From e3f038b7de5599b12f725630dc66f569440970f2 Mon Sep 17 00:00:00 2001 From: Chris Wilkinson Date: Thu, 6 Apr 2017 11:21:03 +0100 Subject: [PATCH] Fix trusted hosts example regular expressions Allow subdomains but not prefixed domains (eg evilexample.com) --- reference/configuration/framework.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst index bbdb77365f9..e706b7ef00e 100644 --- a/reference/configuration/framework.rst +++ b/reference/configuration/framework.rst @@ -362,14 +362,14 @@ respond and the user will receive a 500 response. 'trusted_hosts' => array('example.com', 'example.org'), )); -Hosts can also be configured using regular expressions (e.g. ``.*\.?example.com$``), +Hosts can also be configured using regular expressions (e.g. ``^(.+\.)?example.com$``), which make it easier to respond to any subdomain. In addition, you can also set the trusted hosts in the front controller using the ``Request::setTrustedHosts()`` method:: // web/app.php - Request::setTrustedHosts(array('.*\.?example.com$', '.*\.?example.org$')); + Request::setTrustedHosts(array('^(.+\.)?example.com$', '^(.+\.)?example.org$')); The default value for this option is an empty array, meaning that the application can respond to any given host.