Password reset - fix for possible host header injection (#362)

* Password reset - fix for possible host header injection * Update src/Controller/Admin/LoginController.php Co-authored-by: Sebastian Blank <[email protected]> --------- Co-authored-by: Sebastian Blank <[email protected]>
pimcore · Dec 6, 2023 · 70f2205 · 70f2205
1 parent 9cae27b
commit 70f2205
Showing 1 changed file with 22 additions and 6 deletions.
diff --git a/src/Controller/Admin/LoginController.php b/src/Controller/Admin/LoginController.php
@@ -32,6 +32,7 @@
 use Pimcore\Logger;
 use Pimcore\Model\User;
 use Pimcore\Security\SecurityHelper;
+use Pimcore\SystemSettingsConfig;
 use Pimcore\Tool;
 use Pimcore\Tool\Authentication;
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticatorInterface;
@@ -44,6 +45,7 @@
 use Symfony\Component\RateLimiter\RateLimiterFactory;
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\Routing\RouterInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Core\User\UserInterface;
@@ -194,7 +196,13 @@ public function loginCheckAction(Request $request): RedirectResponse
     /**
      * @Route("/login/lostpassword", name="pimcore_admin_login_lostpassword")
      */
-    public function lostpasswordAction(Request $request, CsrfProtectionHandler $csrfProtection, Config $config, RateLimiterFactory $resetPasswordLimiter): Response
+    public function lostpasswordAction(
+        Request $request,
+        CsrfProtectionHandler $csrfProtection,
+        Config $config,
+        RateLimiterFactory $resetPasswordLimiter,
+        RouterInterface $router
+    ): Response
     {
         $params = $this->buildLoginPageViewParams($config);
         $error = null;
@@ -226,12 +234,20 @@ public function lostpasswordAction(Request $request, CsrfProtectionHandler $csrf
             if (!$error) {
                 $token = Authentication::generateTokenByUser($user);
 
-                $loginUrl = $this->generateUrl('pimcore_admin_login_check', [
-                    'token' => $token,
-                    'reset' => 'true',
-                ], UrlGeneratorInterface::ABSOLUTE_URL);
-
                 try {
+                    $domain = SystemSettingsConfig::get()['general']['domain'];
+                    if (!$domain) {
+                        throw new \Exception('No main domain set in system settings, unable to generate reset password link');
+                    }
+
+                    $context = $router->getContext();
+                    $context->setHost($domain);
+
+                    $loginUrl = $this->generateUrl('pimcore_admin_login_check', [
+                        'token' => $token,
+                        'reset' => 'true',
+                    ], UrlGeneratorInterface::ABSOLUTE_URL);
+
                     $event = new LostPasswordEvent($user, $loginUrl);
                     $this->eventDispatcher->dispatch($event, AdminEvents::LOGIN_LOSTPASSWORD);