Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

[HttpFundation][FrameworkBundle] Deprecate the HEADER_X_FORWARDED_ALL constant #38954

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 4, 2020
Merged

[HttpFundation][FrameworkBundle] Deprecate the HEADER_X_FORWARDED_ALL constant #38954

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions 1 UPGRADE-5.2.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ HttpFoundation
--------------

* Deprecated not passing a `Closure` together with `FILTER_CALLBACK` to `ParameterBag::filter()`; wrap your filter in a closure instead.
* Deprecated the `Request::HEADER_X_FORWARDED_ALL` constant, use either `Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO` or `Request::HEADER_X_FORWARDED_AWS_ELB` or `Request::HEADER_X_FORWARDED_TRAEFIK`constants instead.

Lock
----
Expand Down
1 change: 1 addition & 0 deletions 1 UPGRADE-6.0.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ HttpFoundation
`RedirectResponse::create()`, and `StreamedResponse::create()` methods (use
`__construct()` instead)
* Not passing a `Closure` together with `FILTER_CALLBACK` to `ParameterBag::filter()` throws an `InvalidArgumentException`; wrap your filter in a closure instead.
* Removed the `Request::HEADER_X_FORWARDED_ALL` constant, use either `Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO` or `Request::HEADER_X_FORWARDED_AWS_ELB` or `Request::HEADER_X_FORWARDED_TRAEFIK`constants instead.

HttpKernel
----------
Expand Down
2 changes: 1 addition & 1 deletion 2 src/Symfony/Bridge/Monolog/Tests/Processor/WebProcessorTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ public function testUsesRequestServerData()

public function testUseRequestClientIp()
{
Request::setTrustedProxies(['192.168.0.1'], Request::HEADER_X_FORWARDED_ALL);
Request::setTrustedProxies(['192.168.0.1'], Request::HEADER_X_FORWARDED_FOR);
[$event, $server] = $this->createRequestEvent(['X_FORWARDED_FOR' => '192.168.0.2']);

$processor = new WebProcessor();
Expand Down
3 changes: 1 addition & 2 deletions 3 src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,13 +92,12 @@ public function getConfigTreeBuilder()
->arrayNode('trusted_headers')
->fixXmlConfig('trusted_header')
->performNoDeepMerging()
->defaultValue(['x-forwarded-all', '!x-forwarded-host', '!x-forwarded-prefix'])
->defaultValue(['x-forwarded-for', 'x-forwarded-port', 'x-forwarded-proto'])
->beforeNormalization()->ifString()->then(function ($v) { return $v ? array_map('trim', explode(',', $v)) : []; })->end()
->enumPrototype()
->values([
'forwarded',
'x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port',
'x-forwarded-all', '!x-forwarded-host', '!x-forwarded-prefix',
])
->end()
->end()
Expand Down
7 changes: 0 additions & 7 deletions 7 src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2294,13 +2294,6 @@ private function resolveTrustedHeaders(array $headers): int
case 'x-forwarded-host': $trustedHeaders |= Request::HEADER_X_FORWARDED_HOST; break;
case 'x-forwarded-proto': $trustedHeaders |= Request::HEADER_X_FORWARDED_PROTO; break;
case 'x-forwarded-port': $trustedHeaders |= Request::HEADER_X_FORWARDED_PORT; break;
case '!x-forwarded-host': $trustedHeaders &= ~Request::HEADER_X_FORWARDED_HOST; break;
case 'x-forwarded-all':
if (!\in_array('!x-forwarded-prefix', $headers)) {
throw new LogicException('When using "x-forwarded-all" in "framework.trusted_headers", "!x-forwarded-prefix" must be explicitly listed until support for X-Forwarded-Prefix is implemented.');
}
$trustedHeaders |= Request::HEADER_X_FORWARDED_ALL;
break;
}
}

