Fix CVE-2025-50578: Host Header Injection & Open Redirect

.env.example

@@ -4,6 +4,17 @@ APP_KEY=
 APP_DEBUG=false
 APP_URL=http://localhost
 
+# Trusted reverse proxy IP addresses (comma-separated)
+# By default, all private IP ranges are trusted (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 127.0.0.1)
+# Set this to restrict to specific proxy IP(s) for improved security:
+#   TRUSTED_PROXIES=192.168.1.10
+#   TRUSTED_PROXIES=192.168.1.10,192.168.1.11
+# Set to empty string to trust no proxies:
+#   TRUSTED_PROXIES=
+# Set to * to trust all proxies (use with caution):
+#   TRUSTED_PROXIES=*
+#TRUSTED_PROXIES=
+
 APP_LOCALE=en
 APP_FALLBACK_LOCALE=en
 APP_FAKER_LOCALE=en_US

app/Http/Controllers/Auth/LoginController.php

@@ -11,8 +11,6 @@
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
-use Illuminate\Support\Facades\Session;
-use Illuminate\Support\Facades\URL;
 use Illuminate\Validation\ValidationException;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -45,7 +43,6 @@ class LoginController extends Controller
      */
     public function __construct()
     {
-        Session::put('backUrl', URL::previous());
         $this->middleware('guest')->except(['logout','autologin']);
     }
 
@@ -135,14 +132,14 @@ public function showLoginForm(): \Illuminate\View\View
      */
     protected function authenticated(Request $request, $user): RedirectResponse
     {
-        return back();
+        return redirect()->route('dash');
     }
 
     /**
      * @return mixed|string
      */
     public function redirectTo()
     {
-        return Session::get('url.intended') ? Session::get('url.intended') : $this->redirectTo;
+        return $this->redirectTo;
     }
 }

app/Http/Middleware/RedirectIfAuthenticated.php

@@ -15,7 +15,7 @@ class RedirectIfAuthenticated
     public function handle(Request $request, Closure $next, string $guard = null): Response
     {
         if (Auth::guard($guard)->check()) {
-            return redirect()->intended();
+            return redirect('/');
         }
 
         return $next($request);

app/Http/Middleware/TrustProxies.php

@@ -10,14 +10,43 @@ class TrustProxies extends Middleware
     /**
      * The trusted proxies for this application.
      *
-     * @var array
+     * Set TRUSTED_PROXIES in your .env file to the IP address(es) of your reverse proxy.
+     * Use '*' to trust all proxies (not recommended for production).
+     * Use comma-separated values for multiple proxies (e.g., "192.168.1.10,192.168.1.11").
+     *
+     * @var array|string|null
      */
-    protected $proxies = ['192.168.0.0/16', '172.16.0.0/12', '10.0.0.0/8', '127.0.0.1'];
+    protected $proxies;
 
     /**
      * The current proxy header mappings.
      *
-     * @var array
+     * @var int
      */
     protected $headers = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_AWS_ELB;
+
+    /**
+     * Default trusted proxies (private IP ranges for backwards compatibility).
+     */
+    private const DEFAULT_PROXIES = ['192.168.0.0/16', '172.16.0.0/12', '10.0.0.0/8', '127.0.0.1'];
+
+    /**
+     * Bootstrap the middleware.
+     */
+    public function __construct()
+    {
+        $proxies = env('TRUSTED_PROXIES');
+
+        if ($proxies === null) {
+            // Default to private IP ranges for backwards compatibility
+            $this->proxies = self::DEFAULT_PROXIES;
+        } elseif ($proxies === '*') {
+            $this->proxies = '*';
+        } elseif ($proxies === '') {
+            // Explicitly set to empty = trust no proxies
+            $this->proxies = [];
+        } else {
+            $this->proxies = array_map('trim', explode(',', $proxies));
+        }
+    }
 }