RequestFactory: fix X-Forwarded-Host mixup with remote host

src/Http/RequestFactory.php

@@ -305,25 +305,24 @@ private function useForwardedProxy(Url $url, &$remoteAddr, &$remoteHost): void
 			$remoteAddr = str_contains($address, '[')
 				? substr($address, 1, strpos($address, ']') - 1) // IPv6
 				: explode(':', $address)[0];  // IPv4
+			$remoteHost = null;
 		}
 
 		if (isset($proxyParams['host']) && count($proxyParams['host']) === 1) {
 			$host = $proxyParams['host'][0];
 			$startingDelimiterPosition = strpos($host, '[');
 			if ($startingDelimiterPosition === false) { //IPv4
-				$remoteHostArr = explode(':', $host);
-				$remoteHost = $remoteHostArr[0];
-				$url->setHost($remoteHost);
-				if (isset($remoteHostArr[1])) {
-					$url->setPort((int) $remoteHostArr[1]);
+				$pair = explode(':', $host);
+				$url->setHost($pair[0]);
+				if (isset($pair[1])) {
+					$url->setPort((int) $pair[1]);
 				}
 			} else { //IPv6
 				$endingDelimiterPosition = strpos($host, ']');
-				$remoteHost = substr($host, strpos($host, '[') + 1, $endingDelimiterPosition - 1);
-				$url->setHost($remoteHost);
-				$remoteHostArr = explode(':', substr($host, $endingDelimiterPosition));
-				if (isset($remoteHostArr[1])) {
-					$url->setPort((int) $remoteHostArr[1]);
+				$url->setHost(substr($host, strpos($host, '[') + 1, $endingDelimiterPosition - 1));
+				$pair = explode(':', substr($host, $endingDelimiterPosition));
+				if (isset($pair[1])) {
+					$url->setPort((int) $pair[1]);
 				}
 			}
 		}
@@ -354,15 +353,15 @@ private function useNonstandardProxy(Url $url, &$remoteAddr, &$remoteHost): void
 			);
 			if ($xForwardedForWithoutProxies) {
 				$remoteAddr = trim(end($xForwardedForWithoutProxies));
+				$remoteHost = null;
 				$xForwardedForRealIpKey = key($xForwardedForWithoutProxies);
 			}
 		}
 
 		if (isset($xForwardedForRealIpKey) && !empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
 			$xForwardedHost = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);
 			if (isset($xForwardedHost[$xForwardedForRealIpKey])) {
-				$remoteHost = trim($xForwardedHost[$xForwardedForRealIpKey]);
-				$url->setHost($remoteHost);
+				$url->setHost(trim($xForwardedHost[$xForwardedForRealIpKey]));
 			}
 		}
 	}

tests/Http/RequestFactory.proxy.forwarded.phpt

@@ -25,7 +25,7 @@ test('', function () {
 
 	$factory->setProxy('127.0.0.1/8');
 	Assert::same('23.75.45.200', $factory->fromGlobals()->getRemoteAddress());
-	Assert::same('192.168.0.1', @$factory->fromGlobals()->getRemoteHost()); // deprecated
+	Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
 
 	$url = $factory->fromGlobals()->getUrl();
 	Assert::same('http', $url->getScheme());
@@ -43,7 +43,7 @@ test('', function () {
 
 	$factory->setProxy('127.0.0.3');
 	Assert::same('23.75.45.200', $factory->fromGlobals()->getRemoteAddress());
-	Assert::same('192.168.0.1', @$factory->fromGlobals()->getRemoteHost()); // deprecated
+	Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
 
 	$url = $factory->fromGlobals()->getUrl();
 	Assert::same(8080, $url->getPort());
@@ -62,7 +62,7 @@ test('', function () {
 
 	$factory->setProxy('127.0.0.3');
 	Assert::same('2001:db8:cafe::17', $factory->fromGlobals()->getRemoteAddress());
-	Assert::same('2001:db8:cafe::18', @$factory->fromGlobals()->getRemoteHost()); // deprecated
+	Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
 
 	$url = $factory->fromGlobals()->getUrl();
 	Assert::same('2001:db8:cafe::18', $url->getHost());
@@ -79,7 +79,7 @@ test('', function () {
 
 	$factory->setProxy('127.0.0.3');
 	Assert::same('2001:db8:cafe::17', $factory->fromGlobals()->getRemoteAddress());
-	Assert::same('2001:db8:cafe::18', @$factory->fromGlobals()->getRemoteHost()); // deprecated
+	Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
 
 	$url = $factory->fromGlobals()->getUrl();
 	Assert::same(47832, $url->getPort());

tests/Http/RequestFactory.proxy.x-forwarded.phpt

@@ -27,7 +27,7 @@ test('', function () {
 
 	$factory->setProxy('127.0.0.1/8');
 	Assert::same('23.75.45.200', $factory->fromGlobals()->getRemoteAddress());
-	Assert::same('otherhost', @$factory->fromGlobals()->getRemoteHost()); // deprecated
+	Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
 
 	$url = $factory->fromGlobals()->getUrl();
 	Assert::same('otherhost', $url->getHost());
@@ -44,12 +44,11 @@ test('', function () {
 	$factory = new RequestFactory;
 	$factory->setProxy('10.0.0.0/24');
 	Assert::same('172.16.0.1', $factory->fromGlobals()->getRemoteAddress());
-	Assert::same('real', @$factory->fromGlobals()->getRemoteHost()); // deprecated
+	Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
+	Assert::same('real', $factory->fromGlobals()->getUrl()->getHost());
 
 	$factory->setProxy(['10.0.0.1', '10.0.0.2']);
 	Assert::same('172.16.0.1', $factory->fromGlobals()->getRemoteAddress());
-	Assert::same('real', @$factory->fromGlobals()->getRemoteHost()); // deprecated
-
-	$url = $factory->fromGlobals()->getUrl();
-	Assert::same('real', $url->getHost());
+	Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
+	Assert::same('real', $factory->fromGlobals()->getUrl()->getHost());
 });