

Commit 047b8d0

authored
Security hardening
1 parent dbb6a71 commit 047b8d0

24 files changed

Lines changed: 369 additions & 721 deletions

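--- a/Slim/App.php
+++ b/Slim/App.php
@@ -17,6 +17,7 @@
 use Psr\Http\Server\RequestHandlerInterface;
 use Psr\Log\LoggerInterface;
 use Slim\Interfaces\EmitterInterface;
+use Slim\Interfaces\RouteInterface;
 use Slim\Interfaces\RouterInterface;
 use Slim\Interfaces\ServerRequestCreatorInterface;
 use Slim\Middleware\EndpointMiddleware;
@@ -106,9 +107,9 @@ public function getContainer(): ContainerInterface
 * @param string $path The URI pattern for the route
 * @param callable|string $handler The route handler callable or controller method
 *
- * @return Route The newly created route instance
+ * @return RouteInterface The newly created route instance
 */
-public function map(array $methods, string $path, callable|string $handler): Route
+public function map(array $methods, string $path, callable|string $handler): RouteInterface
 {
 return $this->router->map($methods, $path, $handler);
 }
@@ -143,7 +144,7 @@ public function setBasePath(string $basePath): self
 */
 public function getBasePath(): string
 {
-return $this->router->getBasePath();
+return $this->router->getBasePath() ?? '';
 }
 
 /**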
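Review bot: `getBasePath()` now folds the router's `null` (the "not yet set or detected" state introduced by this commit's `RouterInterface::getBasePath(): ?string`) into `''`, so callers of `App::getBasePath()` can no longer tell an undetected base path from an explicitly empty one. The method's docblock sits just above the hunk (it ends at the `*/` on line 144) and should state that, e.g. ` * Returns '' until setBasePath() is called or BasePathMiddleware has detected a base path.` The widening of `map()`'s return type to `RouteInterface` is safe only if the methods callers use on the returned object are part of that interface; that deserves a changelog line.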

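--- a/Slim/Exception/HttpMethodNotAllowedException.php
+++ b/Slim/Exception/HttpMethodNotAllowedException.php
@@ -10,8 +10,6 @@
 
 namespace Slim\Exception;
 
-use function implode;
-
 final class HttpMethodNotAllowedException extends HttpSpecializedException
 {
 /**
@@ -46,7 +44,7 @@ public function getAllowedMethods(): array
 public function setAllowedMethods(array $methods): self
 {
 $this->allowedMethods = $methods;
-$this->message = 'Method not allowed. Must be one of: ' . implode(', ', $methods);
+$this->message = 'Method not allowed.';
 
 return $this;
 }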
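Review bot: Removing the method list from the exception message keeps it out of the response body, but a 405 response is still required to carry an `Allow` header (RFC 9110 §15.5.6), and nothing in this hunk shows where that header is produced now; please confirm the error handler/renderer builds it from `getAllowedMethods()`, which the commit keeps. Without that, the change trades a verbose body for a non-conforming response rather than hardening anything. A docblock on `setAllowedMethods()` would make the intended split explicit, e.g. ` * The allowed methods are deliberately not echoed in the message; expose them via the Allow header using getAllowedMethods().` The class docblock and the rest of the class sit outside the two hunks.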

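--- a/Slim/Interfaces/RouteCollectionInterface.php
+++ b/Slim/Interfaces/RouteCollectionInterface.php
@@ -4,7 +4,6 @@
 
 namespace Slim\Interfaces;
 
-use Slim\Routing\Route;
 use Slim\Routing\RouteGroup;
 
 /**
@@ -21,69 +20,69 @@ interface RouteCollectionInterface
 * @param string $path Route path.
 * @param callable|string $handler Route handler or controller action.
 *
- * @return Route
+ * @return RouteInterface
 */
-public function get(string $path, callable|string $handler): Route;
+public function get(string $path, callable|string $handler): RouteInterface;
 
 /**
 * Register a POST route.
 *
 * @param string $path
 * @param callable|string $handler
 *
- * @return Route
+ * @return RouteInterface
 */
-public function post(string $path, callable|string $handler): Route;
+public function post(string $path, callable|string $handler): RouteInterface;
 
 /**
 * Register a PUT route.
 *
 * @param string $path
 * @param callable|string $handler
 *
- * @return Route
+ * @return RouteInterface
 */
-public function put(string $path, callable|string $handler): Route;
+public function put(string $path, callable|string $handler): RouteInterface;
 
 /**
 * Register a PATCH route.
 *
 * @param string $path
 * @param callable|string $handler
 *
- * @return Route
+ * @return RouteInterface
 */
-public function patch(string $path, callable|string $handler): Route;
+public function patch(string $path, callable|string $handler): RouteInterface;
 
 /**
 * Register a DELETE route.
 *
 * @param string $path
 * @param callable|string $handler
 *
- * @return Route
+ * @return RouteInterface
 */
-public function delete(string $path, callable|string $handler): Route;
+public function delete(string $path, callable|string $handler): RouteInterface;
 
 /**
 * Register an OPTIONS route.
 *
 * @param string $path
 * @param callable|string $handler
 *
- * @return Route
+ * @return RouteInterface
 */
-public function options(string $path, callable|string $handler): Route;
+public function options(string $path, callable|string $handler): RouteInterface;
 
 /**
 * Register a route for any HTTP method.
 *
 * @param string $path
 * @param callable|string $handler
 *
- * @return Route
+ * @return RouteInterface
 */
-public function any(string $path, callable|string $handler): Route;
+public function any(string $path, callable|string $handler): RouteInterface;
 
 /**
 * Register a route with multiple HTTP methods.
@@ -92,9 +91,9 @@ public function any(string $path, callable|string $handler): Route;
 * @param string $path Route path.
 * @param callable|string $handler Route handler.
 *
- * @return Route
+ * @return RouteInterface
 */
-public function map(array $methods, string $path, callable|string $handler): Route;
+public function map(array $methods, string $path, callable|string $handler): RouteInterface;
 
 /**
 * Register a group of routes under a common path prefix.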

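--- a/Slim/Interfaces/RouterInterface.php
+++ b/Slim/Interfaces/RouterInterface.php
@@ -5,25 +5,23 @@
 use FastRoute\RouteCollector;
 use InvalidArgumentException;
 use Psr\Http\Server\MiddlewareInterface;
-use Slim\Routing\Route;
 use Slim\Routing\RouteGroup;
-use Slim\Routing\Router;
 
 interface RouterInterface
 {
-public function get(string $path, callable|string $handler): Route;
+public function get(string $path, callable|string $handler): RouteInterface;
 
-public function post(string $path, callable|string $handler): Route;
+public function post(string $path, callable|string $handler): RouteInterface;
 
-public function put(string $path, callable|string $handler): Route;
+public function put(string $path, callable|string $handler): RouteInterface;
 
-public function patch(string $path, callable|string $handler): Route;
+public function patch(string $path, callable|string $handler): RouteInterface;
 
-public function delete(string $path, callable|string $handler): Route;
+public function delete(string $path, callable|string $handler): RouteInterface;
 
-public function options(string $path, callable|string $handler): Route;
+public function options(string $path, callable|string $handler): RouteInterface;
 
-public function any(string $pattern, callable|string $handler): Route;
+public function any(string $pattern, callable|string $handler): RouteInterface;
 
 /**
 * @param array<string> $methods
@@ -32,22 +30,22 @@ public function any(string $pattern, callable|string $handler): Route;
 *
 * @throws InvalidArgumentException
 */
-public function map(array $methods, string $path, callable|string $handler): Route;
+public function map(array $methods, string $path, callable|string $handler): RouteInterface;
 
 public function group(string $path, callable $handler): RouteGroup;
 
 public function getRouteCollector(): RouteCollector;
 
 public function setBasePath(string $basePath): void;
 
-public function getBasePath(): string;
+public function getBasePath(): ?string;
 
 /**
 * @return array<MiddlewareInterface|callable|string>
 */
 public function getMiddleware(): array;
 
-public function add(MiddlewareInterface|callable|string $middleware): Router;
+public function add(MiddlewareInterface|callable|string $middleware): RouterInterface;
 
-public function addMiddleware(MiddlewareInterface $middleware): Router;
+public function addMiddleware(MiddlewareInterface $middleware): RouterInterface;
 }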
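Review bot: `getBasePath(): ?string` introduces `null` as a sentinel, but the interface carries no docblock saying what `null` means, and this commit's `BasePathMiddleware` only runs auto-detection when the router returns exactly `null` — an implementation that keeps returning `''` for "unset" will silently never get a base path detected. Add above the method: ` /** Returns null until a base path is set explicitly or detected by BasePathMiddleware; '' means the app is mounted at the root. */` and mirror the same wording on `setBasePath()`. Note that `setBasePath()` takes a non-nullable `string`, so there is no way to reset the router to the undetected state once a value has been stored; if that is intended, say so in the docblock.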

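--- a/Slim/Middleware/BasePathMiddleware.php
+++ b/Slim/Middleware/BasePathMiddleware.php
@@ -20,53 +20,41 @@ final class BasePathMiddleware implements MiddlewareInterface
 {
 private RouterInterface $router;
 
-private string $phpSapi;
-
-/**
- * The constructor.
- *
- * @param RouterInterface $router The router
- * @param string $phpSapi The type of interface between web server and PHP
- *
- * Supported: 'apache2handler'
- * Not supported: 'cgi', 'cgi-fcgi', 'fpm-fcgi', 'litespeed', 'cli-server'
- */
-public function __construct(RouterInterface $router, string $phpSapi = PHP_SAPI)
+public function __construct(RouterInterface $router)
 {
-$this->phpSapi = $phpSapi;
 $this->router = $router;
 }
 
 public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
 {
-$basePath = '';
-
-if ($this->phpSapi === 'apache2handler') {
-$basePath = $this->getBasePathByRequestUri($request);
+$basePath = $this->router->getBasePath();
+if ($basePath === null) {
+$basePath = $this->detectBasePath($request);
+$this->router->setBasePath($basePath);
 }
 
-$this->router->setBasePath($basePath);
-
 return $handler->handle($request);
 }
 
 /**
- * Return basePath for most common webservers, such as Apache.
- * @param ServerRequestInterface $request
+ * Return basePath for most common webservers.
 */
-private function getBasePathByRequestUri(ServerRequestInterface $request): string
+private function detectBasePath(ServerRequestInterface $request): string
 {
-$basePath = $request->getUri()->getPath();
-$scriptName = $request->getServerParams()['SCRIPT_NAME'] ?? '';
+$serverParams = $request->getServerParams();
+$scriptName = $serverParams['SCRIPT_NAME'] ??
+$serverParams['PHP_SELF'] ??
+$serverParams['ORIG_SCRIPT_NAME'] ?? '';
 $scriptName = str_replace('\\', '/', dirname($scriptName, 2));
 
 if ($scriptName === '/') {
 return '';
 }
 
+$path = $request->getUri()->getPath();
 $length = strlen($scriptName);
-$basePath = $length > 0 ? substr($basePath, 0, $length) : $basePath;
+$path = $length > 0 ? substr($path, 0, $length) : $path;
 
-return strlen($basePath) > 1 ? $basePath : '';
+return strlen($path) > 1 ? $path : '';
 }
 }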
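Review bot: `detectBasePath()` returns a byte-length prefix of the client-supplied request path without ever checking that the prefix equals the directory derived from the server variables, so for a `SCRIPT_NAME` like `/app/public/index.php` any request whose path starts with four arbitrary bytes (`/xyz...`) yields `/xyz` as the base path, and the new `if ($basePath === null)` branch in `process()` then stores that value on the router. The commit also drops the `apache2handler`-only gate and the docblock listing cgi, cgi-fcgi, fpm-fcgi, litespeed and cli-server as unsupported, while adding a fallback to `PHP_SELF`, which can carry appended path-info; under those SAPIs the `dirname(..., 2)` input itself may reflect the request rather than the script file. I would reject a non-matching prefix right after `$path = $request->getUri()->getPath();` with `if (!str_starts_with($path, $scriptName)) { return ''; }` (the file already requires PHP 8 for the `callable|string` unions elsewhere in this commit), and carry the removed SAPI caveat into the `detectBasePath()` docblock so deployments on those SAPIs know to call `setBasePath()` explicitly. Whether the router instance — and therefore the first request's detected value — outlives a single request depends on the runtime and cannot be told from this hunk; the class header on line 19 sits just outside it.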