Expand Down
6 changes: 3 additions & 3 deletions 6 src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -341,9 +341,9 @@ protected static function getBundleDefaultConfig()
'secret' => 's3cr3t',
'trusted_hosts' => [],
'trusted_headers' => [
'x-forwarded-all',
'!x-forwarded-host',
jderusse marked this conversation as resolved.
Show resolved Hide resolved
'!x-forwarded-prefix',
'x-forwarded-for',
'x-forwarded-port',
'x-forwarded-proto',
],
'csrf_protection' => [
'enabled' => false,
Expand Down
2 changes: 2 additions & 0 deletions 2 src/Symfony/Component/HttpFoundation/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ CHANGELOG
* added `Request::toArray()` to parse a JSON request body to an array
* added `RateLimiter\RequestRateLimiterInterface` and `RateLimiter\AbstractRequestRateLimiter`
* deprecated not passing a `Closure` together with `FILTER_CALLBACK` to `ParameterBag::filter()`; wrap your filter in a closure instead.
* Deprecated the `Request::HEADER_X_FORWARDED_ALL` constant, use either `HEADER_X_FORWARDED_FOR | HEADER_X_FORWARDED_HOST | HEADER_X_FORWARDED_PORT | HEADER_X_FORWARDED_PROTO` or `HEADER_X_FORWARDED_AWS_ELB` or `HEADER_X_FORWARDED_TRAEFIK` constants instead.


5.1.0
-----
Expand Down
10 changes: 7 additions & 3 deletions 10 src/Symfony/Component/HttpFoundation/Request.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,9 +47,10 @@ class Request
const HEADER_X_FORWARDED_PORT = 0b010000;
const HEADER_X_FORWARDED_PREFIX = 0b100000;

const HEADER_X_FORWARDED_ALL = 0b011110; // All "X-Forwarded-*" headers sent by "usual" reverse proxy
const HEADER_X_FORWARDED_AWS_ELB = 0b011010; // AWS ELB doesn't send X-Forwarded-Host
const HEADER_X_FORWARDED_TRAEFIK = 0b111110; // All "X-Forwarded-*" headers sent by Traefik reverse proxy
/** @deprecated since Symfony 5.2, use either "HEADER_X_FORWARDED_FOR | HEADER_X_FORWARDED_HOST | HEADER_X_FORWARDED_PORT | HEADER_X_FORWARDED_PROTO" or "HEADER_X_FORWARDED_AWS_ELB" or "HEADER_X_FORWARDED_TRAEFIK" constants instead. */
const HEADER_X_FORWARDED_ALL = 0b1011110; // All "X-Forwarded-*" headers sent by "usual" reverse proxy
const HEADER_X_FORWARDED_AWS_ELB = 0b0011010; // AWS ELB doesn't send X-Forwarded-Host
const HEADER_X_FORWARDED_TRAEFIK = 0b0111110; // All "X-Forwarded-*" headers sent by Traefik reverse proxy

const METHOD_HEAD = 'HEAD';
const METHOD_GET = 'GET';
Expand Down Expand Up @@ -593,6 +594,9 @@ public function overrideGlobals()
*/
public static function setTrustedProxies(array $proxies, int $trustedHeaderSet)
{
if (self::HEADER_X_FORWARDED_ALL === $trustedHeaderSet) {
trigger_deprecation('symfony/http-fundation', '5.2', 'The "HEADER_X_FORWARDED_ALL" constant is deprecated, use either "HEADER_X_FORWARDED_FOR | HEADER_X_FORWARDED_HOST | HEADER_X_FORWARDED_PORT | HEADER_X_FORWARDED_PROTO" or "HEADER_X_FORWARDED_AWS_ELB" or "HEADER_X_FORWARDED_TRAEFIK" constants instead.');
}
self::$trustedProxies = array_reduce($proxies, function ($proxies, $proxy) {
if ('REMOTE_ADDR' !== $proxy) {
$proxies[] = $proxy;
Expand Down
42 changes: 31 additions & 11 deletions 42 src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
namespace Symfony\Component\HttpFoundation\Tests;

use PHPUnit\Framework\TestCase;
use Symfony\Bridge\PhpUnit\ExpectDeprecationTrait;
use Symfony\Component\HttpFoundation\Exception\JsonException;
use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
use Symfony\Component\HttpFoundation\InputBag;
Expand All @@ -22,6 +23,8 @@

class RequestTest extends TestCase
{
use ExpectDeprecationTrait;

protected function tearDown(): void
{
Request::setTrustedProxies([], -1);
Expand Down Expand Up @@ -867,7 +870,7 @@ public function testGetPort()

