Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[HttpKernel] fix forwarding trusted headers as server parameters #28241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 24, 2018
Merged

[HttpKernel] fix forwarding trusted headers as server parameters #28241

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/Symfony/Component/HttpFoundation/Request.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1991,7 +1991,7 @@ private function normalizeAndFilterClientIps(array $clientIps, $ip)
if ($i) {
$clientIps[$key] = $clientIp = substr($clientIp, 0, $i);
}
} elseif ('[' == $clientIp[0]) {
} elseif (0 === strpos($clientIp, '[')) {
// Strip brackets and :port from IPv6 addresses.
$i = strpos($clientIp, ']', 1);
$clientIps[$key] = $clientIp = substr($clientIp, 1, $i - 1);
Expand Down
6 changes: 3 additions & 3 deletions src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -868,7 +868,7 @@ public function getClientIpsForwardedProvider()

public function getClientIpsProvider()
{
// $expected $remoteAddr $httpForwardedFor $trustedProxies
// $expected $remoteAddr $httpForwardedFor $trustedProxies
return array(
// simple IPv4
array(array('88.88.88.88'), '88.88.88.88', null, null),
Expand All @@ -882,8 +882,8 @@ public function getClientIpsProvider()

// forwarded for with remote IPv4 addr not trusted
array(array('127.0.0.1'), '127.0.0.1', '88.88.88.88', null),
// forwarded for with remote IPv4 addr trusted
array(array('88.88.88.88'), '127.0.0.1', '88.88.88.88', array('127.0.0.1')),
// forwarded for with remote IPv4 addr trusted + comma
array(array('88.88.88.88'), '127.0.0.1', '88.88.88.88,', array('127.0.0.1')),
// forwarded for with remote IPv4 and all FF addrs trusted
array(array('88.88.88.88'), '127.0.0.1', '88.88.88.88', array('127.0.0.1', '88.88.88.88')),
// forwarded for with remote IPv4 range trusted
Expand Down
10 changes: 7 additions & 3 deletions src/Symfony/Component/HttpKernel/HttpCache/SubRequestHandler.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ public static function handle(HttpKernelInterface $kernel, Request $request, $ty
if (!IpUtils::checkIp($remoteAddr, $trustedProxies)) {
foreach (array_filter($trustedHeaders) as $name) {
$request->headers->remove($name);
$request->server->remove('HTTP_'.strtoupper(str_replace('-', '_', $name)));
}
}

Expand All @@ -61,13 +62,16 @@ public static function handle(HttpKernelInterface $kernel, Request $request, $ty
// set trusted values, reusing as much as possible the global trusted settings
if ($name = $trustedHeaders[Request::HEADER_FORWARDED]) {
$trustedValues[0] .= sprintf(';host="%s";proto=%s', $request->getHttpHost(), $request->getScheme());
$request->headers->set($name, implode(', ', $trustedValues));
$request->headers->set($name, $v = implode(', ', $trustedValues));
$request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);
}
if ($name = $trustedHeaders[Request::HEADER_CLIENT_IP]) {
$request->headers->set($name, implode(', ', $trustedIps));
$request->headers->set($name, $v = implode(', ', $trustedIps));
$request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);
}
if (!$name && !$trustedHeaders[Request::HEADER_FORWARDED]) {
$request->headers->set('X-Forwarded-For', implode(', ', $trustedIps));
$request->headers->set('X-Forwarded-For', $v = implode(', ', $trustedIps));
$request->server->set('HTTP_X_FORWARDED_FOR', $v);
Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X_FORWARDED_FOR');
}

Expand Down
11 changes: 11 additions & 0 deletions src/Symfony/Component/HttpKernel/Tests/Fragment/InlineFragmentRendererTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,8 @@ public function testRenderWithObjectsAsAttributes()
$subRequest->attributes->replace(array('object' => $object, '_format' => 'html', '_controller' => 'main_controller', '_locale' => 'en'));
$subRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
$subRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
$subRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
$subRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');

$strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($subRequest));

Expand Down Expand Up @@ -91,6 +93,7 @@ public function testRenderWithTrustedHeaderDisabled()

$expectedSubRequest = Request::create('/');
$expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
$expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');

$strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($expectedSubRequest));
$this->assertSame('foo', $strategy->render('/', Request::create('/'))->getContent());
Expand Down Expand Up @@ -178,8 +181,10 @@ public function testESIHeaderIsKeptInSubrequest()
$expectedSubRequest->headers->set('Surrogate-Capability', 'abc="ESI/1.0"');
if (Request::getTrustedHeaderName(Request::HEADER_CLIENT_IP)) {
$expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
$expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
}
$expectedSubRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
$expectedSubRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');

$strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($expectedSubRequest));

Expand All @@ -203,6 +208,8 @@ public function testHeadersPossiblyResultingIn304AreNotAssignedToSubrequest()
$expectedSubRequest = Request::create('/');
$expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
$expectedSubRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
$expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
$expectedSubRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');

$strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($expectedSubRequest));
$request = Request::create('/', 'GET', array(), array(), array(), array('HTTP_IF_MODIFIED_SINCE' => 'Fri, 01 Jan 2016 00:00:00 GMT', 'HTTP_IF_NONE_MATCH' => '*'));
Expand All @@ -216,6 +223,8 @@ public function testFirstTrustedProxyIsSetAsRemote()
$expectedSubRequest->server->set('REMOTE_ADDR', '127.0.0.1');
$expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
$expectedSubRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
$expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
$expectedSubRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');

Request::setTrustedProxies(array('1.1.1.1'));

Expand All @@ -235,6 +244,8 @@ public function testIpAddressOfRangedTrustedProxyIsSetAsRemote()
$expectedSubRequest->server->set('REMOTE_ADDR', '127.0.0.1');
$expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
$expectedSubRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
$expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
$expectedSubRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');

Request::setTrustedProxies(array('1.1.1.1/24'));

Expand Down