Fix missing extra trusted header in sub-request
jderusse committed Oct 9, 2021
1 parent 8089778 commit 95dcf51
Showing 2 changed files with 7 additions and 0 deletions.
Expand Up @@ -38,6 +38,7 @@ public static function handle(HttpKernelInterface $kernel, Request $request, int
'X_FORWARDED_HOST' => $trustedHeaderSet & Request::HEADER_X_FORWARDED_HOST,
'X_FORWARDED_PROTO' => $trustedHeaderSet & Request::HEADER_X_FORWARDED_PROTO,
'X_FORWARDED_PORT' => $trustedHeaderSet & Request::HEADER_X_FORWARDED_PORT,
'X_FORWARDED_PREFIX' => $trustedHeaderSet & Request::HEADER_X_FORWARDED_PREFIX,
];
foreach (array_filter($trustedHeaders) as $name => $key) {
$request->headers->remove($name);
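Review bot: The `$trustedHeaders` array on L12–L15 is a hand-maintained mirror of the `Request::HEADER_*` constant set, and this commit exists precisely because the two had drifted: a forwarded header that is missing from this map is never visited by the `foreach` on L17–L18, so it is simply not touched by the filtering that the method applies to the others. A comment above the array would make the maintenance obligation visible to the next person who adds a `Request::HEADER_*` constant, e.g. `// Must list every Request::HEADER_* forwarded-header bit; an unlisted header is not filtered by the loop below.` The `foreach` body continues past the end of the hunk, and `handle()` itself starts and ends outside it, so how the removed headers are later re-populated for the sub-request is not visible here.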
Expand Up @@ -42,13 +42,15 @@ public function testTrustedHeadersAreKept()
$request->headers->set('X-Forwarded-Host', 'Good');
$request->headers->set('X-Forwarded-Port', '1234');
$request->headers->set('X-Forwarded-Proto', 'https');
$request->headers->set('X-Forwarded-Prefix', '/admin');

$kernel = new TestSubRequestHandlerKernel(function ($request, $type, $catch) {
$this->assertSame('127.0.0.1', $request->server->get('REMOTE_ADDR'));
$this->assertSame('10.0.0.2', $request->getClientIp());
$this->assertSame('Good', $request->headers->get('X-Forwarded-Host'));
$this->assertSame('1234', $request->headers->get('X-Forwarded-Port'));
$this->assertSame('https', $request->headers->get('X-Forwarded-Proto'));
$this->assertSame('/admin', $request->headers->get('X-Forwarded-Prefix'));
});

SubRequestHandler::handle($kernel, $request, HttpKernelInterface::MAIN_REQUEST, true);
Expand All @@ -64,6 +66,7 @@ public function testUntrustedHeadersAreRemoved()
$request->headers->set('X-Forwarded-Host', 'Evil');
$request->headers->set('X-Forwarded-Port', '1234');
$request->headers->set('X-Forwarded-Proto', 'http');
$request->headers->set('X-Forwarded-Prefix', '/admin');
$request->headers->set('Forwarded', 'Evil2');

$kernel = new TestSubRequestHandlerKernel(function ($request, $type, $catch) {
Expand All @@ -72,6 +75,7 @@ public function testUntrustedHeadersAreRemoved()
$this->assertFalse($request->headers->has('X-Forwarded-Host'));
$this->assertFalse($request->headers->has('X-Forwarded-Port'));
$this->assertFalse($request->headers->has('X-Forwarded-Proto'));
$this->assertFalse($request->headers->has('X-Forwarded-Prefix'));
$this->assertSame('for="10.0.0.1";host="localhost";proto=http', $request->headers->get('Forwarded'));
});

Expand Down Expand Up @@ -112,12 +116,14 @@ public function testTrustedXForwardedForHeader()
$request->headers->set('X-Forwarded-For', '10.0.0.2');
$request->headers->set('X-Forwarded-Host', 'foo.bar');
$request->headers->set('X-Forwarded-Proto', 'https');
$request->headers->set('X-Forwarded-Prefix', '/admin');

$kernel = new TestSubRequestHandlerKernel(function ($request, $type, $catch) {
$this->assertSame('127.0.0.1', $request->server->get('REMOTE_ADDR'));
$this->assertSame('10.0.0.2', $request->getClientIp());
$this->assertSame('foo.bar', $request->getHttpHost());
$this->assertSame('https', $request->getScheme());
$this->assertSame('/admin', $request->getBaseUrl());
});

SubRequestHandler::handle($kernel, $request, HttpKernelInterface::MAIN_REQUEST, true);
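Review bot: In `testUntrustedHeadersAreRemoved` (second hunk, L40 and L48) the new assertion only checks that the raw `X-Forwarded-Prefix` header is absent, while the trusted-path test on L63 checks the derived value `getBaseUrl()`; the untrusted side should pin the derived value as well, since an attacker-supplied prefix leaking into `getBaseUrl()` is the outcome the removal is meant to prevent. Add `$this->assertSame('', $request->getBaseUrl());` next to L48 — the exact expected value depends on how the `Request` in that test is constructed, which is outside the hunk, so adjust it if the fixture carries a base URL of its own. Likewise, L63 only passes if the `Request::setTrustedProxies()` call for that test includes the `HEADER_X_FORWARDED_PREFIX` bit, and that setup is not visible in the hunk. Each of the three test methods starts and ends outside its hunk.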

1 comment on commit 95dcf51

@bencleric