$this->assertEquals(80, $port, 'Without trusted proxies FORWARDED_PROTO and FORWARDED_PORT are ignored.');

Request::setTrustedProxies(['1.1.1.1'], Request::HEADER_X_FORWARDED_ALL);
Request::setTrustedProxies(['1.1.1.1'], Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_PORT);
$request = Request::create('http://example.com', 'GET', [], [], [], [
'HTTP_X_FORWARDED_PROTO' => 'https',
'HTTP_X_FORWARDED_PORT' => '8443',
Expand Down Expand Up @@ -1091,7 +1094,7 @@ public function testGetClientIpsWithConflictingHeaders($httpForwarded, $httpXFor
'HTTP_X_FORWARDED_FOR' => $httpXForwardedFor,
];

Request::setTrustedProxies(['88.88.88.88'], Request::HEADER_X_FORWARDED_ALL | Request::HEADER_FORWARDED);
Request::setTrustedProxies(['88.88.88.88'], Request::HEADER_X_FORWARDED_FOR | Request::HEADER_FORWARDED);

$request->initialize([], [], [], [], [], $server);

Expand Down Expand Up @@ -1349,7 +1352,7 @@ public function testOverrideGlobals()

$request->headers->set('X_FORWARDED_PROTO', 'https');

Request::setTrustedProxies(['1.1.1.1'], Request::HEADER_X_FORWARDED_ALL);
Request::setTrustedProxies(['1.1.1.1'], Request::HEADER_X_FORWARDED_PROTO);
$this->assertFalse($request->isSecure());
$request->server->set('REMOTE_ADDR', '1.1.1.1');
$this->assertTrue($request->isSecure());
Expand Down Expand Up @@ -1830,7 +1833,7 @@ private function getRequestInstanceForClientIpTests(string $remoteAddr, ?string
}

if ($trustedProxies) {
Request::setTrustedProxies($trustedProxies, Request::HEADER_X_FORWARDED_ALL);
Request::setTrustedProxies($trustedProxies, Request::HEADER_X_FORWARDED_FOR);
}

$request->initialize([], [], [], [], [], $server);
Expand Down Expand Up @@ -1873,35 +1876,35 @@ public function testTrustedProxiesXForwardedFor()
$this->assertFalse($request->isSecure());

// disabling proxy trusting
Request::setTrustedProxies([], Request::HEADER_X_FORWARDED_ALL);
Request::setTrustedProxies([], Request::HEADER_X_FORWARDED_FOR);
$this->assertEquals('3.3.3.3', $request->getClientIp());
$this->assertEquals('example.com', $request->getHost());
$this->assertEquals(80, $request->getPort());
$this->assertFalse($request->isSecure());

// request is forwarded by a non-trusted proxy
Request::setTrustedProxies(['2.2.2.2'], Request::HEADER_X_FORWARDED_ALL);
Request::setTrustedProxies(['2.2.2.2'], Request::HEADER_X_FORWARDED_FOR);
$this->assertEquals('3.3.3.3', $request->getClientIp());
$this->assertEquals('example.com', $request->getHost());
$this->assertEquals(80, $request->getPort());
$this->assertFalse($request->isSecure());

// trusted proxy via setTrustedProxies()
Request::setTrustedProxies(['3.3.3.3', '2.2.2.2'], Request::HEADER_X_FORWARDED_ALL);
Request::setTrustedProxies(['3.3.3.3', '2.2.2.2'], Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO);
$this->assertEquals('1.1.1.1', $request->getClientIp());
$this->assertEquals('foo.example.com', $request->getHost());
$this->assertEquals(443, $request->getPort());
$this->assertTrue($request->isSecure());

