Merge branch '2.8' into 3.4

nicolas-grekas · nicolas-grekas · commit 96e0833b9323 · 2018-08-24T16:37:40.000+02:00
* 2.8:
  [HttpKernel] fix forwarding trusted headers as server parameters
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
@@ -2134,7 +2134,7 @@ private function normalizeAndFilterClientIps(array $clientIps, $ip)
                 if ($i) {
                     $clientIps[$key] = $clientIp = substr($clientIp, 0, $i);
                 }
-            } elseif ('[' == $clientIp[0]) {
+            } elseif (0 === strpos($clientIp, '[')) {
                 // Strip brackets and :port from IPv6 addresses.
                 $i = strpos($clientIp, ']', 1);
                 $clientIps[$key] = $clientIp = substr($clientIp, 1, $i - 1);
diff --git a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
@@ -900,7 +900,7 @@ public function getClientIpsForwardedProvider()
 
     public function getClientIpsProvider()
     {
-        //        $expected                   $remoteAddr                $httpForwardedFor            $trustedProxies
+        //        $expected                          $remoteAddr                 $httpForwardedFor            $trustedProxies
         return array(
             // simple IPv4
             array(array('88.88.88.88'),              '88.88.88.88',              null,                        null),
@@ -914,8 +914,8 @@ public function getClientIpsProvider()
 
             // forwarded for with remote IPv4 addr not trusted
             array(array('127.0.0.1'),                '127.0.0.1',                '88.88.88.88',               null),
-            // forwarded for with remote IPv4 addr trusted
-            array(array('88.88.88.88'),              '127.0.0.1',                '88.88.88.88',               array('127.0.0.1')),
+            // forwarded for with remote IPv4 addr trusted + comma
+            array(array('88.88.88.88'),              '127.0.0.1',                '88.88.88.88,',              array('127.0.0.1')),
             // forwarded for with remote IPv4 and all FF addrs trusted
             array(array('88.88.88.88'),              '127.0.0.1',                '88.88.88.88',               array('127.0.0.1', '88.88.88.88')),
             // forwarded for with remote IPv4 range trusted
diff --git a/src/Symfony/Component/HttpKernel/HttpCache/SubRequestHandler.php b/src/Symfony/Component/HttpKernel/HttpCache/SubRequestHandler.php
@@ -57,6 +57,7 @@ public static function handle(HttpKernelInterface $kernel, Request $request, $ty
             foreach ($trustedHeaders as $key => $name) {
                 if ($trustedHeaderSet & $key) {
                     $request->headers->remove($name);
+                    $request->server->remove('HTTP_'.strtoupper(str_replace('-', '_', $name)));
                 }
             }
         }
@@ -76,13 +77,16 @@ public static function handle(HttpKernelInterface $kernel, Request $request, $ty
         // set trusted values, reusing as much as possible the global trusted settings
         if (Request::HEADER_FORWARDED & $trustedHeaderSet) {
             $trustedValues[0] .= sprintf(';host="%s";proto=%s', $request->getHttpHost(), $request->getScheme());
-            $request->headers->set($trustedHeaders[Request::HEADER_FORWARDED], implode(', ', $trustedValues));
+            $request->headers->set($name = $trustedHeaders[Request::HEADER_FORWARDED], $v = implode(', ', $trustedValues));
+            $request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);
         }
         if (Request::HEADER_X_FORWARDED_FOR & $trustedHeaderSet) {
-            $request->headers->set($trustedHeaders[Request::HEADER_X_FORWARDED_FOR], implode(', ', $trustedIps));
+            $request->headers->set($name = $trustedHeaders[Request::HEADER_X_FORWARDED_FOR], $v = implode(', ', $trustedIps));
+            $request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);
         } elseif (!(Request::HEADER_FORWARDED & $trustedHeaderSet)) {
             Request::setTrustedProxies($trustedProxies, $trustedHeaderSet | Request::HEADER_X_FORWARDED_FOR);
-            $request->headers->set($trustedHeaders[Request::HEADER_X_FORWARDED_FOR], implode(', ', $trustedIps));
+            $request->headers->set($name = $trustedHeaders[Request::HEADER_X_FORWARDED_FOR], $v = implode(', ', $trustedIps));
+            $request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);
         }
 
         // fix the client IP address by setting it to 127.0.0.1,
diff --git a/src/Symfony/Component/HttpKernel/Tests/Fragment/InlineFragmentRendererTest.php b/src/Symfony/Component/HttpKernel/Tests/Fragment/InlineFragmentRendererTest.php
@@ -47,6 +47,8 @@ public function testRenderWithObjectsAsAttributes()
         $subRequest->attributes->replace(array('object' => $object, '_format' => 'html', '_controller' => 'main_controller', '_locale' => 'en'));
         $subRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
         $subRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
+        $subRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
+        $subRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');
 
         $strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($subRequest));
 
@@ -101,6 +103,7 @@ public function testRenderWithTrustedHeaderDisabled()
 
         $expectedSubRequest = Request::create('/');
         $expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
+        $expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
 
