
Commit fbea094

committed
Deprecate HEADER_X_FORWARDED_ALL constant
1 parent 8bac7a0 commit fbea094


11 files changed

+68
-22
lines changed

11 files changed

+68
-22
lines changed

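--- a/UPGRADE-5.2.md
+++ b/UPGRADE-5.2.md
@@ -16,6 +16,7 @@ FrameworkBundle
 used to be added by default to the seed, which is not the case anymore. This allows sharing caches between
 apps or different environments.
 * Deprecated the `lock.RESOURCE_NAME` and `lock.RESOURCE_NAME.store` services and the `lock`, `LockInterface`, `lock.store` and `PersistingStoreInterface` aliases, use `lock.RESOURCE_NAME.factory`, `lock.factory` or `LockFactory` instead.
+* Deprecated the `x-forwarded-all`, `!x-forwarded-host` and `!x-forwarded-prefix` options, use `x-forwarded-for, x-forwarded-host, x-forwarded-port, x-forwarded-proto` options instead.
 
 Form
 ----
@@ -43,6 +44,7 @@ HttpFoundation
 --------------
 
 * Deprecated not passing a `Closure` together with `FILTER_CALLBACK` to `ParameterBag::filter()`; wrap your filter in a closure instead.
+* Deprecated the `Request::HEADER_X_FORWARDED_ALL` constant, use either `Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO` or `Request::HEADER_X_FORWARDED_AWS_ELB` or `Request::HEADER_X_FORWARDED_TRAEFIK`constants instead.
 
 Lock
 ----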

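--- a/UPGRADE-6.0.md
+++ b/UPGRADE-6.0.md
@@ -59,6 +59,7 @@ FrameworkBundle
 * The `form.factory`, `form.type.file`, `translator`, `security.csrf.token_manager`, `serializer`,
 `cache_clearer`, `filesystem` and `validator` services are now private.
 * Removed the `lock.RESOURCE_NAME` and `lock.RESOURCE_NAME.store` services and the `lock`, `LockInterface`, `lock.store` and `PersistingStoreInterface` aliases, use `lock.RESOURCE_NAME.factory`, `lock.factory` or `LockFactory` instead.
+* Removed the `x-forwarded-all`, `!x-forwarded-host` and `!x-forwarded-prefix` options, use `x-forwarded-for, x-forwarded-host, x-forwarded-port, x-forwarded-proto` options instead.
 
 HttpFoundation
 --------------
@@ -67,6 +68,7 @@ HttpFoundation
 `RedirectResponse::create()`, and `StreamedResponse::create()` methods (use
 `__construct()` instead)
 * Not passing a `Closure` together with `FILTER_CALLBACK` to `ParameterBag::filter()` throws an `InvalidArgumentException`; wrap your filter in a closure instead.
+* Removed the `Request::HEADER_X_FORWARDED_ALL` constant, use either `Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO` or `Request::HEADER_X_FORWARDED_AWS_ELB` or `Request::HEADER_X_FORWARDED_TRAEFIK`constants instead.
 
 HttpKernel
 ----------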

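--- a/src/Symfony/Bridge/Monolog/Tests/Processor/WebProcessorTest.php
+++ b/src/Symfony/Bridge/Monolog/Tests/Processor/WebProcessorTest.php
@@ -38,7 +38,7 @@ public function testUsesRequestServerData()
 
 public function testUseRequestClientIp()
 {
-Request::setTrustedProxies(['192.168.0.1'], Request::HEADER_X_FORWARDED_ALL);
+Request::setTrustedProxies(['192.168.0.1'], Request::HEADER_X_FORWARDED_FOR);
 [$event, $server] = $this->createRequestEvent(['X_FORWARDED_FOR' => '192.168.0.2']);
 
 $processor = new WebProcessor();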

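--- a/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
+++ b/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
@@ -15,6 +15,8 @@ CHANGELOG
 * added `assertFormValue()` and `assertNoFormValue()` in `WebTestCase`
 * Added "--as-tree=3" option to `translation:update` command to dump messages as a tree-like structure. The given value defines the level where to switch to inline YAML
 * Deprecated the `lock.RESOURCE_NAME` and `lock.RESOURCE_NAME.store` services and the `lock`, `LockInterface`, `lock.store` and `PersistingStoreInterface` aliases, use `lock.RESOURCE_NAME.factory`, `lock.factory` or `LockFactory` instead.
+* Deprecated the `x-forwarded-all`, `!x-forwarded-host` and `!x-forwarded-prefix` options, use `x-forwarded-for, x-forwarded-host, x-forwarded-port, x-forwarded-proto` options instead.
+
 
 5.1.0
 -----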

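--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -92,7 +92,7 @@ public function getConfigTreeBuilder()
 ->arrayNode('trusted_headers')
 ->fixXmlConfig('trusted_header')
 ->performNoDeepMerging()
-->defaultValue(['x-forwarded-all', '!x-forwarded-host', '!x-forwarded-prefix'])
+->defaultValue(['x-forwarded-for', 'x-forwarded-port', 'x-forwarded-proto'])
 ->beforeNormalization()->ifString()->then(function ($v) { return $v ? array_map('trim', explode(',', $v)) : []; })->end()
 ->enumPrototype()
 ->values([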
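Review bot: The new default `['x-forwarded-for', 'x-forwarded-port', 'x-forwarded-proto']` leaves out `x-forwarded-host` without saying so, where the old default spelled the exclusion out with `'!x-forwarded-host'`. Both lists resolve to the same header set, but a reader can no longer tell that not trusting the host header is deliberate. A comment above the `->defaultValue(...)` call would keep that visible, for example `// X-Forwarded-Host is intentionally not trusted by default; add it only when the proxy sets or overwrites that header`. The `enumPrototype()->values([` list continues outside the hunk, so whether the deprecated option names are still accepted there is not visible from here.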

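--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -2294,12 +2294,19 @@ private function resolveTrustedHeaders(array $headers): int
 case 'x-forwarded-host': $trustedHeaders |= Request::HEADER_X_FORWARDED_HOST; break;
 case 'x-forwarded-proto': $trustedHeaders |= Request::HEADER_X_FORWARDED_PROTO; break;
 case 'x-forwarded-port': $trustedHeaders |= Request::HEADER_X_FORWARDED_PORT; break;
-case '!x-forwarded-host': $trustedHeaders &= ~Request::HEADER_X_FORWARDED_HOST; break;
+case '!x-forwarded-host':
+trigger_deprecation('symfony/framework-bundle', '5.2', 'The "!x-forwarded-host" configuration option is deprecated, and will be removed in version 6.0.');
+$trustedHeaders &= ~Request::HEADER_X_FORWARDED_HOST;
+break;
+case '!x-forwarded-prefix':
+trigger_deprecation('symfony/framework-bundle', '5.2', 'The "!x-forwarded-prefix" configuration option is deprecated, and will be removed in version 6.0.');
+break;
 case 'x-forwarded-all':
+trigger_deprecation('symfony/framework-bundle', '5.2', 'The "x-forwarded-all" configuration option is deprecated, use "x-forwarded-for, x-forwarded-host, x-forwarded-port, x-forwarded-proto" options instead.');
 if (!\in_array('!x-forwarded-prefix', $headers)) {
 throw new LogicException('When using "x-forwarded-all" in "framework.trusted_headers", "!x-forwarded-prefix" must be explicitly listed until support for X-Forwarded-Prefix is implemented.');
 }
-$trustedHeaders |= Request::HEADER_X_FORWARDED_ALL;
+$trustedHeaders |= Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO;
 break;
 }
 }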
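Review bot: The replacement line in the `x-forwarded-all` case ORs `Request::HEADER_X_FORWARDED_HOST` back into `$trustedHeaders`, so the resolved mask depends on option order. Assuming the switch runs once per entry of `$headers` in list order (the loop header is outside the hunk), `['!x-forwarded-host', 'x-forwarded-all']` ends up trusting X-Forwarded-Host while the reverse order does not. While both options remain accepted, applying the `&= ~Request::HEADER_X_FORWARDED_HOST` step after the loop, or at least a comment stating the ordering requirement, would stop a reordered config from silently widening the trusted set. The two new messages for `!x-forwarded-host` and `!x-forwarded-prefix` also name no replacement; ending them with `list the headers to trust explicitly instead.` would match the guidance given for `x-forwarded-all`.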

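--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
@@ -341,9 +341,9 @@ protected static function getBundleDefaultConfig()
 'secret' => 's3cr3t',
 'trusted_hosts' => [],
 'trusted_headers' => [
-'x-forwarded-all',
-'!x-forwarded-host',
-'!x-forwarded-prefix',
+'x-forwarded-for',
+'x-forwarded-port',
+'x-forwarded-proto',
 ],
 'csrf_protection' => [
 'enabled' => false,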

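--- a/src/Symfony/Component/HttpFoundation/CHANGELOG.md
+++ b/src/Symfony/Component/HttpFoundation/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+5.3.0
+-----
+
+* Deprecated the `Request::HEADER_X_FORWARDED_ALL` constant, use either `HEADER_X_FORWARDED_FOR | HEADER_X_FORWARDED_HOST | HEADER_X_FORWARDED_PORT | HEADER_X_FORWARDED_PROTO` or `HEADER_X_FORWARDED_AWS_ELB` or `HEADER_X_FORWARDED_TRAEFIK` constants instead.
+
 5.2.0
 -----
 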

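--- a/src/Symfony/Component/HttpFoundation/Request.php
+++ b/src/Symfony/Component/HttpFoundation/Request.php
@@ -47,9 +47,10 @@ class Request
 const HEADER_X_FORWARDED_PORT = 0b010000;
 const HEADER_X_FORWARDED_PREFIX = 0b100000;
 
-const HEADER_X_FORWARDED_ALL = 0b011110; // All "X-Forwarded-*" headers sent by "usual" reverse proxy
-const HEADER_X_FORWARDED_AWS_ELB = 0b011010; // AWS ELB doesn't send X-Forwarded-Host
-const HEADER_X_FORWARDED_TRAEFIK = 0b111110; // All "X-Forwarded-*" headers sent by Traefik reverse proxy
+/** @deprecated since Symfony 5.3, use either "HEADER_X_FORWARDED_FOR | HEADER_X_FORWARDED_HOST | HEADER_X_FORWARDED_PORT | HEADER_X_FORWARDED_PROTO" or "HEADER_X_FORWARDED_AWS_ELB" or "HEADER_X_FORWARDED_TRAEFIK" constants instead. */
+const HEADER_X_FORWARDED_ALL = 0b1011110; // All "X-Forwarded-*" headers sent by "usual" reverse proxy
+const HEADER_X_FORWARDED_AWS_ELB = 0b0011010; // AWS ELB doesn't send X-Forwarded-Host
+const HEADER_X_FORWARDED_TRAEFIK = 0b0111110; // All "X-Forwarded-*" headers sent by Traefik reverse proxy
 
 const METHOD_HEAD = 'HEAD';
 const METHOD_GET = 'GET';
@@ -593,6 +594,9 @@ public function overrideGlobals()
 */
 public static function setTrustedProxies(array $proxies, int $trustedHeaderSet)
 {
+if (self::HEADER_X_FORWARDED_ALL === $trustedHeaderSet) {
+trigger_deprecation('symfony/http-fundation', '5.3', 'The "HEADER_X_FORWARDED_ALL" constant is deprecated, use either "HEADER_X_FORWARDED_FOR | HEADER_X_FORWARDED_HOST | HEADER_X_FORWARDED_PORT | HEADER_X_FORWARDED_PROTO" or "HEADER_X_FORWARDED_AWS_ELB" or "HEADER_X_FORWARDED_TRAEFIK" constants instead.');
+}
 self::$trustedProxies = array_reduce($proxies, function ($proxies, $proxy) {
 if ('REMOTE_ADDR' !== $proxy) {
 $proxies[] = $proxy;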
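Review bot: The package name passed to `trigger_deprecation()` in `setTrustedProxies()` is misspelled as `'symfony/http-fundation'`; it should read `'symfony/http-foundation'`, and the expected message in RequestTest.php carries the same typo. The version is inconsistent as well: this call and the `@deprecated` tag say 5.3, UPGRADE-5.2.md lists the deprecation for 5.2, and the new test expects `Since symfony/http-fundation 5.2`, so the test message would not match what this line emits. The guard `self::HEADER_X_FORWARDED_ALL === $trustedHeaderSet` only fires on an exact match, so a combined mask such as `Request::HEADER_X_FORWARDED_ALL | Request::HEADER_FORWARDED` (used in RequestTest.php before this commit) passes without a notice. The rest of the method body is outside the hunk, so it is not visible whether the added marker bit `0b1000000` is stripped before the mask is stored; if it is not, a short comment on the constant saying that this bit is a marker and not a header flag would help.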

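--- a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
+++ b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
@@ -12,6 +12,7 @@
 namespace Symfony\Component\HttpFoundation\Tests;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Bridge\PhpUnit\ExpectDeprecationTrait;
 use Symfony\Component\HttpFoundation\Exception\JsonException;
 use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
 use Symfony\Component\HttpFoundation\InputBag;
@@ -22,6 +23,8 @@
 
 class RequestTest extends TestCase
 {
+use ExpectDeprecationTrait;
+
 protected function tearDown(): void
 {
 Request::setTrustedProxies([], -1);
@@ -867,7 +870,7 @@ public function testGetPort()
 
 $this->assertEquals(80, $port, 'Without trusted proxies FORWARDED_PROTO and FORWARDED_PORT are ignored.');
 
-Request::setTrustedProxies(['1.1.1.1'], Request::HEADER_X_FORWARDED_ALL);
+Request::setTrustedProxies(['1.1.1.1'], Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_PORT);
 $request = Request::create('http://example.com', 'GET', [], [], [], [
 'HTTP_X_FORWARDED_PROTO' => 'https',
 'HTTP_X_FORWARDED_PORT' => '8443',
@@ -1091,7 +1094,7 @@ public function testGetClientIpsWithConflictingHeaders($httpForwarded, $httpXFor
 'HTTP_X_FORWARDED_FOR' => $httpXForwardedFor,
 ];
 
-Request::setTrustedProxies(['88.88.88.88'], Request::HEADER_X_FORWARDED_ALL | Request::HEADER_FORWARDED);
+Request::setTrustedProxies(['88.88.88.88'], Request::HEADER_X_FORWARDED_FOR | Request::HEADER_FORWARDED);
 
 $request->initialize([], [], [], [], [], $server);
 
@@ -1349,7 +1352,7 @@ public function testOverrideGlobals()
 
 $request->headers->set('X_FORWARDED_PROTO', 'https');
 
-Request::setTrustedProxies(['1.1.1.1'], Request::HEADER_X_FORWARDED_ALL);
+Request::setTrustedProxies(['1.1.1.1'], Request::HEADER_X_FORWARDED_PROTO);
 $this->assertFalse($request->isSecure());
 $request->server->set('REMOTE_ADDR', '1.1.1.1');
 $this->assertTrue($request->isSecure());
@@ -1830,7 +1833,7 @@ private function getRequestInstanceForClientIpTests(string $remoteAddr, ?string
 }
 
 if ($trustedProxies) {
-Request::setTrustedProxies($trustedProxies, Request::HEADER_X_FORWARDED_ALL);
+Request::setTrustedProxies($trustedProxies, Request::HEADER_X_FORWARDED_FOR);
 }
 
 $request->initialize([], [], [], [], [], $server);
@@ -1873,35 +1876,35 @@ public function testTrustedProxiesXForwardedFor()
 $this->assertFalse($request->isSecure());
 
 // disabling proxy trusting
-Request::setTrustedProxies([], Request::HEADER_X_FORWARDED_ALL);
+Request::setTrustedProxies([], Request::HEADER_X_FORWARDED_FOR);
 $this->assertEquals('3.3.3.3', $request->getClientIp());
 $this->assertEquals('example.com', $request->getHost());
 $this->assertEquals(80, $request->getPort());
 $this->assertFalse($request->isSecure());
 
 // request is forwarded by a non-trusted proxy
-Request::setTrustedProxies(['2.2.2.2'], Request::HEADER_X_FORWARDED_ALL);
+Request::setTrustedProxies(['2.2.2.2'], Request::HEADER_X_FORWARDED_FOR);
 $this->assertEquals('3.3.3.3', $request->getClientIp());
 $this->assertEquals('example.com', $request->getHost());
 $this->assertEquals(80, $request->getPort());
 $this->assertFalse($request->isSecure());
 
 // trusted proxy via setTrustedProxies()
-Request::setTrustedProxies(['3.3.3.3', '2.2.2.2'], Request::HEADER_X_FORWARDED_ALL);
+Request::setTrustedProxies(['3.3.3.3', '2.2.2.2'], Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO);
 $this->assertEquals('1.1.1.1', $request->getClientIp());
 $this->assertEquals('foo.example.com', $request->getHost());
 $this->assertEquals(443, $request->getPort());
 $this->assertTrue($request->isSecure());
 
 // trusted proxy via setTrustedProxies()
-Request::setTrustedProxies(['3.3.3.4', '2.2.2.2'], Request::HEADER_X_FORWARDED_ALL);
+Request::setTrustedProxies(['3.3.3.4', '2.2.2.2'], Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO);
 $this->assertEquals('3.3.3.3', $request->getClientIp());
 $this->assertEquals('example.com', $request->getHost());
 $this->assertEquals(80, $request->getPort());
 $this->assertFalse($request->isSecure());
 
 // check various X_FORWARDED_PROTO header values
-Request::setTrustedProxies(['3.3.3.3', '2.2.2.2'], Request::HEADER_X_FORWARDED_ALL);
+Request::setTrustedProxies(['3.3.3.3', '2.2.2.2'], Request::HEADER_X_FORWARDED_PROTO);
 $request->headers->set('X_FORWARDED_PROTO', 'ssl');
 $this->assertTrue($request->isSecure());
 
@@ -2377,7 +2380,7 @@ public function testTrustedPort()
 
 public function testTrustedPortDoesNotDefaultToZero()
 {
-Request::setTrustedProxies(['1.1.1.1'], Request::HEADER_X_FORWARDED_ALL);
+Request::setTrustedProxies(['1.1.1.1'], Request::HEADER_X_FORWARDED_FOR);
 
 $request = Request::create('/');
 $request->server->set('REMOTE_ADDR', '1.1.1.1');
@@ -2393,7 +2396,7 @@ public function testTrustedPortDoesNotDefaultToZero()
 public function testTrustedProxiesRemoteAddr($serverRemoteAddr, $trustedProxies, $result)
 {
 $_SERVER['REMOTE_ADDR'] = $serverRemoteAddr;
-Request::setTrustedProxies($trustedProxies, Request::HEADER_X_FORWARDED_ALL);
+Request::setTrustedProxies($trustedProxies, Request::HEADER_X_FORWARDED_FOR);
 $this->assertSame($result, Request::getTrustedProxies());
 }
 
@@ -2464,6 +2467,27 @@ public function preferSafeContentData()
 ],
 ];
 }
+
+/**
+* @group legacy
+*/
+public function testXForwarededAllConstantDeprecated()
+{
+$this->expectDeprecation('Since symfony/http-fundation 5.2: The "HEADER_X_FORWARDED_ALL" constant is deprecated, use either "HEADER_X_FORWARDED_FOR | HEADER_X_FORWARDED_HOST | HEADER_X_FORWARDED_PORT | HEADER_X_FORWARDED_PROTO" or "HEADER_X_FORWARDED_AWS_ELB" or "HEADER_X_FORWARDED_TRAEFIK" constants instead.');
+
+Request::setTrustedProxies([], Request::HEADER_X_FORWARDED_ALL);
+}
+
+/**
+* The flag 0b10000000 is used to identify the constant HEADER_X_FORWARDED_ALL
+* To be removed in 6.0.
+*/
+public function testReservedFlags()
+{
+foreach ((new \ReflectionClass(Request::class))->getConstants() as $constant => $value) {
+$this->assertNotSame(0b10000000, $value, sprintf('The constant "%s" should not used the reserved value "0b10000000".', $constant));
+}
+}
 }
 
 class RequestContentProxy extends Request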
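Review bot: `testReservedFlags()` in the last hunk guards the value `0b10000000` (128), but the bit this commit adds to `HEADER_X_FORWARDED_ALL` (`0b1011110` in Request.php) is `0b1000000` (64), so the test does not protect the marker actually in use. The docblock and the assertion message should name the same value as the constant, e.g. `$this->assertNotSame(0b1000000, $value, ...)`. `assertNotSame` also only rejects a constant that equals the reserved value; a future flag that merely includes the bit would pass, so a bitwise check that skips `HEADER_X_FORWARDED_ALL` itself would state the reservation more precisely. The method name `testXForwarededAllConstantDeprecated` has a typo (`Forwareded`).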

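--- a/src/Symfony/Component/HttpKernel/Tests/HttpCache/HttpCacheTest.php
+++ b/src/Symfony/Component/HttpKernel/Tests/HttpCache/HttpCacheTest.php
@@ -1361,7 +1361,7 @@ public function testClientIpIsAlwaysLocalhostForForwardedRequests()
 */
 public function testHttpCacheIsSetAsATrustedProxy(array $existing)
 {
-Request::setTrustedProxies($existing, Request::HEADER_X_FORWARDED_ALL);
+Request::setTrustedProxies($existing, Request::HEADER_X_FORWARDED_FOR);
 
 $this->setNextResponse();
 $this->request('GET', '/', ['REMOTE_ADDR' => '10.0.0.1']);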
