[HttpFoundation] added a check for the host header value

This commit is contained in:
Fabien Potencier 2012-12-06 13:50:59 +01:00
parent fc89d6b643
commit 048979993e
2 changed files with 26 additions and 12 deletions


@ -696,6 +696,8 @@ class Request
* *
* @return string * @return string
* *
* @throws \UnexpectedValueException when the host name is invalid
*
* @api * @api
*/ */
public function getHost() public function getHost()
@ -703,19 +705,23 @@ class Request
if (self::$trustProxy && $host = $this->headers->get('X_FORWARDED_HOST')) { if (self::$trustProxy && $host = $this->headers->get('X_FORWARDED_HOST')) {
$elements = explode(',', $host); $elements = explode(',', $host);
$host = trim($elements[count($elements) - 1]); $host = $elements[count($elements) - 1];
} else { } elseif (!$host = $this->headers->get('HOST')) {
if (!$host = $this->headers->get('HOST')) { if (!$host = $this->server->get('SERVER_NAME')) {
if (!$host = $this->server->get('SERVER_NAME')) { $host = $this->server->get('SERVER_ADDR', '');
$host = $this->server->get('SERVER_ADDR', '');
}
} }
} }
// Remove port number from host // Trim and remove port number from host
$host = preg_replace('/:\d+$/', '', $host); $host = trim(preg_replace('/:\d+$/', '', $host));
return trim($host); // as the host can come from the user (HTTP_HOST and depending on the configuration, SERVER_NAME too can come from the user)
// check that it does not contain forbidden characters (see RFC 952 and RFC 2181)
if ($host && !preg_match('/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/', $host)) {
throw new \UnexpectedValueException('Invalid Host');
}
return $host;
} }
/** /**
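Review bot: The allow-list added before the `return $host;` line rejects hosts with characters outside the pattern, but any well-formed attacker-chosen Host header still passes, so callers of getHost() must not read the exception as a guarantee that the value names a host this application serves; the docblock in the previous hunk should say so, e.g. `* Note: the host is only checked against a character allow-list (RFC 952 / RFC 2181), not against the hosts this application is meant to serve.` The pattern `(?:[a-zA-Z0-9-:\]_]+\.?)+` also nests an unbounded repeat inside another with an optional separator between them, so a long value that does not match can make PCRE backtrack heavily before failing; if that hits the backtrack limit preg_match() returns false, which the `!preg_match(...)` test treats as invalid and throws, the safe direction, but it deserves a comment such as `// a false return from preg_match() (e.g. backtrack limit) is treated as invalid too`. getHost()'s signature and opening brace sit outside this hunk.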


@ -417,9 +417,6 @@ class RequestTest extends \PHPUnit_Framework_TestCase
$this->assertEquals('foo=1&foo=2', $request->getQueryString(), '->getQueryString() allows repeated parameters'); $this->assertEquals('foo=1&foo=2', $request->getQueryString(), '->getQueryString() allows repeated parameters');
} }
/**
* @covers Symfony\Component\HttpFoundation\Request::getHost
*/
public function testGetHost() public function testGetHost()
{ {
$request = new Request(); $request = new Request();
@ -458,6 +455,17 @@ class RequestTest extends \PHPUnit_Framework_TestCase
$request->initialize(array(), array(), array(), array(), array(), array('SERVER_NAME' => 'www.exemple.com', 'HTTP_HOST' => 'www.host.com')); $request->initialize(array(), array(), array(), array(), array(), array('SERVER_NAME' => 'www.exemple.com', 'HTTP_HOST' => 'www.host.com'));
$this->assertEquals('www.host.com', $request->getHost(), '->getHost() value from Host header has priority over SERVER_NAME '); $this->assertEquals('www.host.com', $request->getHost(), '->getHost() value from Host header has priority over SERVER_NAME ');
}
/**
* @expectedException RuntimeException
*/
public function testGetHostWithFakeHttpHostValue()
{
$request = new Request();
$request->initialize(array(), array(), array(), array(), array(), array('HTTP_HOST' => 'www.host.com?query=string'));
$request->getHost();
} }
/** /**