From 63f8e02d1d69a88859492d88f0419893f06c254f Mon Sep 17 00:00:00 2001 From: mbn18 Date: Mon, 3 Jun 2013 21:58:10 +0300 Subject: [PATCH 1/7] Update Request.php --- src/PhpEnvironment/Request.php | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/src/PhpEnvironment/Request.php b/src/PhpEnvironment/Request.php index bc722d5b2..5f04a58ef 100644 --- a/src/PhpEnvironment/Request.php +++ b/src/PhpEnvironment/Request.php @@ -257,8 +257,18 @@ public function setServer(ParametersInterface $server) // URI host & port $host = null; $port = null; - // Set the host. HTTP_HOST will take precedence over SERVER_NAME as it will reflect the requested URL (not necessarily the server name) - if (isset($this->serverParams['HTTP_HOST']) || isset($this->serverParams['SERVER_NAME'])) { + + // Set the host + if ($this->getHeaders()->get('host')) { + $host = $this->getHeaders()->get('host')->getFieldValue(); + // works for regname, IPv4 & IPv6 + if (preg_match('|\:(\d+)$|', $host, $matches)) { + $host = substr($host, 0, -1 * (strlen($matches[1]) + 1)); + $port = (int) $matches[1]; + } + } + // Do we need HTTP_POST???? + elseif (isset($this->serverParams['HTTP_HOST']) || isset($this->serverParams['SERVER_NAME'])) { $host = (isset($this->serverParams['HTTP_HOST'])) ? $this->serverParams['HTTP_HOST'] : $this->serverParams['SERVER_NAME']; if (isset($this->serverParams['SERVER_PORT'])) { $port = (int) $this->serverParams['SERVER_PORT']; @@ -273,13 +283,6 @@ public function setServer(ParametersInterface $server) $port = null; } } - } elseif ($this->getHeaders()->get('host')) { - $host = $this->getHeaders()->get('host')->getFieldValue(); - // works for regname, IPv4 & IPv6 - if (preg_match('|\:(\d+)$|', $host, $matches)) { - $host = substr($host, 0, -1 * (strlen($matches[1]) + 1)); - $port = (int) $matches[1]; - } } $uri->setHost($host); $uri->setPort($port); From bb9285d368130ee6dcd58fff18d180674ffd90b9 Mon Sep 17 00:00:00 2001 
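Review bot: The port parsed from the Host header in the first hunk of PATCH 1/7 (`preg_match('|\:(\d+)$|', $host, $matches)` followed by `$port = (int) $matches[1];`) is never range-checked, so a client-supplied 0 or a digit run above 65535 is passed to `$uri->setPort($port)` as-is. Whether `setPort()` rejects such values is not visible in this diff, so I would bound the value where it is parsed, e.g. `if ($port < 1 || $port > 65535) { $port = null; }`. This matters more after this change, because the request's Host header now takes precedence over `SERVER_NAME`/`SERVER_PORT`. The same parsing lines are carried unchanged into PATCH 6/7. `setServer()` begins and ends outside the hunk.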
From: mbn18 Date: Mon, 3 Jun 2013 22:12:00 +0300 Subject: [PATCH 2/7] Update Request.php --- src/PhpEnvironment/Request.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/PhpEnvironment/Request.php b/src/PhpEnvironment/Request.php index 5f04a58ef..f76c69959 100644 --- a/src/PhpEnvironment/Request.php +++ b/src/PhpEnvironment/Request.php @@ -267,9 +267,8 @@ public function setServer(ParametersInterface $server) $port = (int) $matches[1]; } } - // Do we need HTTP_POST???? - elseif (isset($this->serverParams['HTTP_HOST']) || isset($this->serverParams['SERVER_NAME'])) { - $host = (isset($this->serverParams['HTTP_HOST'])) ? $this->serverParams['HTTP_HOST'] : $this->serverParams['SERVER_NAME']; + elseif (isset($this->serverParams['SERVER_NAME'])) { + $host = $this->serverParams['SERVER_NAME']; if (isset($this->serverParams['SERVER_PORT'])) { $port = (int) $this->serverParams['SERVER_PORT']; } From 1b96ea200a582af5cf2a5425043e9c329d3da8fe Mon Sep 17 00:00:00 2001 From: mbn18 Date: Mon, 3 Jun 2013 22:14:14 +0300 Subject: [PATCH 3/7] Update Request.php --- src/PhpEnvironment/Request.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/PhpEnvironment/Request.php b/src/PhpEnvironment/Request.php index f76c69959..47ee3a875 100644 --- a/src/PhpEnvironment/Request.php +++ b/src/PhpEnvironment/Request.php @@ -266,8 +266,7 @@ public function setServer(ParametersInterface $server) $host = substr($host, 0, -1 * (strlen($matches[1]) + 1)); $port = (int) $matches[1]; } - } - elseif (isset($this->serverParams['SERVER_NAME'])) { + } elseif (isset($this->serverParams['SERVER_NAME'])) { $host = $this->serverParams['SERVER_NAME']; if (isset($this->serverParams['SERVER_PORT'])) { $port = (int) $this->serverParams['SERVER_PORT']; From ecebbe3a235027cfec05a0ceaef2ab266e3aa122 Mon Sep 17 00:00:00 2001 
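Review bot: The fallback branch in PATCH 2/7, `elseif (isset($this->serverParams['SERVER_NAME']))`, treats `SERVER_NAME` as the trustworthy value, but nothing in the code or comments says under which server configuration that holds. Depending on the web server, `SERVER_NAME` can itself be derived from the request's Host header (for example Apache with `UseCanonicalName Off`), in which case this branch is no more authoritative than the one above it. I would document that at the branch, e.g. `// SERVER_NAME is only canonical when the web server is configured with a fixed server name; otherwise it may mirror the client's Host header`. `setServer()` begins and ends outside the hunk.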
From: mbn18 Date: Mon, 3 Jun 2013 22:28:52 +0300 Subject: [PATCH 4/7] Update RequestTest.php --- test/PhpEnvironment/RequestTest.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/test/PhpEnvironment/RequestTest.php b/test/PhpEnvironment/RequestTest.php index 0fe70e6c0..f054aba97 100644 --- a/test/PhpEnvironment/RequestTest.php +++ b/test/PhpEnvironment/RequestTest.php @@ -324,6 +324,16 @@ public static function serverHostnameProvider() '80', '/news', ), + array( + array( + 'SERVER_NAME' => 'test.example.com', + 'HTTP_HOST' => 'requested.example.com', + 'REQUEST_URI' => 'http://test.example.com/news', + ), + 'requested.example.com', + '80', + '/news', + ), array( array( 'SERVER_NAME' => '[1:2:3:4:5:6::6]', From e718c542594993a5def3abd3cea9aa4e6d96b90d Mon Sep 17 00:00:00 2001 From: mbn18 Date: Mon, 10 Jun 2013 23:52:03 +0300 Subject: [PATCH 5/7] Update RequestTest.php Added test for spoofed HTTP_HOST --- test/PhpEnvironment/RequestTest.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/test/PhpEnvironment/RequestTest.php b/test/PhpEnvironment/RequestTest.php index f054aba97..ddb6a56ca 100644 --- a/test/PhpEnvironment/RequestTest.php +++ b/test/PhpEnvironment/RequestTest.php @@ -334,6 +334,16 @@ public static function serverHostnameProvider() '80', '/news', ), + array( + array( + 'SERVER_NAME' => 'test.example.com', + 'HTTP_HOST' => '', + 'REQUEST_URI' => 'http://test.example.com/news', + ), + 'test.example.com', + '80', + '/news', + ), array( array( 'SERVER_NAME' => '[1:2:3:4:5:6::6]', From 01aabffc581671973cdaa2adbd6396a457bbac5d Mon Sep 17 00:00:00 2001 From: mbn18 Date: Mon, 10 Jun 2013 23:55:18 +0300 Subject: [PATCH 6/7] Update Request.php --- src/PhpEnvironment/Request.php | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/src/PhpEnvironment/Request.php b/src/PhpEnvironment/Request.php index 47ee3a875..97774f17b 100644 --- a/src/PhpEnvironment/Request.php +++ b/src/PhpEnvironment/Request.php 
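Review bot: The provider entry added in PATCH 5/7 is described as a spoofed-`HTTP_HOST` test, but `'HTTP_HOST' => ''` only covers an empty header; nothing in the added entries feeds a non-empty, malformed Host value. The reject-and-fall-back path that PATCH 6/7 introduces (`if (!$hostnameValidator->isValid($host))`) is therefore not pinned by a test in this series. I would add an entry whose `HTTP_HOST` contains characters that are illegal in a hostname (constructed example: `'HTTP_HOST' => 'not a/host'`) with `'test.example.com'` as the expected host. A second entry with a `host:port` value would cover the port-splitting branch. `serverHostnameProvider()` continues outside the hunk.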
@@ -261,12 +261,29 @@ public function setServer(ParametersInterface $server) // Set the host if ($this->getHeaders()->get('host')) { $host = $this->getHeaders()->get('host')->getFieldValue(); + // works for regname, IPv4 & IPv6 if (preg_match('|\:(\d+)$|', $host, $matches)) { $host = substr($host, 0, -1 * (strlen($matches[1]) + 1)); $port = (int) $matches[1]; } - } elseif (isset($this->serverParams['SERVER_NAME'])) { + + // set up a validator that check if the hostname is legal (not spoofed) + $hostnameValidator = new \Zend\Validator\Hostname( + array( + 'allow'=>\Zend\Validator\Hostname::ALLOW_ALL, + 'useIdnCheck'=>false, + 'useTldCheck'=>false + ) + ); + // If invalid. Reset the host & port + if (!$hostnameValidator->isValid($host)) { + $host = null; + $port = null; + } + } + + if (!$host && isset($this->serverParams['SERVER_NAME'])) { $host = $this->serverParams['SERVER_NAME']; if (isset($this->serverParams['SERVER_PORT'])) { $port = (int) $this->serverParams['SERVER_PORT']; From c1e2788a7a78dd6dfff324a42eda037fc9da3e51 Mon Sep 17 00:00:00 2001 From: Matthew Weier O'Phinney Date: Mon, 10 Jun 2013 17:11:07 -0500 Subject: [PATCH 7/7] [zendframework/zf2#4581] CS fixes, composer updates - Import hostname validator - CS around arguments for hostname validator constructor - Added zend-validator to required components, as it's used for hostname validation --- src/PhpEnvironment/Request.php | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/src/PhpEnvironment/Request.php b/src/PhpEnvironment/Request.php index 97774f17b..9b57fcad7 100644 --- a/src/PhpEnvironment/Request.php +++ b/src/PhpEnvironment/Request.php @@ -14,6 +14,7 @@ use Zend\Stdlib\Parameters; use Zend\Stdlib\ParametersInterface; use Zend\Uri\Http as HttpUri; +use Zend\Validator\Hostname as HostnameValidator; /** * HTTP Request for current PHP environment 
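Review bot: The validator added in PATCH 6/7 is a syntax check, not a spoofing check, so the comment `// set up a validator that check if the hostname is legal (not spoofed)` overstates what the code guarantees. With `'allow' => \Zend\Validator\Hostname::ALLOW_ALL` and both `useIdnCheck` and `useTldCheck` off, any well-formed name or IP address the client sends should pass `isValid($host)` and still become the URI host. Code that builds absolute URLs, redirects or cache keys from this URI remains exposed to Host-header poisoning unless the application compares the host against a list of names it actually serves. I would reword the comment to something like `// Syntax check only: a well-formed Host is still client-supplied and must not be treated as trusted`. I would also make the fallback explicit with `if ($host === null && isset($this->serverParams['SERVER_NAME'])) {`, since `!$host` also treats the string `'0'` as missing. `setServer()` begins and ends outside the hunk.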
@@ -269,13 +270,11 @@ public function setServer(ParametersInterface $server) } // set up a validator that check if the hostname is legal (not spoofed) - $hostnameValidator = new \Zend\Validator\Hostname( - array( - 'allow'=>\Zend\Validator\Hostname::ALLOW_ALL, - 'useIdnCheck'=>false, - 'useTldCheck'=>false - ) - ); + $hostnameValidator = new HostnameValidator(array( + 'allow' => HostnameValidator::ALLOW_ALL, + 'useIdnCheck' => false, + 'useTldCheck' => false, + )); // If invalid. Reset the host & port if (!$hostnameValidator->isValid($host)) { $host = null;