bug #26973 [HttpKernel] Set first trusted proxy as REMOTE_ADDR in InlineFragmentRenderer. (kmadejski)
This PR was squashed before being merged into the 2.8 branch (closes #26973).
Discussion
----------
[HttpKernel] Set first trusted proxy as REMOTE_ADDR in InlineFragmentRenderer.
| Q | A
| ------------- | ---
| Branch? | 2.7 and up
| Bug fix? | improvement
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ---
| License | MIT
| Doc PR | ---
The sub-request created in `InlineFragmentRenderer` explicitly sets `$server['REMOTE_ADDR']` to `127.0.0.1`. Therefore, `127.0.0.1` has to be listed in the TRUSTED_PROXIES environment variable; without that, `Request::isFromTrustedProxy()` will return false.
The current behavior can be problematic, for instance when images are rendered through sub-requests: their URLs might end up with an incorrect scheme (`http` instead of `https`).
Commits
-------
18f55feef8
[HttpKernel] Set first trusted proxy as REMOTE_ADDR in InlineFragmentRenderer.
commit
518ec864e9
@ -122,7 +122,9 @@ class InlineFragmentRenderer extends RoutableFragmentRenderer
|
|||||||
// Do nothing
|
// Do nothing
|
||||||
}
|
}
|
||||||
|
|
||||||
$server['REMOTE_ADDR'] = '127.0.0.1';
|
$trustedProxies = Request::getTrustedProxies();
|
||||||
|
$server['REMOTE_ADDR'] = $trustedProxies ? reset($trustedProxies) : '127.0.0.1';
|
||||||
|
|
||||||
unset($server['HTTP_IF_MODIFIED_SINCE']);
|
unset($server['HTTP_IF_MODIFIED_SINCE']);
|
||||||
unset($server['HTTP_IF_NONE_MATCH']);
|
unset($server['HTTP_IF_NONE_MATCH']);
|
||||||
|
|
||||||
|
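Review bot: The new line `$server['REMOTE_ADDR'] = $trustedProxies ? reset($trustedProxies) : '127.0.0.1';` copies the first trusted-proxy entry verbatim, but trusted proxies can be configured in CIDR notation, so REMOTE_ADDR may end up as a string like `10.0.0.0/8` (constructed example) that is not a valid IP address. Strip any mask before assigning, e.g. `$first = $trustedProxies ? reset($trustedProxies) : '127.0.0.1';` followed by `$server['REMOTE_ADDR'] = false !== ($i = strpos($first, '/')) ? substr($first, 0, $i) : $first;`. The sub-request now presents itself as coming from a trusted proxy, so it will presumably honour the forwarded headers it carries, and code that reads REMOTE_ADDR on sub-requests no longer sees loopback. A short comment above the assignment saying this is intended would help the next reader. The enclosing method starts and ends outside the hunk.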
@ -56,6 +56,7 @@ class InlineFragmentRendererTest extends TestCase
|
|||||||
$subRequest->attributes->replace(array('object' => $object, '_format' => 'html', '_controller' => 'main_controller', '_locale' => 'en'));
|
$subRequest->attributes->replace(array('object' => $object, '_format' => 'html', '_controller' => 'main_controller', '_locale' => 'en'));
|
||||||
$subRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
|
$subRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
|
||||||
$subRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
|
$subRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
|
||||||
|
$subRequest->server->set('REMOTE_ADDR', '1.1.1.1');
|
||||||
|
|
||||||
$strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($subRequest));
|
$strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest($subRequest));
|
||||||
|
|
||||||
@ -84,7 +85,7 @@ class InlineFragmentRendererTest extends TestCase
|
|||||||
{
|
{
|
||||||
Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, '');
|
Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, '');
|
||||||
|
|
||||||
$strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest(Request::create('/')));
|
$strategy = new InlineFragmentRenderer($this->getKernelExpectingRequest(Request::create('/', 'GET', array(), array(), array(), array('REMOTE_ADDR' => '1.1.1.1'))));
|
||||||
$this->assertSame('foo', $strategy->render('/', Request::create('/'))->getContent());
|
$this->assertSame('foo', $strategy->render('/', Request::create('/'))->getContent());
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -168,6 +169,7 @@ class InlineFragmentRendererTest extends TestCase
|
|||||||
{
|
{
|
||||||
$expectedSubRequest = Request::create('/');
|
$expectedSubRequest = Request::create('/');
|
||||||
$expectedSubRequest->headers->set('Surrogate-Capability', 'abc="ESI/1.0"');
|
$expectedSubRequest->headers->set('Surrogate-Capability', 'abc="ESI/1.0"');
|
||||||
|
$expectedSubRequest->server->set('REMOTE_ADDR', '1.1.1.1');
|
||||||
|
|
||||||
if (Request::getTrustedHeaderName(Request::HEADER_CLIENT_IP)) {
|
if (Request::getTrustedHeaderName(Request::HEADER_CLIENT_IP)) {
|
||||||
$expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
|
$expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
|
||||||
@ -193,7 +195,7 @@ class InlineFragmentRendererTest extends TestCase
|
|||||||
|
|
||||||
public function testHeadersPossiblyResultingIn304AreNotAssignedToSubrequest()
|
public function testHeadersPossiblyResultingIn304AreNotAssignedToSubrequest()
|
||||||
{
|
{
|
||||||
$expectedSubRequest = Request::create('/');
|
$expectedSubRequest = Request::create('/', 'GET', array(), array(), array(), array('REMOTE_ADDR' => '1.1.1.1'));
|
||||||
if (Request::getTrustedHeaderName(Request::HEADER_CLIENT_IP)) {
|
if (Request::getTrustedHeaderName(Request::HEADER_CLIENT_IP)) {
|
||||||
$expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
|
$expectedSubRequest->headers->set('x-forwarded-for', array('127.0.0.1'));
|
||||||
$expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
|
$expectedSubRequest->server->set('HTTP_X_FORWARDED_FOR', '127.0.0.1');
|
||||||
|
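Review bot: The updated expectations hard-code `'1.1.1.1'` as the sub-request's REMOTE_ADDR, but none of the visible hunks sets the trusted proxies, so the tests appear to depend on static `Request` state configured elsewhere (presumably in setUp, outside these hunks). Two other outcomes of the new code are not exercised here: the `'127.0.0.1'` fallback when no trusted proxy is configured, and a trusted proxy given as a subnet. Consider adding one case that calls `Request::setTrustedProxies(array())` and expects `'127.0.0.1'`, and one that uses a subnet entry such as `Request::setTrustedProxies(array('1.1.1.1/24'))`. Restoring the previous value in tearDown would keep the static state from leaking between tests.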