Since v4.3.0, Config\App::$allowedHostnames has permitted one to add multiple host URLs to be returned as though they were the base_url(), which is great!
However, having had a look at SiteURIFactory.php, I see the checking against this array of $allowedHostnames (in getValidHost()) is done using a simple text in_array() comparison... so it cannot digest wildcards.
Given that having Filters.php enabled strips out any questionable (or accidental) content in $_REQUEST and replaces the request with base_url(), or the $_REQUEST URL (if the host is in $allowedHostnames), this results in every possible subdomain host needing to be listed in $allowedHostnames.
There appears to be no other easy way to prevent Filters.php from doing this, without making the filtering conditions so wide-open that it renders Filters.php ineffective. Under certain circumstances (like the ones I currently have), this causes $allowedHostnames to become really, really long... and, without a doubt, a nightmare to manage going forward.
So, my question is whether there is a way around this as the CI code currently stands?
And, if not, suggest that it would be great - and make this headache a complete non-issue - if $allowedHostnames permitted wildcards!
Would there be any sense to explicitly call these subdomain hosts... and if so, then have them identified only by their (subdomain) hostname, without the base_url() domain name portion? In other words (in App.php):
Code:
['media.example.com', 'accounts.example.com']
would become:
Code:
['media', 'accounts']
... and this would make it reasonably simple to have getValidHost() upgraded to accept wildcards in the $allowedHostnames.
Edit:
In the interim, I've used a bit of duct-tape to patch it:
In App.php:
Code:
public array $allowedHostnames = ['.domain.com']; // first hostname set to '.' + root domain (adding the '.' could also be done in SiteURIFactory.php)
and an (unfortunate) edit to the CI system code, in SiteURIFactory.php:
Code:
private function getValidHost(string $host): ?string
{
if (str_ends_with($host, $this->appConfig->allowedHostnames[0])) return $host;
...
There are other ways to do it too... perhaps an "$allowSubdomains" flag in App.php could also do the job (?), which may be better in terms of adding less processing overheads... or not.
