New feature: enhance security with custom admin URL. (#4264)

* New feature: enhance security with  custom admin URL.

* Check if URL host matches custom admin URL.

* Fixed incorrect 404 error skin when using dev/openmage/nginx-frontend.conf

* Combined 2 if statements

* Added validation of custom admin url

* Removed unnecessary logic in store

* Update app/code/core/Mage/Core/Controller/Varien/Router/Admin.php

AI is correct! It is bad that str_contains() exposes a security vulnerability, "https://example.com/admin" would be able to access the admin panel because the host "example.com" may be contains in the admin URL "https://admin.example.com/".

Co-authored-by: Copilot <[email protected]>

* remove trim

* refactor: improve custom admin URL handling and add redirect flag

* Fix PHP-CS-Fixer

* refactor: enhance admin domain validation in routing

* Update app/code/core/Mage/Core/Controller/Varien/Router/Admin.php

---------

Co-authored-by: Sven Reichel <[email protected]>
Co-authored-by: Addison <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: 4 people

app/code/core/Mage/Adminhtml/Helper/Data.php

@@ -16,6 +16,7 @@ class Mage_Adminhtml_Helper_Data extends Mage_Adminhtml_Helper_Help_Mapping
 {
     public const XML_PATH_ADMINHTML_ROUTER_FRONTNAME   = 'admin/routers/adminhtml/args/frontName';
     public const XML_PATH_USE_CUSTOM_ADMIN_URL         = 'default/admin/url/use_custom';
+    public const XML_PATH_CUSTOM_ADMIN_URL             = 'default/admin/url/custom';
     public const XML_PATH_USE_CUSTOM_ADMIN_PATH        = 'default/admin/url/use_custom_path';
     public const XML_PATH_CUSTOM_ADMIN_PATH            = 'default/admin/url/custom_path';
     public const XML_PATH_ADMINHTML_SECURITY_USE_FORM_KEY = 'admin/security/use_form_key';
@@ -78,6 +79,20 @@ public static function getUrl($route = '', $params = [])
         return Mage::getModel('adminhtml/url')->getUrl($route, $params);
     }
 
+    /**
+     * Get custom admin URL (validated and normalized when saved via admin panel)
+     */
+    public static function getCustomAdminUrl(): string
+    {
+        $config = Mage::getConfig();
+
+        // Check if use custom admin URL is enabled
+        $useCustom = (int) $config->getNode(self::XML_PATH_USE_CUSTOM_ADMIN_URL);
+        return $useCustom
+            ? (string) $config->getNode(self::XML_PATH_CUSTOM_ADMIN_URL)
+            : '';
+    }
+
     /**
      * @return false|int
      */

app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Admin/Custom.php

@@ -23,19 +23,71 @@ class Mage_Adminhtml_Model_System_Config_Backend_Admin_Custom extends Mage_Core_
     public const XML_PATH_SECURE_BASE_LINK_URL     = 'web/secure/base_link_url';
 
     /**
-     * Validate value before save
+     * Validate custom admin URL before save
      *
      * @return $this
+     * @throws Mage_Core_Exception
      */
     protected function _beforeSave()
     {
-        $value = $this->getValue();
+        $value = trim($this->getValue());
+
+        // Empty is allowed (disabled custom admin URL)
+        if (empty($value)) {
+            $this->setValue($value);
+            return $this;
+        }
+
+        // Whitelist: only allow valid base URL characters
+        // Valid for base URL: letters, numbers, and URL-safe characters (: / . - _ [ ])
+        if (!preg_match('/^[a-zA-Z0-9:\/.\-_\[\]]+$/', $value)) {
+            Mage::throwException(
+                Mage::helper('adminhtml')->__('Custom Admin URL contains invalid characters.'),
+            );
+        }
+
+        // Parse the URL
+        $urlParts = parse_url($value);
+
+        if ($urlParts === false) {
+            Mage::throwException(
+                Mage::helper('adminhtml')->__('Invalid Custom Admin URL format.'),
+            );
+        }
+
+        // Must have protocol
+        if (!isset($urlParts['scheme'])) {
+            Mage::throwException(
+                Mage::helper('adminhtml')->__('Custom Admin URL must include protocol (http:// or https://).'),
+            );
+        }
+
+        // Only allow http and https
+        if (!in_array($urlParts['scheme'], ['http', 'https'])) {
+            Mage::throwException(
+                Mage::helper('adminhtml')->__('Custom Admin URL must use http:// or https:// protocol.'),
+            );
+        }
+
+        // Must have hostname
+        if (!isset($urlParts['host']) || empty($urlParts['host'])) {
+            Mage::throwException(
+                Mage::helper('adminhtml')->__('Custom Admin URL must include a hostname.'),
+            );
+        }
 
-        if (!empty($value) && !str_ends_with($value, '}}')) {
-            $value = rtrim($value, '/') . '/';
+        // Ensure trailing slash
+        if (!str_ends_with($value, '/')) {
+            $value .= '/';
         }
 
