[HttpFoundation] added a check for the host header value
parent
fc89d6b643
commit
048979993e
@ -696,6 +696,8 @@ class Request
|
|||||||
*
|
*
|
||||||
* @return string
|
* @return string
|
||||||
*
|
*
|
||||||
|
* @throws \UnexpectedValueException when the host name is invalid
|
||||||
|
*
|
||||||
* @api
|
* @api
|
||||||
*/
|
*/
|
||||||
public function getHost()
|
public function getHost()
|
||||||
@ -703,19 +705,23 @@ class Request
|
|||||||
if (self::$trustProxy && $host = $this->headers->get('X_FORWARDED_HOST')) {
|
if (self::$trustProxy && $host = $this->headers->get('X_FORWARDED_HOST')) {
|
||||||
$elements = explode(',', $host);
|
$elements = explode(',', $host);
|
||||||
|
|
||||||
$host = trim($elements[count($elements) - 1]);
|
$host = $elements[count($elements) - 1];
|
||||||
} else {
|
} elseif (!$host = $this->headers->get('HOST')) {
|
||||||
if (!$host = $this->headers->get('HOST')) {
|
if (!$host = $this->server->get('SERVER_NAME')) {
|
||||||
if (!$host = $this->server->get('SERVER_NAME')) {
|
$host = $this->server->get('SERVER_ADDR', '');
|
||||||
$host = $this->server->get('SERVER_ADDR', '');
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Remove port number from host
|
// Trim and remove port number from host
|
||||||
$host = preg_replace('/:\d+$/', '', $host);
|
$host = trim(preg_replace('/:\d+$/', '', $host));
|
||||||
|
|
||||||
return trim($host);
|
// as the host can come from the user (HTTP_HOST and depending on the configuration, SERVER_NAME too can come from the user)
|
||||||
|
// check that it does not contain forbidden characters (see RFC 952 and RFC 2181)
|
||||||
|
if ($host && !preg_match('/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/', $host)) {
|
||||||
|
throw new \UnexpectedValueException('Invalid Host');
|
||||||
|
}
|
||||||
|
|
||||||
|
return $host;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
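Review bot: The pattern in the new `preg_match` line nests an unbounded `[...]+` inside a repeated group whose `\.?` separator is optional, so a Host value made of a long run of permitted characters followed by one forbidden character (say 30 letters and a `?`) makes PCRE try every way of splitting the run before the match fails, exponential work on an attacker-controlled header that is bounded only by pcre.backtrack_limit, and when that limit is hit `preg_match` returns `false` rather than `0`, which the `!` test treats as "invalid" only by accident. Making the dot a mandatory separator keeps the accepted set identical (runs of permitted characters, single dots between them, optional trailing dot) and removes the ambiguity: `if ($host && !preg_match('/^\[?[a-zA-Z0-9-:\]_]+(?:\.[a-zA-Z0-9-:\]_]+)*\.?$/', $host)) {`. The character filter is also the only check: a syntactically clean but foreign host still passes, so code that builds absolute URLs from `getHost()` (password-reset links, redirects) still needs a trusted-host allowlist, which the comment above the check should state, e.g. `// NOTE: this only rejects forbidden characters; it does not verify the host is one this application serves`. Since `:` is allowed for IPv6 literals but only `:\d+` is stripped on the preceding line, a non-numeric suffix such as `host.com:abc` also survives validation. getHost()'s signature is in the previous hunk and its opening lines are not shown here.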
|
@ -417,9 +417,6 @@ class RequestTest extends \PHPUnit_Framework_TestCase
|
|||||||
$this->assertEquals('foo=1&foo=2', $request->getQueryString(), '->getQueryString() allows repeated parameters');
|
$this->assertEquals('foo=1&foo=2', $request->getQueryString(), '->getQueryString() allows repeated parameters');
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* @covers Symfony\Component\HttpFoundation\Request::getHost
|
|
||||||
*/
|
|
||||||
public function testGetHost()
|
public function testGetHost()
|
||||||
{
|
{
|
||||||
$request = new Request();
|
$request = new Request();
|
||||||
@ -458,6 +455,17 @@ class RequestTest extends \PHPUnit_Framework_TestCase
|
|||||||
|
|
||||||
$request->initialize(array(), array(), array(), array(), array(), array('SERVER_NAME' => 'www.exemple.com', 'HTTP_HOST' => 'www.host.com'));
|
$request->initialize(array(), array(), array(), array(), array(), array('SERVER_NAME' => 'www.exemple.com', 'HTTP_HOST' => 'www.host.com'));
|
||||||
$this->assertEquals('www.host.com', $request->getHost(), '->getHost() value from Host header has priority over SERVER_NAME ');
|
$this->assertEquals('www.host.com', $request->getHost(), '->getHost() value from Host header has priority over SERVER_NAME ');
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @expectedException RuntimeException
|
||||||
|
*/
|
||||||
|
public function testGetHostWithFakeHttpHostValue()
|
||||||
|
{
|
||||||
|
$request = new Request();
|
||||||
|
$request->initialize(array(), array(), array(), array(), array(), array('HTTP_HOST' => 'www.host.com?query=string'));
|
||||||
|
$request->getHost();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
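Review bot: `testGetHostWithFakeHttpHostValue` expects `RuntimeException` while the check it exercises throws `\UnexpectedValueException`; it passes only because the latter extends `RuntimeException`, so it would also pass on any unrelated runtime failure inside getHost(). Expect the concrete class, `* @expectedException UnexpectedValueException`, so the assertion stays tied to the new validation. It would also help to add positive cases for the forms the new regex is written to accept but no test covers, such as a bracketed IPv6 literal `[::1]` and a trailing-dot FQDN `www.host.com.`, so a later tightening of the pattern cannot silently break them.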
|