[Port dspace-8_x] Remove reliance on Host HTTP Header#5286
Merged
tdonohue merged 3 commits intoDSpace:dspace-8_xfrom Apr 6, 2026
Merged
[Port dspace-8_x] Remove reliance on Host HTTP Header#5286tdonohue merged 3 commits intoDSpace:dspace-8_xfrom
Host HTTP Header#5286tdonohue merged 3 commits intoDSpace:dspace-8_xfrom
Conversation
tdonohue
force-pushed
the
port_5276_to_8x
branch
from
daed22a to
891d037
Compare
tdonohue
changed the title
Host HTTP HeaderHost HTTP Header
tdonohue
added
the
needs documentation
…tting existing environment.ui.baseUrl. Replace ServerHardRedirectService.getCurrentOrigin() with getBaseUrl() to read this setting.
…calhost:4000. Override that default in several GitHub CI tasks as 127.0.0.1:4000 is required there.
…les because it's not listed in default-app-config.ts
tdonohue
force-pushed
the
port_5276_to_8x
branch
from
891d037 to
49e87d3
Compare
Member
Author
|
Please test this (or the 7.6.x version #5288) before merger. The automated tests all pass, which is a good sign. But, I feel we may want to verify this accurately fixes/patches the issues with the |
tdonohue
commented
Apr 6, 2026
Member
Author
tdonohue
left a comment
tdonohue
left a comment
There was a problem hiding this comment.
👍 I was able to manually test this today to verify that it accurately blocks all usage of the Host header, protecting against Angular CVE-2026-27739 similar to #5276.
github-project-automation
bot
moved this from 👍 Reviewer Approved
to ✅ Done
in DSpace Maintenance (9.x, 8.x, 7.6.x)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Manual port of #5276 to
dspace-8_x. Does NOT include the Angular 20 upgrade (obviously)As in #5276, a new frontend configuration is now required. However, it's only used for some redirects & for robots.txt in 8.x/7.x:
Needs documentation in Release Notes as this new configuration is likely a "breaking change"