This repository has been archived on 2023-08-20. You can view files and clone it, but cannot push or open issues or pull requests.
symfony/src/Symfony/Bridge
Fabien Potencier 6251c4ee6e feature #38954 [HttpFoundation][FrameworkBundle] Deprecate the HEADER_X_FORWARDED_ALL constant (jderusse)
This PR was merged into the 5.2-dev branch.

Discussion
----------

[HttpFoundation][FrameworkBundle] Deprecate the HEADER_X_FORWARDED_ALL constant

| Q             | A
| ------------- | ---
| Branch?       | 5.x
| Bug fix?      | no
| New feature?  | no
| Deprecations? | yes
| Tickets       | -
| License       | MIT
| Doc PR        | TODO

The `HEADER_X_FORWARDED_ALL` constant implicitly trusts the `x-forwarded-host` header, leading to a possible host header attack (as warned in the [documentation](https://symfony.com/doc/current/reference/configuration/framework.html#trusted-hosts)).

Moreover, `HEADER_X_FORWARDED_ALL` does not really forward **all** headers, as it does not support `X-Forwarded-Prefix` headers.

This PR deprecates the constant and the new framework bundle configuration. It will be removed in 6.0. People have to use either:
- `Request::setTrustedProxies(['1.2.3.4'], Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO);`
- `Request::setTrustedProxies(['1.2.3.4'], Request::HEADER_X_FORWARDED_TRAEFIK);`
- `framework.trusted_headers: [x-forwarded-for, x-forwarded-host, x-forwarded-port, x-forwarded-proto]`

Commits
-------

7cf4dd6917 Deprecate HEADER_X_FORWARDED_ALL constant
2020-11-04 08:16:55 +01:00
..
Doctrine Merge branch '5.1' into 5.x 2020-11-01 17:14:45 +01:00
Monolog Deprecate HEADER_X_FORWARDED_ALL constant 2020-11-02 17:16:33 +01:00
PhpUnit Merge branch '5.1' into 5.x 2020-11-03 13:14:28 +01:00
ProxyManager Merge branch '4.4' into 5.1 2020-10-27 11:11:13 +01:00
Twig Merge branch '5.1' into 5.x 2020-10-28 22:46:03 +01:00