[ https://issues.apache.org/jira/browse/OFBIZ-11588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17236290#comment-17236290 ]

Daniel Watford commented on OFBIZ-11588:
----------------------------------------

Hi [~jleroux].

If we merge the PR as currently written, the host-headers-allowed property in 
security.properties will no longer contain the names of the demo environment 
hosts. If names of the hosts are not included in the security.properties file 
in the demo environments then users accessing these environments will receive 
the error:
{quote}org.apache.ofbiz.webapp.control.RequestHandlerException: Domain 
ofbiz.example.com not accepted to prevent host header injection. You need to 
set host-headers-allowed property in security.properties file.
{quote}
Hence my question about the location of the deployment scripts for the demo 
environments so that they can be updated to ensure the host-headers-allowed 
property is set appropriately. It may be the case that this is already taken 
care of, I just don't know where to look to check.


> Have 'host-headers-allowed' validation for all local headers
> ------------------------------------------------------------
>
>                 Key: OFBIZ-11588
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11588
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework/security
>    Affects Versions: Trunk
>            Reporter: Pierre Smits
>            Assignee: Pierre Smits
>            Priority: Major
>              Labels: CSRF, security
>
> The ip address 0.0.0.0 is missing from the list.



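The check that produces the RequestHandlerException quoted in the comment above, as an added example in Python (not OFBiz's own Java implementation): it reads the host-headers-allowed property from security.properties-style text, normalises the incoming Host header, and rejects any host that is not on the list. The sample property text, the assumption that the property is a comma-separated list, the lower-casing, and the port stripping are this example's choices; the example names (ofbiz.example.com) come from the comment.

```python
"""Host header allowlist check modelled on the behaviour described in the
comment above.  Added example, not OFBiz project code.

Assumptions (not taken from the page): the property value is a
comma-separated list, matching is case-insensitive, and a trailing
":port" on the Host header is ignored when comparing against the list.
"""


class HostHeaderRejected(Exception):
    """Raised when the Host header is not in host-headers-allowed."""


def parse_allowed_hosts(properties_text: str) -> set[str]:
    """Extract the host-headers-allowed entries from .properties text.

    Only 'key=value' lines are considered; '#'/'!' comment lines and
    blank lines are skipped.  Entries are trimmed and lower-cased.
    """
    allowed: set[str] = set()
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() != "host-headers-allowed":
            continue
        for entry in value.split(","):
            entry = entry.strip().lower()
            if entry:
                allowed.add(entry)
    return allowed


def host_from_header(host_header: str) -> str:
    """Normalise a Host header value to the bare host name.

    Handles '[::1]:8443' style IPv6 literals and 'name:port'.  A value
    with more than one colon and no brackets is treated as a bare IPv6
    address and returned unchanged.
    """
    value = host_header.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        return value[1:end] if end != -1 else value
    if value.count(":") == 1:
        return value.rsplit(":", 1)[0]
    return value


def is_host_allowed(host_header: str, allowed: set[str]) -> bool:
    """True if the normalised Host header is in the allow list."""
    return host_from_header(host_header) in allowed


def check_host_header(host_header: str, allowed: set[str]) -> str:
    """Return the accepted host, or raise with the message the comment quotes."""
    host = host_from_header(host_header)
    if host not in allowed:
        raise HostHeaderRejected(
            f"Domain {host} not accepted to prevent host header injection. "
            "You need to set host-headers-allowed property in "
            "security.properties file."
        )
    return host


# Constructed sample of a demo environment's security.properties BEFORE the
# demo host name is added (not the shipped file).
DEMO_PROPERTIES = """
# Hosts accepted in the Host header (constructed sample)
host-headers-allowed=localhost,127.0.0.1,0.0.0.0
"""

# The same sample AFTER the deployment script adds the demo host name.
UPDATED_PROPERTIES = DEMO_PROPERTIES.replace(
    "0.0.0.0", "0.0.0.0,ofbiz.example.com"
)


if __name__ == "__main__":
    before = parse_allowed_hosts(DEMO_PROPERTIES)
    after = parse_allowed_hosts(UPDATED_PROPERTIES)
    for header, allowed in (("ofbiz.example.com", before),
                            ("ofbiz.example.com", after),
                            ("Localhost:8443", before)):
        try:
            print("accepted:", check_host_header(header, allowed))
        except HostHeaderRejected as exc:
            print("rejected:", exc)
```

Running the block shows the request for ofbiz.example.com rejected against the first property set and accepted once the host is listed, which is the situation the comment describes for the demo environments after the PR is merged.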
--
This message was sent by Atlassian Jira
(v8.3.4#803005)