and moved its implementation to *CodeIgniter.php* instead.
       -  ``item()`` now returns NULL instead of FALSE when the required config item doesn't exist.
       -  Added an optional second parameter to both ``base_url()`` and ``site_url()`` that allows enforcing of a protocol different than the one in the *base_url* configuration setting.
+      -  Added HTTP "Host" header character validation to prevent cache poisoning attacks when ``base_url`` auto-detection is used.
 
    -  :doc:`Security Library <libraries/security>` changes include:
 
diff --git a/user_guide_src/source/general/environments.rst b/user_guide_src/source/general/environments.rst
index d74ebb8..1ce4fde 100644
--- a/user_guide_src/source/general/environments.rst
+++ b/user_guide_src/source/general/environments.rst
@@ -20,7 +20,7 @@
 This server variable can be set in your .htaccess file, or Apache 
 config using `SetEnv <https://httpd.apache.org/docs/2.2/mod/mod_env.html#setenv>`_. 
 Alternative methods are available for nginx and other servers, or you can 
-remove this logic entirely and set the constant based on the HTTP_HOST or IP.
+remove this logic entirely and set the constant based on the server's IP address.
 
 In addition to affecting some basic framework behavior (see the next
 section), you may use this constant in your own development to