From 997dc3814bac5dd3e791767a5a452397fb62f7ad Mon Sep 17 00:00:00 2001 From: James Cole Date: Sat, 17 Feb 2024 08:18:49 +0100 Subject: [PATCH] Add host header validation --- .env.example | 12 ++---------- .../Auth/ForgotPasswordController.php | 18 ++++++++++++++++++ .../Auth/ResetPasswordController.php | 4 +++- 3 files changed, 23 insertions(+), 11 deletions(-) diff --git a/.env.example b/.env.example index a87b2f353b..f63a3e2ac5 100644 --- a/.env.example +++ b/.env.example @@ -332,15 +332,7 @@ DEMO_PASSWORD= FIREFLY_III_LAYOUT=v1 # -# If you have trouble configuring your Firefly III installation, DON'T BOTHER setting this variable. -# It won't work. It doesn't do ANYTHING. Don't believe the lies you read online. I'm not joking. -# This configuration value WILL NOT HELP. -# -# Notable exception to this rule is Synology, which, according to some users, will use APP_URL to rewrite stuff. -# -# This variable is ONLY used in some of the emails Firefly III sends around. Nowhere else. -# So when configuring anything WEB related this variable doesn't do anything. Nothing -# -# If you're stuck I understand you get desperate but look SOMEWHERE ELSE. +# Please make sure this URL matches the external URL of your Firefly III installation. +# It is used to validate specific requests and to generate URLs in emails. # APP_URL=http://localhost diff --git a/app/Http/Controllers/Auth/ForgotPasswordController.php b/app/Http/Controllers/Auth/ForgotPasswordController.php index c026d12ad5..2bec5fe695 100644 --- a/app/Http/Controllers/Auth/ForgotPasswordController.php +++ b/app/Http/Controllers/Auth/ForgotPasswordController.php @@ -68,6 +68,9 @@ class ForgotPasswordController extends Controller return view('error', compact('message')); } + // validate host header. + $this->validateHost(); + $this->validateEmail($request); // verify if the user is not a demo user. If so, we give him back an error. 
@@ -118,4 +121,19 @@ class ForgotPasswordController extends Controller return view('auth.passwords.email')->with(compact('allowRegistration', 'pageTitle')); } + + /** + * @return void + * @throws FireflyException + */ + private function validateHost(): void { + $configuredHost = parse_url((string)config('app.url'), PHP_URL_HOST); + if(false === $configuredHost || null === $configuredHost) { + throw new FireflyException('Please set a valid and correct Firefly III URL in the APP_URL environment variable.'); + } + $host = request()->host(); + if($configuredHost !== $host) { + throw new FireflyException('The Host-header does not match the host in the APP_URL environment variable. Please make sure these match. See also: https://bit.ly/FF3-host-header'); + } + } } diff --git a/app/Http/Controllers/Auth/ResetPasswordController.php b/app/Http/Controllers/Auth/ResetPasswordController.php index 0a0ff45a0e..6f2cc2b045 100644 --- a/app/Http/Controllers/Auth/ResetPasswordController.php +++ b/app/Http/Controllers/Auth/ResetPasswordController.php @@ -80,6 +80,8 @@ class ResetPasswordController extends Controller return view('error', compact('message')); } + + $rules = [ 'token' => 'required', 'email' => 'required|email', @@ -90,7 +92,7 @@ class ResetPasswordController extends Controller // Here we will attempt to reset the user's password. If it is successful we // will update the password on an actual user model and persist it to the - // database. Otherwise we will parse the error and return the response. + // database. Otherwise, we will parse the error and return the response. $response = $this->broker()->reset( $this->credentials($request), function ($user, $password): void {
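Review bot: The comparison in validateHost() can reject a correctly configured installation, because `request()->host()` delegates to Symfony's `Request::getHost()`, which (if I read HttpFoundation correctly) lowercases the header value as RFC 952/2181 prescribe, while `parse_url(..., PHP_URL_HOST)` returns the configured host with its original case, so an `APP_URL` such as `http://Firefly.example` would always hit the mismatch exception. Normalise the configured side before the `!==` check, since hostnames are case-insensitive: `$configuredHost = strtolower($configuredHost);`. The guard is also scoped to this single route; Laravel's `TrustHosts` middleware (Symfony trusted hosts) performs the same host-header validation for every request, so it is worth considering as the primary control, with this method as the user-facing error for the password-reset flow. Two smaller points: the error message sends the user through a URL shortener, which cannot be verified and whose target can change, so a direct link to the documentation is preferable, and `private function validateHost(): void {` and `if(` do not follow PSR-12 (brace on the next line, `if (`).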