New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[8.x] Uncomment TrustHosts middleware to enable it by default #5477
[8.x] Uncomment TrustHosts middleware to enable it by default #5477
Conversation
This is not included by default because it breaks multi-tenancy applications. It is also possible to mitigate this vulnerability by using secure nginx/apache/load balancer configuration that checks the For example:
|
@GrahamCampbell do you know if Laravel Forge adds this nginx config by default? |
I'm not sure. // cc @jbrooksuk |
@CaddyDz Forge is not vulnerable to this even when not using this middleware because Forge sites listen on a specific host. |
To @GrahamCampbell 's point: This will break multi-tenancy apps which use custom domains (subdomains of the Conversely, this vulnerability would affect all Laravel sites behind reverse proxies unless they explicitly set the Ultimately this comes down to priorities. I'm making a suggestion that we prioritize security for a large segment of users over convenience for a small segment of users. |
I put together a quick demo of the vulnerability for anyone who is having a hard time envisioning it: https://twitter.com/DCoulbourne/status/1331317933675581442 |
Do the majority of users do reverse proxies? If so, that is news to me.
Get Outlook for iOS<https://aka.ms/o0ukef>
…________________________________
Justin Lawrence, M.S.
Data Architect
1270 N. Loop 1604 East, STE 13, Suite 1306
SAN ANTONIO, TX 78232
210.778.5406
www.nationwidepharmaceutical.com
bridging the gap between the government and healthcare industry
one of the nation’s fastest-growing private companies for 2nd year in a row - Inc. 5000
From: Daniel Coulbourne <notifications@github.com>
Sent: Tuesday, November 24, 2020 11:51:49 AM
To: laravel/laravel <laravel@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Subject: Re: [laravel/laravel] [8.x] Uncomment TrustHosts middleware to enable it by default. (#5477)
To @GrahamCampbell<https://github.com/GrahamCampbell> 's point:
This will break multi-tenancy apps which use custom domains (subdomains of the APP_URL are explicitly supported by the default TrustHosts middleware). This sort of multi-tenancy scenario is pretty niche, and I don't think it's a big ask to make people remove one Middleware for that very specialized use-case.
Conversely, this vulnerability would affect all Laravel sites behind reverse proxies unless they explicitly set the X-Forwarded-Host header. This is not documented anywhere in the Laravel docs (because Laravel has no docs on setting up reverse proxies) and is an incredibly easy trap to fall into. I think we should prefer security-by-default for users who don't know everything to convenience-by-default for people building very specialized use-cases.
Ultimately this comes down to priorities. I'm making a suggestion that we prioritize security for a large segment of users over convenience for a small segment of users.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub<#5477 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AKHCH7IFBQUPE65REMDY3XTSRPXDLANCNFSM4T77EORA>.
|
Nowhere near the majority, but many. |
Many thanks for raising awareness about this at the very least.
Get Outlook for iOS<https://aka.ms/o0ukef>
…________________________________
Justin Lawrence, M.S.
Data Architect
1270 N. Loop 1604 East, STE 13, Suite 1306
SAN ANTONIO, TX 78232
210.778.5406
www.nationwidepharmaceutical.com
bridging the gap between the government and healthcare industry
one of the nation’s fastest-growing private companies for 2nd year in a row - Inc. 5000
From: Daniel Coulbourne <notifications@github.com>
Sent: Tuesday, November 24, 2020 2:06:46 PM
To: laravel/laravel <laravel@noreply.github.com>
Cc: Justin Lawrence, M.S. <justin@nwp-mail.com>; Comment <comment@noreply.github.com>
Subject: Re: [laravel/laravel] [8.x] Uncomment TrustHosts middleware to enable it by default (#5477)
Nowhere near the majority, but many.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#5477 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AKHCH7NTSKWVJAMVMTMRJG3SRQG5NANCNFSM4T77EORA>.
|
Also, just to be clear, the primary concern isn't the Imagine a scenario where someone followed one of the top Google search results for "nginx reverse proxy laravel" which, like most other tutorials that I've looked at today, suggest the following directive:
Next, imagine they followed the Laravel docs on TrustedProxies, adding their proxy server's IP address to the Given those two steps, they are now vulnerable to this exploit. There are 3 possible fixes. The first is to explicitly set all
The second fix is to set The third is to enable the default I agree with @DanielCoulbourne that enabling |
I think I will go ahead with this. "Multi-tenant" applications are not as common as traditional applications and if someone is building one they can just comment out the middleware. |
Just some additional context if anyone was curious. This vulnerability was first fixed in 5.4.22, with this commit: laravel/framework@cef1055. Here is a Laravel News article related to it: https://laravel-news.com/laravel-5-4-22-is-now-released-and-includes-a-security-fix. This fix also broke domain-based multi-tenant applications, but it seems the security aspect won out. It looks like the vulnerability was reintroduced in 6.18.7, with this commit: laravel/framework@1eaaf6c (PR32345) This seems like this is a nicer fix than the original one, though. Of course, this middleware didn't exist back then. |
Just a note for Forge users deploying their applications to the
|
This also broke Vapor. Vanity domains stop working once you add a custom domain, and if you have multiple custom domains only one will work and the rest will not work. If we're keeping this middleware uncommented we should make a major announcement about it so people on Forge & Vapor make sure they comment it. Or add a build step in vapor to comment that middleware before deploying. |
I do think that setting a new default for |
Probably we have to revert this and let people opt-in to it like Symfony does. |
@DanielCoulbourne Just for clarification, normally a Man in the middle attack should be adverted by using a secure connection aka "https". Isn't a Site protected from this vulnerability or more perhaps the user if the site is fully secured with https? |
It's fairly common, I think, for load balancers to handle TLS offloading and communicate with application servers behind them over HTTP. |
I think @inxilpro's suggestion on the TrustProxies header might be the best way to go without breaking Forge. @Thiritin check out Daniel's demo video. |
It's not an HTTPS issue. The issue is that |
@themsaid and @jbrooksuk — Are you able to check what happens when you:
Do those two changes address the issues with Vapor and Forge? |
We recently learned of a vulnerability in our app through our Bug Bounty program which allowed an attacker to change the host of a signed URL using the
X-Forwarded-Host
header. This allowed an attacker to generate a malicious password-reset email which, if the link was clicked, would send the user's password reset token to a website controlled by the hacker.Enabling this middleware by default could close this vulnerability for many websites who may currently be exposed to this same vulnerability.