Commit 2554ad0

bug #28241 [HttpKernel] fix forwarding trusted headers as server parameters (nicolas-grekas)
This PR was merged into the 2.8 branch. Discussion ---------- [HttpKernel] fix forwarding trusted headers as server parameters | Q | A | ------------- | --- | Branch? | 2.8 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #28233, #28226, #28225, #28240 | License | MIT | Doc PR | - Commits ------- 9295348 [HttpKernel] fix forwarding trusted headers as server parameters
2 parents 77cd8b6 + 9295348 commit 2554ad0


4 files changed

+22
-7
lines changed

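--- a/src/Symfony/Component/HttpFoundation/Request.php
+++ b/src/Symfony/Component/HttpFoundation/Request.php
@@ -1991,7 +1991,7 @@ private function normalizeAndFilterClientIps(array $clientIps, $ip)
 if ($i) {
 $clientIps[$key] = $clientIp = substr($clientIp, 0, $i);
 }
-} elseif ('[' == $clientIp[0]) {
+} elseif (0 === strpos($clientIp, '[')) {
 // Strip brackets and :port from IPv6 addresses.
 $i = strpos($clientIp, ']', 1);
 $clientIps[$key] = $clientIp = substr($clientIp, 1, $i - 1);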
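Review bot: The bracket branch still assumes a closing `]` is present: on the two lines after the changed `elseif`, `strpos($clientIp, ']', 1)` returns `false` for a value such as `[::1` (constructed example), and `substr($clientIp, 1, $i - 1)` then runs with a length of `-1`, silently trimming the last character instead of rejecting the entry. Because these values come from a forwarded header, a missing bracket is better treated as malformed, e.g. `if (false === $i = strpos($clientIp, ']', 1)) { unset($clientIps[$key]); continue; }`, assuming the enclosing loop (outside this hunk) permits `continue`. The function starts and ends outside the hunk, so whatever validation follows is not visible here and should be checked against this case.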

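--- a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
+++ b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
@@ -868,7 +868,7 @@ public function getClientIpsForwardedProvider()
 
 public function getClientIpsProvider()
 {
-// $expected $remoteAddr $httpForwardedFor $trustedProxies
+// $expected $remoteAddr $httpForwardedFor $trustedProxies
 return array(
 // simple IPv4
 array(array('88.88.88.88'), '88.88.88.88', null, null),
@@ -882,8 +882,8 @@ public function getClientIpsProvider()
 
 // forwarded for with remote IPv4 addr not trusted
 array(array('127.0.0.1'), '127.0.0.1', '88.88.88.88', null),
-// forwarded for with remote IPv4 addr trusted
-array(array('88.88.88.88'), '127.0.0.1', '88.88.88.88', array('127.0.0.1')),
+// forwarded for with remote IPv4 addr trusted + comma
+array(array('88.88.88.88'), '127.0.0.1', '88.88.88.88,', array('127.0.0.1')),
 // forwarded for with remote IPv4 and all FF addrs trusted
 array(array('88.88.88.88'), '127.0.0.1', '88.88.88.88', array('127.0.0.1', '88.88.88.88')),
 // forwarded for with remote IPv4 range trusted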
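Review bot: The existing "remote IPv4 addr trusted" row on new lines 885-886 was edited in place to carry the trailing comma, so as far as this hunk shows the plain `'88.88.88.88'` header with a single trusted proxy no longer has its own data set. I would keep the original row and add the comma variant as a separate one, with a comment such as `// trailing comma yields an empty entry that must be ignored`, so a failure points at the exact input shape. A row with an unterminated bracket value would also pin down how malformed IPv6 entries are handled by the parser changed in this commit.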

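--- a/src/Symfony/Component/HttpKernel/HttpCache/SubRequestHandler.php
+++ b/src/Symfony/Component/HttpKernel/HttpCache/SubRequestHandler.php
@@ -43,6 +43,7 @@ public static function handle(HttpKernelInterface $kernel, Request $request, $ty
 if (!IpUtils::checkIp($remoteAddr, $trustedProxies)) {
 foreach (array_filter($trustedHeaders) as $name) {
 $request->headers->remove($name);
+$request->server->remove('HTTP_'.strtoupper(str_replace('-', '_', $name)));
 }
 }
 
@@ -61,13 +62,16 @@ public static function handle(HttpKernelInterface $kernel, Request $request, $ty
 // set trusted values, reusing as much as possible the global trusted settings
 if ($name = $trustedHeaders[Request::HEADER_FORWARDED]) {
 $trustedValues[0] .= sprintf(';host="%s";proto=%s', $request->getHttpHost(), $request->getScheme());
-$request->headers->set($name, implode(', ', $trustedValues));
+$request->headers->set($name, $v = implode(', ', $trustedValues));
+$request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);
 }
 if ($name = $trustedHeaders[Request::HEADER_CLIENT_IP]) {
-$request->headers->set($name, implode(', ', $trustedIps));
+$request->headers->set($name, $v = implode(', ', $trustedIps));
+$request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);
 }
 if (!$name && !$trustedHeaders[Request::HEADER_FORWARDED]) {
-$request->headers->set('X-Forwarded-For', implode(', ', $trustedIps));
+$request->headers->set('X-Forwarded-For', $v = implode(', ', $trustedIps));
+$request->server->set('HTTP_X_FORWARDED_FOR', $v);
 Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X_FORWARDED_FOR');
 }
 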
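Review bot: The header-to-server-key mapping `'HTTP_'.strtoupper(str_replace('-', '_', $name))` is written out three times (new lines 46, 66 and 70) and hard-coded once as `HTTP_X_FORWARDED_FOR` on new line 74, each paired by hand with a `headers->set()` or `headers->remove()`. The commit title suggests both bags must stay in step for the sub-request to see only trusted values, so a later edit that touches one bag and not the other would presumably let client-supplied forwarding data through again. A small private helper that writes both at once (and a matching one for removal) makes the pairing impossible to forget and removes the `$v = implode(...)` assignments buried in argument lists. `handle()` starts and ends outside both hunks, so the code below only sketches the shape.

```php
// … unchanged: untrusted-remote branch and computation of the trusted values …
if ($name = $trustedHeaders[Request::HEADER_CLIENT_IP]) {
    self::setForwardedHeader($request, $name, implode(', ', $trustedIps));
}
// … unchanged: the other two branches, rewritten the same way …

/**
 * Writes a forwarded header to both the header bag and the server bag
 * so that the two can never disagree about what is trusted.
 */
private static function setForwardedHeader(Request $request, $name, $value)
{
    $request->headers->set($name, $value);
    $request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $value);
}
```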

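--- a/src/Symfony/Component/HttpKernel/Tests/Fragment/InlineFragmentRendererTest.php
+++ b/src/Symfony/Component/HttpKernel/Tests/Fragment/InlineFragmentRendererTest.php
@@ -60,6 +60,8 @@ public function testRenderWithObjectsAsAttributes()
 $subRequest->attributes->replace(array('object' => $object, '_format' => 'html', '_controller' => 'main_controller', '_locale' => 'en'));
 $subRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
 $subRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
+$subRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
+$subRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');
 
 $strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($subRequest));
 
@@ -91,6 +93,7 @@ public function testRenderWithTrustedHeaderDisabled()
 
 $expectedSubRequest = Request::create('/');
 $expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
+$expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
 
 $strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($expectedSubRequest));
 $this->assertSame('foo', $strategy->render('/', Request::create('/'))->getContent());
@@ -178,8 +181,10 @@ public function testESIHeaderIsKeptInSubrequest()
 $expectedSubRequest->headers->set('Surrogate-Capability', 'abc="ESI/1.0"');
 if (Request::getTrustedHeaderName(Request::HEADER_CLIENT_IP)) {
 $expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
+$expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
 }
 $expectedSubRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
+$expectedSubRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');
 
 $strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($expectedSubRequest));
 
@@ -203,6 +208,8 @@ public function testHeadersPossiblyResultingIn304AreNotAssignedToSubrequest()
 $expectedSubRequest = Request::create('/');
 $expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
 $expectedSubRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
+$expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
+$expectedSubRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');
 
 $strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($expectedSubRequest));
 $request = Request::create('/', 'GET', array(), array(), array(), array('HTTP_IF_MODIFIED_SINCE' => 'Fri, 01 Jan 2016 00:00:00 GMT', 'HTTP_IF_NONE_MATCH' => '*'));
@@ -216,6 +223,8 @@ public function testFirstTrustedProxyIsSetAsRemote()
 $expectedSubRequest->server->set('REMOTE_ADDR', '127.0.0.1');
 $expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
 $expectedSubRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
+$expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
+$expectedSubRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');
 
 Request::setTrustedProxies(array('1.1.1.1'));
 
@@ -235,6 +244,8 @@ public function testIpAddressOfRangedTrustedProxyIsSetAsRemote()
 $expectedSubRequest->server->set('REMOTE_ADDR', '127.0.0.1');
 $expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
 $expectedSubRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
+$expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
+$expectedSubRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');
 
 Request::setTrustedProxies(array('1.1.1.1/24'));
 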
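Review bot: A negative case is missing from the hunks shown: none of them starts from a request whose server bag already carries `HTTP_X_FORWARDED_FOR` or `HTTP_FORWARDED` from a non-trusted remote address and asserts that the sub-request ends up with only the values the handler computed. That is the behaviour the `server->remove()` line added in `SubRequestHandler::handle()` exists for, so without such a test a regression there would pass this suite. I would add one test that builds the incoming request via the `$server` argument of `Request::create()` with a constructed forwarded value and checks the expected sub-request against it. The repeated pair of `server->set('HTTP_X_FORWARDED_FOR', ...)` and `server->set('HTTP_FORWARDED', ...)` lines could also move into a small private test helper so the six expectations cannot drift apart.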
