diogo
/
symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

isFromTrustedProxy to confirm request came from a trusted proxy.

This commit is contained in:
James Gilliland 2015-02-17 11:56:59 -06:00 committed by Fabien Potencier
parent 9215c222ff
commit 6c73f0ce93
2 changed files with 34 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/Symfony/Component/HttpFoundation/Request.php
View File

@ -791,7 +791,7 @@ class Request
{ {
$ip = $this->server->get('REMOTE_ADDR'); $ip = $this->server->get('REMOTE_ADDR');
if (!self::$trustedProxies) { if (!$this->isFromTrustedProxy()) {
return array($ip); return array($ip);
} }
@ -957,7 +957,7 @@ class Request
*/ */
public function getPort() public function getPort()
{ {
if (self::$trustedProxies) { if ($this->isFromTrustedProxy()) {
if (self::$trustedHeaders[self::HEADER_CLIENT_PORT] && $port = $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_PORT])) { if (self::$trustedHeaders[self::HEADER_CLIENT_PORT] && $port = $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_PORT])) {
return $port; return $port;
} }
@ -1138,7 +1138,7 @@ class Request
*/ */
public function isSecure() public function isSecure()
{ {
if (self::$trustedProxies && self::$trustedHeaders[self::HEADER_CLIENT_PROTO] && $proto = $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_PROTO])) { if ($this->isFromTrustedProxy() && self::$trustedHeaders[self::HEADER_CLIENT_PROTO] && $proto = $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_PROTO])) {
return in_array(strtolower(current(explode(',', $proto))), array('https', 'on', 'ssl', '1')); return in_array(strtolower(current(explode(',', $proto))), array('https', 'on', 'ssl', '1'));
} }
@ -1166,7 +1166,7 @@ class Request
*/ */
public function getHost() public function getHost()
{ {
if (self::$trustedProxies && self::$trustedHeaders[self::HEADER_CLIENT_HOST] && $host = $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_HOST])) { if ($this->isFromTrustedProxy() && self::$trustedHeaders[self::HEADER_CLIENT_HOST] && $host = $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_HOST])) {
$elements = explode(',', $host); $elements = explode(',', $host);
$host = $elements[count($elements) - 1]; $host = $elements[count($elements) - 1];
@ -1853,4 +1853,9 @@ class Request
return false; return false;
} }
private function isFromTrustedProxy()
{
return self::$trustedProxies && IpUtils::checkIp($this->server->get('REMOTE_ADDR'), self::$trustedProxies);
}
} }

