From b402e2e1176e7007ddc33fe047c0126997d807c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adolfo=20G=C3=B3mez=20Garc=C3=ADa?=
Date: Fri, 16 Aug 2024 16:07:41 +0200
Subject: [PATCH] Using first the SERVER_NAME instead of HTTP_HOST for inproved security as suggested by @meetinthemiddle-be. Thanks! ;-)

---
 server/src/uds/web/util/authentication.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/server/src/uds/web/util/authentication.py b/server/src/uds/web/util/authentication.py
index 71d20cf1d..aef7e11a3 100644
--- a/server/src/uds/web/util/authentication.py
+++ b/server/src/uds/web/util/authentication.py
@@ -55,16 +55,17 @@ logger = logging.getLogger(__name__)
 def check_login(  # pylint: disable=too-many-branches, too-many-statements
     request: 'ExtendedHttpRequest', form: 'LoginForm', tag: typing.Optional[str] = None
 ) -> types.auth.LoginResult:
-    host = (
-        request.META.get('HTTP_HOST') or request.META.get('SERVER_NAME') or 'auth_host'
-    )  # Last one is a placeholder in case we can't locate host name
+    # Last one is a placeholder in case we can't locate host name
+    server_name = (
+        request.META.get('SERVER_NAME') or request.META.get('HTTP_HOST') or 'auth_host'
+    )[:128]
 
     # Get Authenticators limitation
     if GlobalConfig.DISALLOW_GLOBAL_LOGIN.as_bool(False) is True:
         if not tag:
             try:
-                Authenticator.objects.get(small_name=host)
-                tag = host
+                Authenticator.objects.get(small_name=server_name)
+                tag = server_name
             except Exception:
                 try:
                     tag = Authenticator.objects.order_by('priority')[0].small_name
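Review bot: Preferring SERVER_NAME over HTTP_HOST in the new `server_name = (...)[:128]` expression only helps when the WSGI server or reverse proxy fills SERVER_NAME from its own configuration; in some deployments (e.g. Apache with UseCanonicalName Off) it may still be copied from the client-supplied Host header, and the `or request.META.get('HTTP_HOST')` fallback keeps that untrusted value reachable in any case. Because `server_name` then selects the authenticator (`Authenticator.objects.get(small_name=server_name)`) and becomes `tag`, the value should be validated rather than merely reordered and truncated. If this is a Django request, the robust form is `server_name = request.get_host()[:128]`, which checks the host against ALLOWED_HOSTS, with `'auth_host'` assigned in an `except DisallowedHost:` branch instead of the `or` chain. The `[:128]` bound is reasonable but is not a trust check, so a comment such as `# NOTE: SERVER_NAME is only as trustworthy as the front end that sets it` would keep the next reader from assuming otherwise. check_login's body continues past the end of the hunk.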