diogo
/
symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[HttpFoundation] Remove support for legacy and risky HTTP headers

This commit is contained in:
Nicolas Grekas 2018-07-14 21:56:04 +02:00
parent 091f9ff386
commit e447e8b921
3 changed files with 7 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/Symfony/Component/HttpFoundation/CHANGELOG.md
View File

@ -1,6 +1,12 @@
CHANGELOG
=========
2.8.44
------
* [BC BREAK] Support for the IIS-only `X_ORIGINAL_URL` and `X_REWRITE_URL`
HTTP headers has been dropped for security reasons.
2.8.0
-----

13
src/Symfony/Component/HttpFoundation/Request.php
View File

@ -1691,18 +1691,7 @@ class Request
{
$requestUri = '';
if ($this->headers->has('X_ORIGINAL_URL')) {
// IIS with Microsoft Rewrite Module
$requestUri = $this->headers->get('X_ORIGINAL_URL');
$this->headers->remove('X_ORIGINAL_URL');
$this->server->remove('HTTP_X_ORIGINAL_URL');
$this->server->remove('UNENCODED_URL');
$this->server->remove('IIS_WasUrlRewritten');
} elseif ($this->headers->has('X_REWRITE_URL')) {
// IIS with ISAPI_Rewrite
$requestUri = $this->headers->get('X_REWRITE_URL');
$this->headers->remove('X_REWRITE_URL');
} elseif ('1' == $this->server->get('IIS_WasUrlRewritten') && '' != $this->server->get('UNENCODED_URL')) {
if ('1' == $this->server->get('IIS_WasUrlRewritten') && '' != $this->server->get('UNENCODED_URL')) {
// IIS7 with URL Rewrite: make sure we get the unencoded URL (double slash problem)
$requestUri = $this->server->get('UNENCODED_URL');
$this->server->remove('UNENCODED_URL');

44
src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
View File

@ -1808,20 +1808,6 @@ class RequestTest extends TestCase
public function iisRequestUriProvider()
{
return array(
array(
array(
'X_ORIGINAL_URL' => '/foo/bar',
),
array(),
'/foo/bar',
),
array(
array(
'X_REWRITE_URL' => '/foo/bar',
),
array(),
'/foo/bar',
),
array(
array(),
array(
@ -1830,36 +1816,6 @@ class RequestTest extends TestCase
),
'/foo/bar',
),
array(
array(
'X_ORIGINAL_URL' => '/foo/bar',
),
array(
'HTTP_X_ORIGINAL_URL' => '/foo/bar',
),
'/foo/bar',
),
array(
array(
'X_ORIGINAL_URL' => '/foo/bar',
),
array(
'IIS_WasUrlRewritten' => '1',
'UNENCODED_URL' => '/foo/bar',
),
'/foo/bar',
),
array(
array(
'X_ORIGINAL_URL' => '/foo/bar',
),
array(
'HTTP_X_ORIGINAL_URL' => '/foo/bar',
'IIS_WasUrlRewritten' => '1',
'UNENCODED_URL' => '/foo/bar',
),
'/foo/bar',
),
array(
array(),
array(