Problem/Motivation

Follow-up to #2221699: HTTP_HOST header cannot be trusted.

If a developer uncomments the trusted_host_patterns section in default.settings.php and sets a different set of patterns in settings.local.php, the patterns in settings.local.php are ignored: the later assignment in default.settings.php overwrites them.

This is because the settings.local.php include must be the last statement in the file, as the comment above the include block in default.settings.php already says:

"Keep this code block at the end of this file to take full effect."

Proposed resolution

Move the local settings include to the bottom of default.settings.php
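As an added illustration of the ordering problem and of the proposed fix (example code written for this page, not Drupal core's own code and not the attached patch), the script below writes two constructed settings files to a temp directory, includes them with the settings.local.php block first and then last, and shows which trusted_host_patterns value survives in each case. The host check is a simplified stand-in for the one Drupal delegates to Symfony (each pattern is a regex matched case-insensitively against the Host header); the `__DIR__` form of the include block and the sample patterns are assumptions.

```php
<?php
// Added example, not code from Drupal core or from the patch on this issue.
// It writes two constructed settings files to a temp directory, loads them with
// the settings.local.php include first and then last, and shows that only the
// second order lets the local trusted_host_patterns take effect.

// Simplified stand-in for the trusted-host check Drupal delegates to Symfony:
// every entry in $settings['trusted_host_patterns'] is a regular expression,
// matched case-insensitively against the Host header value.
function host_is_trusted(string $host, array $patterns): bool {
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// Build a settings.php in which the local include sits either before or after
// the trusted_host_patterns assignment, include it, and return the effective value.
function effective_patterns(bool $include_last): array {
  $dir = sys_get_temp_dir() . '/settings-order-' . uniqid();
  mkdir($dir);

  // Constructed settings.local.php, the kind of override a developer keeps out of git.
  file_put_contents($dir . '/settings.local.php', "<?php\n"
    . "\$settings['trusted_host_patterns'] = ['^mysite\\.local\$'];\n");

  // The two pieces of default.settings.php whose order this issue is about
  // (the __DIR__ form of the include block is assumed here).
  $assignment = "\$settings['trusted_host_patterns'] = ['^www\\.example\\.com\$'];\n";
  $include = "if (file_exists(__DIR__ . '/settings.local.php')) {\n"
    . "  include __DIR__ . '/settings.local.php';\n"
    . "}\n";
  $body = $include_last ? $assignment . $include : $include . $assignment;
  file_put_contents($dir . '/settings.php', "<?php\n" . $body);

  // Drupal populates $settings by including settings.php; the nested include of
  // settings.local.php runs in the same scope, so the last assignment wins.
  $settings = [];
  include $dir . '/settings.php';

  unlink($dir . '/settings.local.php');
  unlink($dir . '/settings.php');
  rmdir($dir);
  return $settings['trusted_host_patterns'];
}

// Old order (include followed by the assignment) versus the order this issue proposes.
foreach (['include first' => FALSE, 'include last' => TRUE] as $label => $include_last) {
  $patterns = effective_patterns($include_last);
  printf("%-14s %-26s mysite.local trusted: %s\n", $label . ':',
    json_encode($patterns), host_is_trusted('mysite.local', $patterns) ? 'yes' : 'no');
}
```

Run it with `php` on the command line. With the include first, the developer's `^mysite\.local$` pattern is silently replaced by the production pattern and the local host fails the check; with the include last, the local file has the final word, which is exactly what the comment in default.settings.php promises.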

Remaining tasks

None.

User interface changes

None.

API changes

None.

Beta phase evaluation

Reference: https://www.drupal.org/core/beta-changes
Issue category: Bug
Issue priority: Normal
Unfrozen changes: No
Prioritized changes: Yes. This improves security.
Disruption: None.
Files:
#1 trusted-host-2419225-1.patch (1.62 KB) by mikeker

Comments

mikeker’s picture

Attached patch pushes the settings.local.php processing to the bottom of default.settings.php.

mikeker’s picture

Status: Active » Needs review

Duh...

mikeker’s picture

dawehner’s picture

Urgs ... I wonder whether we can test this to ensure it doesn't happen again?

mpdonadio’s picture

Issue summary: View changes
Status: Needs review » Reviewed & tested by the community
Issue tags: +Quick fix

#2416563: Follow-up to "HTTP_HOST header cannot be trusted" removed trusted_host_patterns from sites/example.settings.local.php.

Updated IS to reflect true bug...

mikeker’s picture

@dawehner: I suppose we could use a regex to test that the local settings file directive is at the end of default.settings.php. I'm concerned that would be a pretty brittle test, though it is for rarely changed code...

Thoughts?
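As an added sketch of the test idea raised in the comment above (example code written for this page, not a test from Drupal core), the script below tokenises a copy of default.settings.php, drops comments and whitespace, and then checks that what remains ends with the settings.local.php include block. Working on tokens rather than a raw regex over the whole file means edits to the surrounding documentation comment do not break the check, although it still guards only this one file. The sample sources are constructed; the function names and the regex over the stripped code are assumptions.

```php
<?php
// Added example of the check floated in the comment above; not Drupal's own test.
// It tokenises the file, removes comments and whitespace, and asks whether the
// remaining code ends with the settings.local.php include block.

// Remove comments and whitespace so the check sees the statements only.
function strip_comments_and_whitespace(string $source): string {
  $code = '';
  foreach (token_get_all($source) as $token) {
    if (!is_array($token)) {
      $code .= $token;           // single-character token such as ';' or '{'
    }
    elseif (!in_array($token[0], [T_COMMENT, T_DOC_COMMENT, T_WHITESPACE], TRUE)) {
      $code .= $token[1];
    }
  }
  return $code;
}

// TRUE when the last statement of the file is the settings.local.php include.
// The pattern only pins the file name, so the __DIR__ form and a
// $app_root/$site_path form of the include block are both accepted.
function local_include_is_last(string $source): bool {
  $code = strip_comments_and_whitespace($source);
  $include_block = '/if\(file_exists\([^)]*settings\.local\.php\'\)\)\{include[^;]*;\}$/';
  return preg_match($include_block, $code) === 1;
}

// Constructed stand-in for the tail of default.settings.php after this fix.
$fixed = <<<'PHP'
<?php
$settings['trusted_host_patterns'] = ['^www\.example\.com$'];

/**
 * Load local development override configuration, if available.
 *
 * Keep this code block at the end of this file to take full effect.
 */
if (file_exists(__DIR__ . '/settings.local.php')) {
  include __DIR__ . '/settings.local.php';
}
PHP;

// The shape this issue fixed: a statement was appended below the include.
$regressed = $fixed . "\n\$settings['trusted_host_patterns'] = ['^www\\.example\\.com\$'];\n";

var_dump(local_include_is_last($fixed));      // the include closes the file
var_dump(local_include_is_last($regressed));  // a later statement would override the local file

// Against a checkout:
// local_include_is_last(file_get_contents('sites/default/default.settings.php'));
```

Wired into a PHPUnit test, the assertion would be that the function returns true for the real sites/default/default.settings.php; the failure message can quote the "Keep this code block at the end of this file" comment so whoever appends the next section sees why the build went red.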

  • webchick committed 5f5fa3b on 8.0.x
    Issue #2419225 by mikeker: settings.local.php trusted_host_patterns are...
webchick’s picture

Status: Reviewed & tested by the community » Fixed

Hm. Yeah, I can't really think of a useful test that would work even if something else completely different was appended to the bottom next time. And we might do just as well with making the last line of the file "# No, seriously, don't ever put anything else at the bottom of this file." ;)

For now, I'm comfortable considering this a one-off since the documentation does say that, and just wasn't followed in that issue. If it happens again, maybe we can add some capital letters and ASCII snowmen or whatever to the docs, too. ;)

Committed and pushed to 8.0.x. Thanks!

mikeker’s picture

Something like this? :)

            uuuuuuuuuuuuuuuuuuuu
          u" uuuuuuuuuuuuuuuuuu "u
        u" u$$$$$$$$$$$$$$$$$$$$u "u
      u" u$$$$$$$$$$$$$$$$$$$$$$$$u "u
    u" u$$$$$$$$$$$$$$$$$$$$$$$$$$$$u "u
  u" u$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$u "u
u" u$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$u "u
$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $
$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $
$ $$$" ... "$...  ...$" ... "$$$  ... "$$$ $
$ $$$u `"$$$$$$$  $$$  $$$$$  $$  $$$  $$$ $
$ $$$$$$uu "$$$$  $$$  $$$$$  $$  """ u$$$ $
$ $$$""$$$  $$$$  $$$u "$$$" u$$  $$$$$$$$ $
$ $$$$....,$$$$$..$$$$$....,$$$$..$$$$$$$$ $
$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $
"u "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$" u"
  "u "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$" u"
    "u "$$$$$$$$$$$$$$$$$$$$$$$$$$$$" u"
      "u "$$$$$$$$$$$$$$$$$$$$$$$$" u"
        "u "$$$$$$$$$$$$$$$$$$$$" u"
          "u """""""""""""""""" u"
            """"""""""""""""""""
webchick’s picture

LOL :)

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.