         $this->setValue($value);
+
+        // Set redirect flag if custom admin URL changed
+        if ($this->getOldValue() != $value) {
+            Mage::register('custom_admin_path_redirect', true, true);
+        }
+
         return $this;
     }
 
@@ -49,24 +101,24 @@ public function _afterSave()
         $useCustomUrl = $this->getData('groups/url/fields/use_custom/value');
         $value = $this->getValue();
 
-        if ($useCustomUrl == 1 && empty($value)) {
+        // If use_custom is disabled OR value is empty, just save the value (don't update base URLs)
+        if ($useCustomUrl != 1 || empty($value)) {
             return $this;
         }
 
-        if ($useCustomUrl == 1) {
-            Mage::getConfig()->saveConfig(
-                self::XML_PATH_SECURE_BASE_URL,
-                $value,
-                self::CONFIG_SCOPE,
-                self::CONFIG_SCOPE_ID,
-            );
-            Mage::getConfig()->saveConfig(
-                self::XML_PATH_UNSECURE_BASE_URL,
-                $value,
-                self::CONFIG_SCOPE,
-                self::CONFIG_SCOPE_ID,
-            );
-        }
+        // If use_custom is enabled AND value is not empty, update base URLs
+        Mage::getConfig()->saveConfig(
+            self::XML_PATH_SECURE_BASE_URL,
+            $value,
+            self::CONFIG_SCOPE,
+            self::CONFIG_SCOPE_ID,
+        );
+        Mage::getConfig()->saveConfig(
+            self::XML_PATH_UNSECURE_BASE_URL,
+            $value,
+            self::CONFIG_SCOPE,
+            self::CONFIG_SCOPE_ID,
+        );
 
         return $this;
     }

app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Admin/Usecustom.php

@@ -54,6 +54,11 @@ protected function _afterSave()
             );
         }
 
+        // Set redirect flag if use custom admin URL changed
+        if ($this->getOldValue() != $value) {
+            Mage::register('custom_admin_path_redirect', true, true);
+        }
+
         return $this;
     }
 }

app/code/core/Mage/Core/Controller/Varien/Router/Admin.php

@@ -36,12 +36,33 @@ protected function _getDefaultPath()
     }
 
     /**
-     * dummy call to pass through checking
+     * Validate admin domain before routing
      *
      * @return bool
      */
     protected function _beforeModuleMatch()
     {
+        // Check if custom admin domain is configured
+        if ($adminUrl = Mage_Adminhtml_Helper_Data::getCustomAdminUrl()) {
+            $adminHost = parse_url($adminUrl, PHP_URL_HOST);
+            if (!$adminHost) {
+                // Should never happen - URL is validated when saved
+                // If it does, fail secure (possible database corruption/bypass)
+                Mage::log(
+                    "Unable to parse custom admin URL host: {$adminUrl}. Access denied for security.",
+                    Zend_Log::ERR,
+                    'system.log',
+                );
+                return false;
+            }
+
+            $currentHost = $this->getFront()->getRequest()->getHttpHost();
+            // Strip port for comparison (getHttpHost may include port)
+            $currentHost = preg_replace('/:\d+$/', '', $currentHost);
+
+            return strtolower($adminHost) === strtolower($currentHost);
+        }
+
         return true;
     }
 

app/locale/en_US/Mage_Adminhtml.csv

@@ -281,6 +281,10 @@
 "Current Configuration Scope:","Current Configuration Scope:"
 "Current Month","Current Month"
 "Custom","Custom"
+"Custom Admin URL contains invalid characters.","Custom Admin URL contains invalid characters."
+"Custom Admin URL must include a hostname.","Custom Admin URL must include a hostname."
+"Custom Admin URL must include protocol (http:// or https://).","Custom Admin URL must include protocol (http:// or https://)."
+"Custom Admin URL must use http:// or https:// protocol.","Custom Admin URL must use http:// or https:// protocol."
 "Custom Variable ""%s""","Custom Variable ""%s"""
 "Custom Variables","Custom Variables"
 "Customer","Customer"
@@ -484,6 +488,7 @@
 "Insert Variable...","Insert Variable..."
 "Interactive","Interactive"
 "Interface Locale: %s","Interface Locale: %s"
+"Invalid Custom Admin URL format.","Invalid Custom Admin URL format."
 "Invalid Form Key. Please refresh the page.","Invalid Form Key. Please refresh the page."
 "Invalid Import Service Specified","Invalid Import Service Specified"
 "Invalid POST data (please check post_max_size and upload_max_filesize settings in your php.ini file).","Invalid POST data (please check post_max_size and upload_max_filesize settings in your php.ini file)."

errors/processor.php

@@ -489,9 +489,7 @@ protected function _validate(): bool
      */
     protected function _setSkin(string $value, ?stdClass $config = null)
     {
-        if (preg_match('/^[a-z0-9_]+$/i', $value)
-            && is_dir($this->_indexDir . self::ERROR_DIR . '/' . $value)
-        ) {
+        if (preg_match('/^[a-z0-9_]+$/i', $value) && is_dir($this->_errorDir . $value)) {
             if (!$config && $this->_config) {
                 $config = $this->_config;
             }