// trusted proxy via setTrustedProxies()
Request::setTrustedProxies(['3.3.3.4', '2.2.2.2'], Request::HEADER_X_FORWARDED_ALL);
Request::setTrustedProxies(['3.3.3.4', '2.2.2.2'], Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO);
$this->assertEquals('3.3.3.3', $request->getClientIp());
$this->assertEquals('example.com', $request->getHost());
$this->assertEquals(80, $request->getPort());
$this->assertFalse($request->isSecure());

// check various X_FORWARDED_PROTO header values
Request::setTrustedProxies(['3.3.3.3', '2.2.2.2'], Request::HEADER_X_FORWARDED_ALL);
Request::setTrustedProxies(['3.3.3.3', '2.2.2.2'], Request::HEADER_X_FORWARDED_PROTO);
$request->headers->set('X_FORWARDED_PROTO', 'ssl');
$this->assertTrue($request->isSecure());

Expand Down Expand Up @@ -2377,7 +2380,7 @@ public function testTrustedPort()

public function testTrustedPortDoesNotDefaultToZero()
{
Request::setTrustedProxies(['1.1.1.1'], Request::HEADER_X_FORWARDED_ALL);
Request::setTrustedProxies(['1.1.1.1'], Request::HEADER_X_FORWARDED_FOR);

$request = Request::create('/');
$request->server->set('REMOTE_ADDR', '1.1.1.1');
Expand All @@ -2393,7 +2396,7 @@ public function testTrustedPortDoesNotDefaultToZero()
public function testTrustedProxiesRemoteAddr($serverRemoteAddr, $trustedProxies, $result)
{
$_SERVER['REMOTE_ADDR'] = $serverRemoteAddr;
Request::setTrustedProxies($trustedProxies, Request::HEADER_X_FORWARDED_ALL);
Request::setTrustedProxies($trustedProxies, Request::HEADER_X_FORWARDED_FOR);
$this->assertSame($result, Request::getTrustedProxies());
}

Expand Down Expand Up @@ -2464,6 +2467,23 @@ public function preferSafeContentData()
],
];
}

/**
* @group legacy
*/
public function testXForwarededAllConstantDeprecated()
{
$this->expectDeprecation('Since symfony/http-fundation 5.2: The "HEADER_X_FORWARDED_ALL" constant is deprecated, use either "HEADER_X_FORWARDED_FOR | HEADER_X_FORWARDED_HOST | HEADER_X_FORWARDED_PORT | HEADER_X_FORWARDED_PROTO" or "HEADER_X_FORWARDED_AWS_ELB" or "HEADER_X_FORWARDED_TRAEFIK" constants instead.');

Request::setTrustedProxies([], Request::HEADER_X_FORWARDED_ALL);
}

public function testReservedFlags()
{
foreach ((new \ReflectionClass(Request::class))->getConstants() as $constant => $value) {
$this->assertNotSame(0b10000000, $value, sprintf('The constant "%s" should not use the reserved value "0b10000000".', $constant));
}
}
}

class RequestContentProxy extends Request
Expand Down
2 changes: 1 addition & 1 deletion 2 src/Symfony/Component/HttpKernel/Tests/HttpCache/HttpCacheTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1361,7 +1361,7 @@ public function testClientIpIsAlwaysLocalhostForForwardedRequests()
*/
public function testHttpCacheIsSetAsATrustedProxy(array $existing)
{
Request::setTrustedProxies($existing, Request::HEADER_X_FORWARDED_ALL);
Request::setTrustedProxies($existing, Request::HEADER_X_FORWARDED_FOR);

$this->setNextResponse();
$this->request('GET', '/', ['REMOTE_ADDR' => '10.0.0.1']);
Expand Down
Morty Proxy This is a proxified and sanitized view of the page, visit original site.