Inheritance | yii\filters\HostControl » yii\base\ActionFilter » yii\base\Behavior » yii\base\Object |
---|---|
Implements | yii\base\Configurable |
Available since version | 2.0.11 |
Source Code | https://github.com/yiisoft/yii2/blob/master/framework/filters/HostControl.php |
HostControl provides simple control over requested host name.
This filter provides protection against 'host header' attacks, allowing action execution only for specified host names.
Application configuration example:
return [ 'as hostControl' => [ 'class' => 'yii\filters\HostControl', 'allowedHosts' => [ 'example.com', '*.example.com', ], ], // ... ];
Controller configuration example:
use yii\web\Controller; use yii\filters\HostControl; class SiteController extends Controller { public function behaviors() { return [ 'hostControl' => [ 'class' => HostControl::className(), 'allowedHosts' => [ 'example.com', '*.example.com', ], ], ]; } // ... }
Note: the best way to restrict allowed host names is usage of the web server 'virtual hosts' configuration. This filter should be used only if this configuration is not available or compromised.
Property | Type | Description | Defined By |
---|---|---|---|
$allowedHosts | array|Closure|null | List of host names, which are allowed. | yii\filters\HostControl |
$denyCallback | callable | A callback that will be called if the current host does not match $allowedHosts. | yii\filters\HostControl |
$except | array | List of action IDs that this filter should not apply to. | yii\base\ActionFilter |
$fallbackHostInfo | string|null | Fallback host info (e.g. `http://www. | yii\filters\HostControl |
$only | array | List of action IDs that this filter should apply to. | yii\base\ActionFilter |
$owner | yii\base\Component|null | The owner of this behavior | yii\base\Behavior |
Method | Description | Defined By |
---|---|---|
__call() | Calls the named method which is not a class method. | yii\base\Object |
__construct() | Constructor. | yii\base\Object |
__get() | Returns the value of an object property. | yii\base\Object |
__isset() | Checks if a property is set, i.e. defined and not null. | yii\base\Object |
__set() | Sets value of an object property. | yii\base\Object |
__unset() | Sets an object property to null. | yii\base\Object |
afterAction() | This method is invoked right after an action is executed. | yii\base\ActionFilter |
afterFilter() | yii\base\ActionFilter | |
attach() | Attaches the behavior object to the component. | yii\base\Behavior |
beforeAction() | This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action. | yii\filters\HostControl |
beforeFilter() | yii\base\ActionFilter | |
canGetProperty() | Returns a value indicating whether a property can be read. | yii\base\Object |
canSetProperty() | Returns a value indicating whether a property can be set. | yii\base\Object |
className() | Returns the fully qualified name of this class. | yii\base\Object |
detach() | Detaches the behavior object from the component. | yii\base\Behavior |
events() | Declares event handlers for the $owner's events. | yii\base\Behavior |
hasMethod() | Returns a value indicating whether a method is defined. | yii\base\Object |
hasProperty() | Returns a value indicating whether a property is defined. | yii\base\Object |
init() | Initializes the object. | yii\base\Object |
Method | Description | Defined By |
---|---|---|
denyAccess() | Denies the access. | yii\filters\HostControl |
getActionId() | Returns an action ID by converting yii\base\Action::$uniqueId into an ID relative to the module | yii\base\ActionFilter |
isActive() | Returns a value indicating whether the filter is active for the given action. | yii\base\ActionFilter |
List of host names, which are allowed. Each host can be specified as a wildcard pattern. For example:
[ 'example.com', '*.example.com', ]
This field can be specified as a PHP callback of following signature:
function (\yii\base\Action $action) { //return array of strings }
where $action
is the current action object.
If this field is not set - no host name check will be performed.
public array|Closure|null $allowedHosts = null
A callback that will be called if the current host does not match $allowedHosts. If not set, denyAccess() will be called.
The signature of the callback should be as follows:
function (\yii\base\Action $action)
where $action
is the current action object.
Note: while implementing your own host deny processing, make sure you avoid usage of the current requested host name, creation of absolute URL links, caching page parts and so on.
public callable $denyCallback = null
Fallback host info (e.g. http://www.yiiframework.com
) used when Request::$hostInfo is invalid. This value will replace Request::$hostInfo before $denyCallback is called to make sure that an invalid host will not be used for further processing. You can set it to null
to leave Request::$hostInfo untouched. Default value is empty string (this will result creating relative URLs instead of absolute).
See also yii\web\Request::getHostInfo().
public string|null $fallbackHostInfo = ''
This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action.
public boolean beforeAction ( $action ) | ||
---|---|---|
$action | yii\base\Action |
The action to be executed. |
return | boolean |
Whether the action should continue to be executed. |
Denies the access.
The default implementation will display 404 page right away, terminating the program execution. You may override this method, creating your own deny access handler. While doing so, make sure you avoid usage of the current requested host name, creation of absolute URL links, caching page parts and so on.
protected void denyAccess ( $action ) | ||
---|---|---|
$action | yii\base\Action |
The action to be executed. |
throws | yii\web\NotFoundHttpException |
© 2008–2017 by Yii Software LLC
Licensed under the three clause BSD license.
http://www.yiiframework.com/doc-2.0/yii-filters-hostcontrol.html