[Question] How would I include the "Host:" header in the content path?

picocms / Pico

Pico is a stupidly simple, blazing fast, flat file CMS.

http://picocms.org/

MIT License

3.82k stars 616 forks source link

[Question] How would I include the "Host:" header in the content path? #311

Closed oschettler closed 8 years ago

oschettler commented 8 years ago

I would like to use PicoCMS to answer on multiple domains and yield separate content, depending on the domain.

For example,

http://example1.com/aa/bb should yield the file content/example1.com/aa/bb.md
http://example2.com/aa/bb should yield the file content/example2.com/aa/bb.md

Is there a way to implement this in a plugin? My approach currently is to prefix QUERY_STRING with the value of HTTP_HOST in index.php.

PhrozenByte commented 8 years ago

Picos's plugin system is very powerful and allows various solutions for this problem. I think the one you have chosen (prefixing the request URL with HTTP_HOST) already is one of the best possible solutions, because it changes the way Pico handles requests least. Actually you just have to move your code from index.php to the onRequestUrl event:

class HostBasedContentsPlugin extends AbstractPicoPlugin
{
    public function onRequestUrl(&$url)
    {
        // we don't have to validate this user input here,
        // Pico already assumes $url to be possibly poisonous
        $url = $_SERVER['HTTP_HOST'] . '/' . $url;
    }
}

This allows you to use domain-based contents, if you rather want to use Pico as a "full" multi-domain installation with even different configs, plugins and themes, please refer to #254 and #301.

oschettler commented 8 years ago

Cool trick, thank you. I will check out the plugin API more thoroughly.

Meanwhile, I have found another solution: I have prefixed the content_dir with HTTP_HOST in config/config.php like so:

$config['content_dir'] = 'content/' . $_SERVER['HTTP_HOST'] . '/';

PhrozenByte commented 8 years ago

Please don't forget that $_SERVER['HTTP_HOST'] is user input and needs validation! As long as your webserver configuration doesn't prevent this as a side-effect, users can exploit this by sending malicious contents (like ../../../../some/folder/you/dont/want/to/be/readable) as Host header.

My example avoids this by just modifying the request URL, what is user input as well and therefore gets validated by Pico.

oschettler commented 8 years ago

Oha, thank you for pointing this out.