bug#9103 [HttpFoundation] Header HTTP_X_FORWARDED_PROTO
can contain various values (stloyd)
This PR was merged into the 2.2 branch.
Discussion
----------
[HttpFoundation] Header `HTTP_X_FORWARDED_PROTO` can contain various values
Header `HTTP_X_FORWARDED_PROTO` can contain various values. Some proxies use `ssl` instead of `https`, and Lighttpd mod_proxy allows value chaining (`https, http`, where `https` is always first when the request is encrypted).
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Tests pass? | yes
| Fixed tickets | #9101
| License | MIT
Commits
-------
d997443
[HttpFoundation] Header `HTTP_X_FORWARDED_PROTO` can contain various values Some proxies use `ssl` instead of `https`, as well as Lighttpd mod_proxy allows value chaining (`https, http`, where `https` is always first when request is encrypted).
commit
757efb656e
@ -1066,7 +1066,7 @@ class Request
|
||||
public function isSecure()
|
||||
{
|
||||
if (self::$trustProxy && self::$trustedHeaders[self::HEADER_CLIENT_PROTO] && $proto = $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_PROTO])) {
|
||||
return in_array(strtolower($proto), array('https', 'on', '1'));
|
||||
return in_array(strtolower(current(explode(',', $proto))), array('https', 'on', 'ssl', '1'));
|
||||
}
|
||||
|
||||
return 'on' == strtolower($this->server->get('HTTPS')) || 1 == $this->server->get('HTTPS');
|
||||
|
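Review bot: Taking `current(explode(',', $proto))` in the new `return` line trusts the left-most value of a chained header, which is the entry furthest from the trusted proxy. If a proxy appends its value to a header the client already sent instead of overwriting it, a plain-HTTP request could be reported as secure. The commit message says Lighttpd puts `https` first for encrypted requests, but nothing visible here guarantees that ordering for other proxies, so I would document the assumption above the line, e.g. `// Only the first value is read: the trusted proxy must strip or overwrite any client-supplied X-Forwarded-Proto.` Separately, the element is not trimmed and `in_array()` compares loosely, so a value such as `1.0` matches `'1'`; `return in_array(strtolower(trim(current(explode(',', $proto)))), array('https', 'on', 'ssl', '1'), true);` closes both. The closing brace of isSecure() lies outside the hunk.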
@ -1438,6 +1438,13 @@ class RequestTest extends \PHPUnit_Framework_TestCase
|
||||
$this->assertEquals(443, $request->getPort());
|
||||
$this->assertTrue($request->isSecure());
|
||||
|
||||
// check various X_FORWARDED_PROTO header values
|
||||
$request->headers->set('X_FORWARDED_PROTO', 'ssl');
|
||||
$this->assertTrue($request->isSecure());
|
||||
|
||||
$request->headers->set('X_FORWARDED_PROTO', 'https, http');
|
||||
$this->assertTrue($request->isSecure());
|
||||
|
||||
// custom header names
|
||||
Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X_MY_FOR');
|
||||
Request::setTrustedHeaderName(Request::HEADER_CLIENT_HOST, 'X_MY_HOST');
|
||||
|
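Review bot: The assertions added under `// check various X_FORWARDED_PROTO header values` only cover values that must be accepted, so nothing pins the rejecting side of the new first-element parsing. I would add a case whose first value is not a secure marker, e.g. `$request->headers->set('X_FORWARDED_PROTO', 'http, https');` followed by `$this->assertFalse($request->isSecure());`. This relies on the trusted-proxy setup made earlier in the test method, which starts outside the hunk, so confirm that setup is still in effect at this point.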