38
src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
View File

@ -722,35 +722,37 @@ class RequestTest extends \PHPUnit_Framework_TestCase
'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_FORWARDED_PROTO' => 'https',
'HTTP_X_FORWARDED_PORT' => '8443', 'HTTP_X_FORWARDED_PORT' => '8443',
)); ));
$port = $request->getPort(); $this->assertEquals(80, $request->getPort(), 'With PROTO and PORT on untrusted connection server value takes precedence.');
$request->server->set('REMOTE_ADDR', '1.1.1.1');
$this->assertEquals(8443, $port, 'With PROTO and PORT set PORT takes precedence.'); $this->assertEquals(8443, $request->getPort(), 'With PROTO and PORT set PORT takes precedence.');
$request = Request::create('http://example.com', 'GET', array(), array(), array(), array( $request = Request::create('http://example.com', 'GET', array(), array(), array(), array(
'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_FORWARDED_PROTO' => 'https',
)); ));
$port = $request->getPort(); $this->assertEquals(80, $request->getPort(), 'With only PROTO set getPort() ignores trusted headers on untrusted connection.');
$request->server->set('REMOTE_ADDR', '1.1.1.1');
$this->assertEquals(443, $port, 'With only PROTO set getPort() defaults to 443.'); $this->assertEquals(443, $request->getPort(), 'With only PROTO set getPort() defaults to 443.');
$request = Request::create('http://example.com', 'GET', array(), array(), array(), array( $request = Request::create('http://example.com', 'GET', array(), array(), array(), array(
'HTTP_X_FORWARDED_PROTO' => 'http', 'HTTP_X_FORWARDED_PROTO' => 'http',
)); ));
$port = $request->getPort(); $this->assertEquals(80, $request->getPort(), 'If X_FORWARDED_PROTO is set to HTTP getPort() ignores trusted headers on untrusted connection.');
$request->server->set('REMOTE_ADDR', '1.1.1.1');
$this->assertEquals(80, $port, 'If X_FORWARDED_PROTO is set to HTTP return 80.'); $this->assertEquals(80, $request->getPort(), 'If X_FORWARDED_PROTO is set to HTTP getPort() returns port of the original request.');
$request = Request::create('http://example.com', 'GET', array(), array(), array(), array( $request = Request::create('http://example.com', 'GET', array(), array(), array(), array(
'HTTP_X_FORWARDED_PROTO' => 'On', 'HTTP_X_FORWARDED_PROTO' => 'On',
)); ));
$port = $request->getPort(); $this->assertEquals(80, $request->getPort(), 'With only PROTO set and value is On, getPort() ignores trusted headers on untrusted connection.');
$this->assertEquals(443, $port, 'With only PROTO set and value is On, getPort() defaults to 443.'); $request->server->set('REMOTE_ADDR', '1.1.1.1');
$this->assertEquals(443, $request->getPort(), 'With only PROTO set and value is On, getPort() defaults to 443.');
$request = Request::create('http://example.com', 'GET', array(), array(), array(), array( $request = Request::create('http://example.com', 'GET', array(), array(), array(), array(
'HTTP_X_FORWARDED_PROTO' => '1', 'HTTP_X_FORWARDED_PROTO' => '1',
)); ));
$port = $request->getPort(); $this->assertEquals(80, $request->getPort(), 'With only PROTO set and value is 1, getPort() ignores trusted headers on untrusted connection.');
$this->assertEquals(443, $port, 'With only PROTO set and value is 1, getPort() defaults to 443.'); $request->server->set('REMOTE_ADDR', '1.1.1.1');
$this->assertEquals(443, $request->getPort(), 'With only PROTO set and value is 1, getPort() defaults to 443.');
$request = Request::create('http://example.com', 'GET', array(), array(), array(), array( $request = Request::create('http://example.com', 'GET', array(), array(), array(), array(
'HTTP_X_FORWARDED_PROTO' => 'something-else', 'HTTP_X_FORWARDED_PROTO' => 'something-else',
@ -1020,6 +1022,8 @@ class RequestTest extends \PHPUnit_Framework_TestCase
$request->headers->set('X_FORWARDED_PROTO', 'https'); $request->headers->set('X_FORWARDED_PROTO', 'https');
Request::setTrustedProxies(array('1.1.1.1')); Request::setTrustedProxies(array('1.1.1.1'));
$this->assertFalse($request->isSecure());
$request->server->set('REMOTE_ADDR', '1.1.1.1');
$this->assertTrue($request->isSecure()); $this->assertTrue($request->isSecure());
Request::setTrustedProxies(array()); Request::setTrustedProxies(array());
@ -1455,7 +1459,15 @@ class RequestTest extends \PHPUnit_Framework_TestCase
$this->assertEquals(443, $request->getPort()); $this->assertEquals(443, $request->getPort());
$this->assertTrue($request->isSecure()); $this->assertTrue($request->isSecure());
// trusted proxy via setTrustedProxies()
Request::setTrustedProxies(array('3.3.3.4', '2.2.2.2'));
$this->assertEquals('3.3.3.3', $request->getClientIp());
$this->assertEquals('example.com', $request->getHost());
$this->assertEquals(80, $request->getPort());
$this->assertFalse($request->isSecure());
// check various X_FORWARDED_PROTO header values // check various X_FORWARDED_PROTO header values
Request::setTrustedProxies(array('3.3.3.3', '2.2.2.2'));
$request->headers->set('X_FORWARDED_PROTO', 'ssl'); $request->headers->set('X_FORWARDED_PROTO', 'ssl');
$this->assertTrue($request->isSecure()); $this->assertTrue($request->isSecure());