diff --git a/core/lib/Drupal/Core/DrupalKernel.php b/core/lib/Drupal/Core/DrupalKernel.php
index 19e9817..fd591d6 100644
--- a/core/lib/Drupal/Core/DrupalKernel.php
+++ b/core/lib/Drupal/Core/DrupalKernel.php
@@ -225,7 +225,7 @@ public static function createFromRequest(Request $request, $class_loader, $envir
 $hostPatterns = Settings::get('trusted_host_patterns', array());
 if (PHP_SAPI !== 'cli' && !empty($hostPatterns)) {
 if (static::setupTrustedHosts($request, $hostPatterns) === FALSE) {
- throw new BadRequestHttpException();
+ throw new BadRequestHttpException('Invalid HOST header detected.');
 }
 }
 
@@ -313,7 +313,7 @@ public function __construct($environment, $class_loader, $allow_dumping = TRUE)
 */
 public static function findSitePath(Request $request, $require_settings = TRUE) {
 if (static::validateHostname($request) === FALSE) {
- throw new BadRequestHttpException();
+ throw new BadRequestHttpException('');
 }
 
 // Check for a simpletest override.
diff --git a/core/lib/Drupal/Core/Installer/Form/SiteSettingsForm.php b/core/lib/Drupal/Core/Installer/Form/SiteSettingsForm.php
index 8cf65c9..6feaa45 100644
--- a/core/lib/Drupal/Core/Installer/Form/SiteSettingsForm.php
+++ b/core/lib/Drupal/Core/Installer/Form/SiteSettingsForm.php
@@ -155,6 +155,13 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
 'value' => $install_state['parameters']['profile'],
 'required' => TRUE,
 );
+ // Set the initial trusted host value if this isn't a command line install.
+ if (PHP_SAPI !== 'cli') {
+ $settings['settings']['trusted_host_patterns'] = (object) array(
+ 'value' => array('^' . preg_quote(\Drupal::request()->getHost()) . '$'),
+ 'required' => TRUE,
+ );
+ }
 
 drupal_rewrite_settings($settings);
 
diff --git a/core/modules/system/src/Tests/System/TrustedHostsTest.php b/core/modules/system/src/Tests/System/TrustedHostsTest.php
index aac720f..02764ce 100644
--- a/core/modules/system/src/Tests/System/TrustedHostsTest.php
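Review bot: The replacement `throw new BadRequestHttpException('');` in findSitePath passes an empty message, while the parallel change in createFromRequest passes `'Invalid HOST header detected.'`; since index.php in this same commit now writes `$e->getMessage()` into the 400 response body, this branch still yields a blank page. Either use the same fixed message here, or, if an empty body is deliberate for a failed hostname validation, add a comment such as `// Intentionally no message: the hostname failed validateHostname().` so the next reader does not "fix" it. The rest of findSitePath continues outside the hunk.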
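Review bot: The pattern written to settings.php, `'^' . preg_quote(\Drupal::request()->getHost()) . '$'`, pins the site to the single hostname the installer was reached on, and nothing in the generated settings tells the administrator why requests for any other name — a `www.` alias, an IP address, or the real domain when installing behind a proxy — will afterwards be rejected with a 400 by DrupalKernel. A short comment above this block explaining that, e.g. `// Only the install-time host is trusted; add further patterns in settings.php when the site is served under other names.`, and matching guidance where the setting is documented would save a lockout surprise. submitForm continues outside the hunk.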
+++ b/core/modules/system/src/Tests/System/TrustedHostsTest.php @@ -30,19 +30,19 @@ protected function setUp() { } /** - * Tests that the status page shows a warning when the trusted host setting + * Tests that the status page shows an error when the trusted host setting * is missing from settings.php */ public function testStatusPageWithoutConfiguration() { $this->drupalGet('admin/reports/status'); + $this->assertResponse(200, 'The status page is reachable.'); $this->assertRaw(t('Trusted Host Settings')); $this->assertRaw(t('The trusted_host_patterns setting is not configured in settings.php.')); } /** - * Tests that the status page shows a warning when the trusted host setting - * is missing from settings.php + * Tests that the status page shows the trusted patterns from settings.php */ public function testStatusPageWithConfiguration() { $settings['settings']['trusted_host_patterns'] = (object) array( @@ -56,7 +56,7 @@ public function testStatusPageWithConfiguration() { $this->assertResponse(200, 'The status page is reachable.'); $this->assertRaw(t('Trusted Host Settings')); - $this->assertNoRaw(t('The trusted_host_patterns setting is not configured in settings.php.')); + $this->assertRaw(t('The trusted_host_patterns setting is set to allow')); } } diff --git a/core/modules/system/system.install b/core/modules/system/system.install index 98f5dc0..dced956 100644 --- a/core/modules/system/system.install +++ b/core/modules/system/system.install 
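Review bot: The docblock now says the status page "shows an error", but testStatusPageWithoutConfiguration still asserts only the two text fragments, so the REQUIREMENT_WARNING to REQUIREMENT_ERROR change in system.install is not actually covered by this test. Adding an assertion on the error rendering of that requirement row (whatever markup the status report uses for an error-severity requirement) would pin the severity change. The enclosing class and the preceding setUp() extend outside the hunk.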
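Review bot: `$this->assertRaw(t('The trusted_host_patterns setting is set to allow'))` matches only the fixed prefix of the message, so a report that lists the wrong patterns, or none, would still pass. Asserting the pattern value the test writes above the hunk, as it appears on the page after the `%` placeholder escaping, would check what the setting actually contains. The $settings array this test writes is defined outside the hunk.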
@@ -621,13 +621,14 @@ function system_requirements($phase) {
 'title' => t('Trusted Host Settings'),
 'value' => t('Not enabled'),
 'description' => t('The trusted_host_patterns setting is not configured in settings.php. This can lead to security vulnerabilities. It is highly recommended that you configure this. See Protecting against HTTP HOST Header attacks for more information.', array('@url' => 'https://www.drupal.org/node/1992030')),
- 'severity' => REQUIREMENT_WARNING,
+ 'severity' => REQUIREMENT_ERROR,
 );
 }
 else {
 $requirements['trusted_host_patterns'] = array(
 'title' => t('Trusted Host Settings'),
 'value' => t('Enabled'),
+ 'description' => t('The trusted_host_patterns setting is set to allow %trusted_host_patterns', array('%trusted_host_patterns' => join(', ', $trusted_host_patterns))),
 );
 }
 }
diff --git a/index.php b/index.php
index 55fc947..867f0e0 100644
--- a/index.php
+++ b/index.php
@@ -27,7 +27,7 @@
 $kernel->terminate($request, $response);
 }
 catch (HttpExceptionInterface $e) {
- $response = new Response('', $e->getStatusCode());
+ $response = new Response($e->getMessage(), $e->getStatusCode());
 $response->prepare($request)->send();
 }
 catch (Exception $e) {
diff --git a/sites/example.settings.local.php b/sites/example.settings.local.php
index 7859fe5..0a517aa 100644
--- a/sites/example.settings.local.php
+++ b/sites/example.settings.local.php
@@ -55,3 +55,15 @@
 * using these parameters in a request to rebuild.php.
 */
 $settings['rebuild_access'] = TRUE;
+
+/**
+ * Trust localhost
+ *
+ * This will configure several common hostnames used for local development to
+ * be trusted hosts.
+ */
+$settings['trusted_host_patterns'] = array(
+ '^localhost$',
+ '^localhost\.*',
+ '\.local$',
+);
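Review bot: `join(', ', $trusted_host_patterns)` in the added 'description' assumes the value read from settings.php (assigned above the hunk) is an array; a scalar there turns the status report row into a PHP warning instead of a readable message. A guard such as `is_array($trusted_host_patterns) ? implode(', ', $trusted_host_patterns) : (string) $trusted_host_patterns` keeps the report rendering, and `implode` is the canonical name of `join`. Raising the unconfigured case to REQUIREMENT_ERROR applies in every $phase this branch is reached in; if it runs during install, the installer would block before SiteSettingsForm has written the patterns, which is worth confirming against the phase check outside the hunk.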
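Review bot: `new Response($e->getMessage(), $e->getStatusCode())` writes the exception message into the body unescaped, and a Symfony Response defaults to an HTML content type; the two messages this commit adds are fixed strings, but any other HttpExceptionInterface reaching this catch whose message embeds request data would be reflected into the page as-is. Escape for the HTML context and keep the exception's headers, e.g. `$response = new Response(htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'), $e->getStatusCode(), $e->getHeaders());`, or set a text/plain content type on the response; `getHeaders()` also preserves headers the exception carries (such as Allow on a 405), which the current line drops. The enclosing try/catch starts outside the hunk.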
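Review bot: The pattern `'^localhost\.*'` does not express "subdomains of localhost": `\.*` means zero or more literal dots and there is no end anchor, so any hostname that merely begins with `localhost` is accepted (for instance `localhostfoo.example`, a constructed example). If subdomains are the intent, `'^localhost\..+$'` says so, and the first entry already covers bare `localhost`. `'\.local$'` is unanchored at the start, presumably on purpose for mDNS-style names; a one-line comment stating that would make the example settings self-explanatory.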