Merge branch 'security-issue-65207-host-header-injection' into '5.12.z'

Security issue 65207 Host Header Injection See merge request cloudforms/cfme-appliance!13 (cherry picked from commit 181f07b)
ManageIQ · Aug 7, 2020 · cf4f17c · cf4f17c
1 parent ce70659
commit cf4f17c
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/COPY/etc/httpd/conf.d/manageiq-host-config b/COPY/etc/httpd/conf.d/manageiq-host-config
@@ -0,0 +1,9 @@
+# Default config (insecure)
+ProxyPreserveHost on
+
+# To make the appliance more secure and prevent Host Header Injection attacks,
+# uncomment the following and change APPLIANCE_HOSTNAME to use the hostname
+# address that the appliance is running on.
+#
+# RequestHeader set Host APPLIANCE_HOSTNAME
+# RequestHeader set X-Forwarded-Host APPLIANCE_HOSTNAME
diff --git a/COPY/etc/httpd/conf.d/manageiq-http.conf b/COPY/etc/httpd/conf.d/manageiq-http.conf
@@ -19,7 +19,7 @@ RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
 #  Include conf.d/manageiq-redirects-api
 #  Include conf.d/manageiq-redirects-ui
 #  Include conf.d/manageiq-redirects-websocket
-#  ProxyPreserveHost on
+#  Include conf.d/manageiq-host-config
 #  <Location /assets/>
 #    Header unset ETag
 #    FileETag None

diff --git a/COPY/etc/httpd/conf.d/manageiq-https-application.conf b/COPY/etc/httpd/conf.d/manageiq-https-application.conf
@@ -11,7 +11,7 @@ Include conf.d/manageiq-redirects-cockpit
 Include conf.d/manageiq-redirects-api
 Include conf.d/manageiq-redirects-ui
 Include conf.d/manageiq-redirects-websocket
-ProxyPreserveHost on
+Include conf.d/manageiq-host-config
 RequestHeader set X_FORWARDED_PROTO 'https'
 
 ErrorLog /var/www/miq/vmdb/log/apache/ssl_error.log