[FrameworkBundle] allow configuring trusted proxies using semantic configuration

nicolas-grekas · nicolas-grekas · commit f7dbc35bf32b · 2020-06-20T15:06:05.000+02:00
diff --git a/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md b/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
@@ -5,6 +5,7 @@ CHANGELOG
 -----
 
  * Added `framework.http_cache` configuration tree
+ * Added `framework.trusted_proxies` and `framework.trusted_headers` configuration options
 
 5.1.0
 -----
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -85,6 +85,19 @@ public function getConfigTreeBuilder()
                     ->beforeNormalization()->ifString()->then(function ($v) { return [$v]; })->end()
                     ->prototype('scalar')->end()
                 ->end()
+                ->scalarNode('trusted_proxies')->end()
+                ->arrayNode('trusted_headers')
+                    ->fixXmlConfig('trusted_header')
+                    ->defaultValue(['x-forwarded-all', '!x-forwarded-host', '!x-forwarded-prefix'])
+                    ->beforeNormalization()->ifString()->then(function ($v) { return $v ? array_map('trim', explode(',', $v)) : []; })->end()
+                    ->enumPrototype()
+                        ->values([
+                            'forwarded',
+                            'x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port',
+                            'x-forwarded-all', '!x-forwarded-host', '!x-forwarded-prefix',
+                        ])
+                    ->end()
+                ->end()
                 ->scalarNode('error_controller')
                     ->defaultValue('error_controller')
                 ->end()
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -65,6 +65,7 @@
 use Symfony\Component\Form\FormTypeGuesserInterface;
 use Symfony\Component\Form\FormTypeInterface;
 use Symfony\Component\HttpClient\ScopingHttpClient;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\CacheClearer\CacheClearerInterface;
 use Symfony\Component\HttpKernel\CacheWarmer\CacheWarmerInterface;
 use Symfony\Component\HttpKernel\Controller\ArgumentValueResolverInterface;
@@ -241,6 +242,11 @@ public function load(array $configs, ContainerBuilder $container)
         $container->setParameter('kernel.default_locale', $config['default_locale']);
         $container->setParameter('kernel.error_controller', $config['error_controller']);
 
+        if (isset($config['trusted_proxies'], $config['trusted_headers'])) {
+            $container->setParameter('kernel.trusted_proxies', $config['trusted_proxies']);
+            $container->setParameter('kernel.trusted_headers', $this->resolveTrustedHeaders($config['trusted_headers']));
+        }
+
         if (!$container->hasParameter('debug.file_link_format')) {
             $links = [
                 'textmate' => 'txmt://open?url=file://%%f&line=%%l',
@@ -2096,6 +2102,30 @@ private function registerNotifierConfiguration(array $config, ContainerBuilder $
         }
     }
 
+    private function resolveTrustedHeaders(array $headers): int
+    {
+        $trustedHeaders = 0;
+
+        foreach ($headers as $h) {
+            switch ($h) {
+                case 'forwarded': $trustedHeaders |= Request::HEADER_FORWARDED; break;
+                case 'x-forwarded-for': $trustedHeaders |= Request::HEADER_X_FORWARDED_FOR; break;
+                case 'x-forwarded-host': $trustedHeaders |= Request::HEADER_X_FORWARDED_HOST; break;
+                case 'x-forwarded-proto': $trustedHeaders |= Request::HEADER_X_FORWARDED_PROTO; break;
+                case 'x-forwarded-port': $trustedHeaders |= Request::HEADER_X_FORWARDED_PORT; break;
+                case '!x-forwarded-host': $trustedHeaders &= ~Request::HEADER_X_FORWARDED_HOST; break;
+                case 'x-forwarded-all':
+                    if (!\in_array('!x-forwarded-prefix', $headers)) {
+                        throw new LogicException('When using "x-forwarded-all" in "framework.trusted_headers", "!x-forwarded-prefix" must be explicitly listed until support for X-Forwarded-Prefix is implemented.');
+                    }
+                    $trustedHeaders |= Request::HEADER_X_FORWARDED_ALL;
+                    break;
+            }
+        }
+
+        return $trustedHeaders;
+    }
+
     /**
      * {@inheritdoc}
      */
diff --git a/src/Symfony/Bundle/FrameworkBundle/FrameworkBundle.php b/src/Symfony/Bundle/FrameworkBundle/FrameworkBundle.php
@@ -95,10 +95,6 @@ public function boot()
         if ($this->container->getParameter('kernel.http_method_override')) {
             Request::enableHttpMethodParameterOverride();
         }
-
-        if ($trustedHosts = $this->container->getParameter('kernel.trusted_hosts')) {
-            Request::setTrustedHosts($trustedHosts);
-        }
     }
 
     public function build(ContainerBuilder $container)
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd b/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd
@@ -42,6 +42,9 @@
         <xsd:attribute name="default-locale" type="xsd:string" />
         <xsd:attribute name="test" type="xsd:boolean" />
         <xsd:attribute name="error-controller" type="xsd:string" />
+        <xsd:attribute name="trusted_hosts" type="xsd:string" />
+        <xsd:attribute name="trusted_proxies" type="xsd:string" />
+        <xsd:attribute name="trusted_headers" type="xsd:string" />
     </xsd:complexType>
 
     <xsd:complexType name="form">
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
@@ -341,6 +341,11 @@ protected static function getBundleDefaultConfig()
             'http_method_override' => true,
             'ide' => null,
             'default_locale' => 'en',
+            'trusted_headers' => [
+                'x-forwarded-all',
+                '!x-forwarded-host',
+                '!x-forwarded-prefix',
+            ],
             'csrf_protection' => [
                 'enabled' => false,
             ],
diff --git a/src/Symfony/Component/HttpKernel/CHANGELOG.md b/src/Symfony/Component/HttpKernel/CHANGELOG.md
@@ -5,6 +5,8 @@ CHANGELOG
 -----
 
  * made the public `http_cache` service handle requests when available
+ * allowed enabling trusted hosts and proxies using new `kernel.trusted_hosts`,
+   `kernel.trusted_proxies` and `kernel.trusted_headers` parameters
 
 5.1.0
 -----
diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php
@@ -764,7 +764,17 @@ private function preBoot(): ContainerInterface
         $this->initializeBundles();
         $this->initializeContainer();
 
-        return $this->container;
+        $container = $this->container;
+
+        if ($container->hasParameter('kernel.trusted_hosts') && $trustedHosts = $container->getParameter('kernel.trusted_hosts')) {
+            Request::setTrustedHosts($trustedHosts);
+        }
+
+        if ($container->hasParameter('kernel.trusted_proxies') && $container->hasParameter('kernel.trusted_headers') && $trustedProxies = $container->getParameter('kernel.trusted_proxies')) {
+            Request::setTrustedProxies(explode(',', $trustedProxies), $container->getParameter('kernel.trusted_headers'));
+        }
+
+        return $container;
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -95,10 +95,6 @@ public function boot()`
`95`	`95`	`if ($this->container->getParameter('kernel.http_method_override')) {`
`96`	`96`	`Request::enableHttpMethodParameterOverride();`
`97`	`97`	`}`
`98`		`-`
`99`		`- if ($trustedHosts = $this->container->getParameter('kernel.trusted_hosts')) {`
`100`		`- Request::setTrustedHosts($trustedHosts);`
`101`		`- }`
`102`	`98`	`}`
`103`	`99`
`104`	`100`	`public function build(ContainerBuilder $container)`