I just installed OJS3 on Apache2 and tested on ‘localhost’, which worked. Now, when I input 127.0.0.1 or any valid internal IP, I got 400 Bad Request.
From what I read, it seems that OJS _ (underscore) files/directories could be the root of this problem.
I created another website on Apache2 with just a html file and a directory named _file and it worked. So I’m confused and looking for help.
ojs-3.3.0-10
I forgot to configure config.inc.php to allow other hosts. Problem solved!
marc, May 16, 2022, 4:21pm
Hi Rodrigo, welcome to the PKP community.
I’m happy you found the solution so fast, but for others arriving at this post with a similar error, let me explain it a little more:
In OJS 3.3.0-9 a new variable called allowed_hosts was introduced in config.inc.php.
This is a general problem with webservers, so PKP applied the same solution you can see in Drupal, WordPress and other CMSs.
If your server answers to multiple domains, or your reverse proxy changes your domain name… you will get a “400 Bad Request” error, but as it’s said, this is not a bug, it’s a feature.
If you’d like to answer requests under different names, you need to add all your domains to the allowed_hosts array in your config.inc.php as follows:
```
allowed_hosts = '["localhost", "127.0.0.1", "myjournal.tld", "anotherjournal.tld", "mylibrary.tld"]'
```
As it is a security concern, the change was also applied to older versions with active support, like stable-3.2.x and stable-3.3.x.
If you’d like to know more about this, you may want to read:
Linked GitHub issue (label Bug:3:Critical; opened 09:29PM 25 Jan 22 UTC, closed 03:47AM 01 Mar 22 UTC):
**Description of problem**
OJS/OMP/OPS currently uses the `HTTP_HOST`, `SERVER_NAME`, and `HTTP_X_FORWARDED_HOST` headers to detect the current hostname for formulating absolute URLs.
Per https://portswigger.net/web-security/host-header, these headers may be user-controlled and thus not trustworthy. This could be used to e.g. send password reset emails with poisoned links that direct the user to a 3rd-party site, where the reset hash can be captured. (We are not currently aware of another possible abuse via this mechanism.)
Thanks to Hemant Kashyap for reporting the issue.
**Solution**
The changes described here add support for a list of allowed host names to be provided in the config.inc.php configuration file. User-supplied values are checked against this list and only one of the listed values will be allowed.
**Affected versions**
This issue affects *all releases* of OJS, OMP, and OPS versions 3.3.0-8 and older.
**How to resolve the issue**
1. Update the code to support the new `allowed_hosts` setting. This can be done by any of the following...
   1. Upgrade OJS, OMP, or OPS to version 3.3.0-9 or newer, *or*
   2. If using git, update to the latest `stable-3_3_0` or `stable-3_2_1` branches, *or*
   3. Apply the appropriate patch for your installation:
      - 3.3.0-9 and newer: Not affected.
      - 3.3.0-1 through 3.3.0-8: [OJS](https://github.com/pkp/pkp-lib/files/8157778/ojs-3.3.0-8.diff.txt) [OMP](https://github.com/pkp/pkp-lib/files/8157780/omp-3.3.0-8.diff.txt) [OPS](https://github.com/pkp/pkp-lib/files/8157781/ops-3.3.0-8.diff.txt)
      - 3.2.0 or 3.2.1: [OJS](https://github.com/pkp/pkp-lib/files/8157784/ojs-3.2.1-4.diff.txt) [OMP](https://github.com/pkp/pkp-lib/files/8157785/omp-3.2.1-4.diff.txt) [OPS](https://github.com/pkp/pkp-lib/files/8157786/ops-3.2.1-4.diff.txt)
      - 3.0 to 3.1.x: Upgrading is recommended, but you may apply [this untested patch (for OJS and OMP)](https://github.com/pkp/pkp-lib/files/8162808/older.diff.txt).
      - 2.x: No patch available; upgrading is recommended.
2. Add an `allowed_hosts` setting to the `general` section of your `config.inc.php` configuration file. Here is the description/example from `config.TEMPLATE.inc.php`:
```
; Restrict the list of allowed hosts to prevent HOST header injection.
; See docs/README.md for more details. The list should be JSON-formatted.
; An empty string indicates that all hosts should be trusted (not recommended!)
; Example:
; allowed_hosts = '["myjournal.tld", "anotherjournal.tld", "mylibrary.tld"]'
allowed_hosts = ''
```
3. You can test whether or not the configuration is working by intentionally misconfiguring `allowed_hosts`. Attempting to load a page from the software should result in a `400 Bad Request` error page.
**Commits/pull requests**
(This is for tracking development work on the issue; you likely don't need to know this.)
PRs/commits:
- `main`:
  - https://github.com/pkp/pkp-lib/pull/7656
  - https://github.com/pkp/ojs/pull/3291
  - omp: https://github.com/pkp/omp/commit/570394176dd1d2b9dbdfcbd78d3a037d4bbdf14e
  - ops: https://github.com/pkp/ops/commit/586c281316db817f086ebc4f04d65b5491e3a7c5
- `stable-3_3_0`:
  - pkp-lib: https://github.com/pkp/pkp-lib/pull/7650
  - ojs: https://github.com/pkp/ojs/pull/3289
  - omp: https://github.com/pkp/omp/commit/006ebf92b1c23b983aed2fdd8d8151b050588690
  - ops: https://github.com/pkp/ops/commit/f75f58a7b1324637a97feb85f613f7e2df806452
- `stable-3_2_1`:
  - pkp-lib: https://github.com/pkp/pkp-lib/commit/9abc0f70f8d151f153fe36270341938216f3e5c2
  - ojs: https://github.com/pkp/ojs/commit/1dfad486bcd14e7338db497bbb8dd67b0fad1667
  - omp: https://github.com/pkp/omp/commit/29c45954c385ee6ad8944edf187280ddbfeebcf5
  - ops: https://github.com/pkp/ops/commit/a2e7bb8d345af595620ae1aa590267a4a048b351
Cheers,
m.
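To make the mechanism behind the "400 Bad Request" concrete, here is an added PHP example (written for this thread; it is neither OJS code nor part of marc's post) that reads an `allowed_hosts` value in the same JSON format `config.inc.php` uses, compares the client-supplied host name against it, and decides between serving the page and answering 400. The function names, the order in which `HTTP_X_FORWARDED_HOST`, `HTTP_HOST` and `SERVER_NAME` are consulted, and the port-stripping rule are assumptions of this example, not a description of how OJS implements the check. The sample requests at the bottom are constructed, and the last one reproduces the original problem: a perfectly valid LAN address that simply is not in the list.

```php
<?php
// Added example, not OJS code: host allow-list check in the style of allowed_hosts.
declare(strict_types=1);

/**
 * Parse the allowed_hosts setting. OJS stores it as a JSON array string;
 * an empty string means "trust every host" (not recommended).
 * Returns null for "allow all", otherwise a list of lowercase host names.
 */
function parseAllowedHosts(string $setting): ?array
{
    if (trim($setting) === '') {
        return null;
    }
    $hosts = json_decode($setting, true);
    if (!is_array($hosts)) {
        throw new InvalidArgumentException('allowed_hosts must be a JSON array of strings');
    }
    return array_map(function ($h) {
        return strtolower(trim((string) $h));
    }, $hosts);
}

/**
 * True if the value a client sent names one of the allowed hosts.
 * A trailing :port is ignored (assumption of this example), so
 * "localhost:8080" matches the entry "localhost"; IPv6 literals such as
 * "[::1]:8080" keep their brackets and are matched as "[::1]".
 * Anything that does not parse as host[:port] is rejected.
 */
function isAllowedHost(string $requestHost, ?array $allowed): bool
{
    if ($allowed === null) {
        return true;            // allow-all configuration
    }
    $host = strtolower(trim($requestHost));
    if (preg_match('/^(\[[^\]]+\]|[^:]+)(:\d+)?$/', $host, $m) !== 1) {
        return false;           // malformed Host value
    }
    return in_array($m[1], $allowed, true);
}

/**
 * Pick the client-controlled host name from the request. The precedence
 * used here (forwarded header first, then Host, then SERVER_NAME) is an
 * assumption of this example; the issue only states that OJS consults all three.
 */
function effectiveHost(array $server): string
{
    return $server['HTTP_X_FORWARDED_HOST']
        ?? $server['HTTP_HOST']
        ?? $server['SERVER_NAME']
        ?? '';
}

// Constructed configuration, same format as the thread's config.inc.php line.
$allowed = parseAllowedHosts('["localhost", "127.0.0.1", "myjournal.tld"]');

// Constructed $_SERVER-style arrays standing in for four incoming requests.
$requests = [
    ['HTTP_HOST' => 'localhost'],
    ['HTTP_HOST' => '127.0.0.1:8080'],
    ['HTTP_HOST' => 'myjournal.tld', 'HTTP_X_FORWARDED_HOST' => 'not-listed.example'],
    ['HTTP_HOST' => '192.168.1.20'],   // a valid LAN address that is not listed
];

foreach ($requests as $server) {
    $host = effectiveHost($server);
    if (isAllowedHost($host, $allowed)) {
        echo "200 OK            host={$host}\n";
    } else {
        // This branch is what a visitor sees as the "400 Bad Request" page.
        echo "400 Bad Request   host={$host}\n";
    }
}
```

Running it with `php` prints one line per request: the first two are accepted, the third is refused because the forwarded host name is not in the list even though `Host` is, and the fourth is refused for the reason Rodrigo hit. Note that an empty `allowed_hosts` disables the check entirely, which is why the template marks that setting as not recommended. On a live OJS install the equivalent check is to request your own server with a host name you did not list (for example `curl -H 'Host: not-listed.example' http://127.0.0.1/`) and confirm you get the 400 page rather than content.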