         $strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($expectedSubRequest));
         $this->assertSame('foo', $strategy->render('/', Request::create('/'))->getContent());
@@ -193,8 +196,10 @@ public function testESIHeaderIsKeptInSubrequest()
 
         if (Request::HEADER_X_FORWARDED_FOR & Request::getTrustedHeaderSet()) {
             $expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
+            $expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
         }
         $expectedSubRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
+        $expectedSubRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');
 
         $strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($expectedSubRequest));
 
@@ -217,6 +222,8 @@ public function testHeadersPossiblyResultingIn304AreNotAssignedToSubrequest()
         $expectedSubRequest = Request::create('/');
         $expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
         $expectedSubRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
+        $expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
+        $expectedSubRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');
 
         $strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($expectedSubRequest));
         $request = Request::create('/', 'GET', array(), array(), array(), array('HTTP_IF_MODIFIED_SINCE' => 'Fri, 01 Jan 2016 00:00:00 GMT', 'HTTP_IF_NONE_MATCH' => '*'));
@@ -232,6 +239,8 @@ public function testFirstTrustedProxyIsSetAsRemote()
         $expectedSubRequest->server->set('REMOTE_ADDR', '127.0.0.1');
         $expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
         $expectedSubRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
+        $expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
+        $expectedSubRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');
 
         $strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($expectedSubRequest));
 
@@ -249,6 +258,8 @@ public function testIpAddressOfRangedTrustedProxyIsSetAsRemote()
         $expectedSubRequest->server->set('REMOTE_ADDR', '127.0.0.1');
         $expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
         $expectedSubRequest->headers->set('forwarded', array('for="127.0.0.1";host="localhost";proto=http'));
+        $expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
+        $expectedSubRequest->server->set('HTTP_FORWARDED', 'for="127.0.0.1";host="localhost";proto=http');
 
         Request::setTrustedProxies(array('1.1.1.1/24'), -1);
 

Original file line number	Diff line number	Diff line change
`@@ -2134,7 +2134,7 @@ private function normalizeAndFilterClientIps(array $clientIps, $ip)`
`2134`	`2134`	`if ($i) {`
`2135`	`2135`	`$clientIps[$key] = $clientIp = substr($clientIp, 0, $i);`
`2136`	`2136`	`}`
`2137`		`- } elseif ('[' == $clientIp[0]) {`
	`2137`	`+ } elseif (0 === strpos($clientIp, '[')) {`
`2138`	`2138`	`// Strip brackets and :port from IPv6 addresses.`
`2139`	`2139`	`$i = strpos($clientIp, ']', 1);`
`2140`	`2140`	`$clientIps[$key] = $clientIp = substr($clientIp, 1, $i - 1);`
Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,7 @@ public static function handle(HttpKernelInterface $kernel, Request $request, $ty`
`57`	`57`	`foreach ($trustedHeaders as $key => $name) {`
`58`	`58`	`if ($trustedHeaderSet & $key) {`
`59`	`59`	`$request->headers->remove($name);`
	`60`	`+ $request->server->remove('HTTP_'.strtoupper(str_replace('-', '_', $name)));`
`60`	`61`	`}`
`61`	`62`	`}`
`62`	`63`	`}`
`@@ -76,13 +77,16 @@ public static function handle(HttpKernelInterface $kernel, Request $request, $ty`
`76`	`77`	`// set trusted values, reusing as much as possible the global trusted settings`
`77`	`78`	`if (Request::HEADER_FORWARDED & $trustedHeaderSet) {`
`78`	`79`	`$trustedValues[0] .= sprintf(';host="%s";proto=%s', $request->getHttpHost(), $request->getScheme());`
`79`		`- $request->headers->set($trustedHeaders[Request::HEADER_FORWARDED], implode(', ', $trustedValues));`
	`80`	`+ $request->headers->set($name = $trustedHeaders[Request::HEADER_FORWARDED], $v = implode(', ', $trustedValues));`
	`81`	`+ $request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);`
`80`	`82`	`}`
`81`	`83`	`if (Request::HEADER_X_FORWARDED_FOR & $trustedHeaderSet) {`
`82`		`- $request->headers->set($trustedHeaders[Request::HEADER_X_FORWARDED_FOR], implode(', ', $trustedIps));`
	`84`	`+ $request->headers->set($name = $trustedHeaders[Request::HEADER_X_FORWARDED_FOR], $v = implode(', ', $trustedIps));`
	`85`	`+ $request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);`
`83`	`86`	`} elseif (!(Request::HEADER_FORWARDED & $trustedHeaderSet)) {`
`84`	`87`	`Request::setTrustedProxies($trustedProxies, $trustedHeaderSet \| Request::HEADER_X_FORWARDED_FOR);`
`85`		`- $request->headers->set($trustedHeaders[Request::HEADER_X_FORWARDED_FOR], implode(', ', $trustedIps));`
	`88`	`+ $request->headers->set($name = $trustedHeaders[Request::HEADER_X_FORWARDED_FOR], $v = implode(', ', $trustedIps));`
	`89`	`+ $request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);`
`86`	`90`	`}`
`87`	`91`
`88`	`92`	`// fix the client IP address by setting it to 127.0.0.1,`