W3cubDocs

/Yii 2.0

Class yii\filters\HostControl

Inheritance yii\filters\HostControl » yii\base\ActionFilter » yii\base\Behavior » yii\base\Object
Implements yii\base\Configurable
Available since version 2.0.11
Source Code https://github.com/yiisoft/yii2/blob/master/framework/filters/HostControl.php

HostControl provides simple control over requested host name.

This filter provides protection against 'host header' attacks, allowing action execution only for specified host names.

Application configuration example:

return [
    'as hostControl' => [
        'class' => 'yii\filters\HostControl',
        'allowedHosts' => [
            'example.com',
            '*.example.com',
        ],
    ],
    // ...
];

Controller configuration example:

use yii\web\Controller;
use yii\filters\HostControl;

class SiteController extends Controller
{
    public function behaviors()
    {
        return [
            'hostControl' => [
                'class' => HostControl::className(),
                'allowedHosts' => [
                    'example.com',
                    '*.example.com',
                ],
            ],
        ];
    }

    // ...
}

Note: the best way to restrict allowed host names is usage of the web server 'virtual hosts' configuration. This filter should be used only if this configuration is not available or compromised.

Public Properties

Property Type Description Defined By
$allowedHosts array|Closure|null List of host names, which are allowed. yii\filters\HostControl
$denyCallback callable A callback that will be called if the current host does not match $allowedHosts. yii\filters\HostControl
$except array List of action IDs that this filter should not apply to. yii\base\ActionFilter
$fallbackHostInfo string|null Fallback host info (e.g. `http://www. yii\filters\HostControl
$only array List of action IDs that this filter should apply to. yii\base\ActionFilter
$owner yii\base\Component|null The owner of this behavior yii\base\Behavior

Public Methods

Method Description Defined By
__call() Calls the named method which is not a class method. yii\base\Object
__construct() Constructor. yii\base\Object
__get() Returns the value of an object property. yii\base\Object
__isset() Checks if a property is set, i.e. defined and not null. yii\base\Object
__set() Sets value of an object property. yii\base\Object
__unset() Sets an object property to null. yii\base\Object
afterAction() This method is invoked right after an action is executed. yii\base\ActionFilter
afterFilter() yii\base\ActionFilter
attach() Attaches the behavior object to the component. yii\base\Behavior
beforeAction() This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action. yii\filters\HostControl
beforeFilter() yii\base\ActionFilter
canGetProperty() Returns a value indicating whether a property can be read. yii\base\Object
canSetProperty() Returns a value indicating whether a property can be set. yii\base\Object
className() Returns the fully qualified name of this class. yii\base\Object
detach() Detaches the behavior object from the component. yii\base\Behavior
events() Declares event handlers for the $owner's events. yii\base\Behavior
hasMethod() Returns a value indicating whether a method is defined. yii\base\Object
hasProperty() Returns a value indicating whether a property is defined. yii\base\Object
init() Initializes the object. yii\base\Object

Protected Methods

Method Description Defined By
denyAccess() Denies the access. yii\filters\HostControl
getActionId() Returns an action ID by converting yii\base\Action::$uniqueId into an ID relative to the module yii\base\ActionFilter
isActive() Returns a value indicating whether the filter is active for the given action. yii\base\ActionFilter

Property Details

$allowedHosts public property

List of host names, which are allowed. Each host can be specified as a wildcard pattern. For example:

[
    'example.com',
    '*.example.com',
]

This field can be specified as a PHP callback of following signature:

function (\yii\base\Action $action) {
    //return array of strings
}

where $action is the current action object.

If this field is not set - no host name check will be performed.

public array|Closure|null $allowedHosts = null

$denyCallback public property

A callback that will be called if the current host does not match $allowedHosts. If not set, denyAccess() will be called.

The signature of the callback should be as follows:

function (\yii\base\Action $action)

where $action is the current action object.

Note: while implementing your own host deny processing, make sure you avoid usage of the current requested host name, creation of absolute URL links, caching page parts and so on.

public callable $denyCallback = null

$fallbackHostInfo public property

Fallback host info (e.g. http://www.yiiframework.com) used when Request::$hostInfo is invalid. This value will replace Request::$hostInfo before $denyCallback is called to make sure that an invalid host will not be used for further processing. You can set it to null to leave Request::$hostInfo untouched. Default value is empty string (this will result creating relative URLs instead of absolute).

See also yii\web\Request::getHostInfo().

public string|null $fallbackHostInfo = ''

Method Details

beforeAction() public method

This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action.

public boolean beforeAction ( $action )
$action yii\base\Action

The action to be executed.

return boolean

Whether the action should continue to be executed.

denyAccess() protected method

Denies the access.

The default implementation will display 404 page right away, terminating the program execution. You may override this method, creating your own deny access handler. While doing so, make sure you avoid usage of the current requested host name, creation of absolute URL links, caching page parts and so on.

protected void denyAccess ( $action )
$action yii\base\Action

The action to be executed.

throws yii\web\NotFoundHttpException

© 2008–2017 by Yii Software LLC
Licensed under the three clause BSD license.
http://www.yiiframework.com/doc-2.0/yii-filters-hostcontrol.html