Augmentation vers version 3.3.0
This commit is contained in:
Gauvain Boiché
@@ -30,26 +30,41 @@ class SubRequestHandler
|
||||
{
|
||||
// save global state related to trusted headers and proxies
|
||||
$trustedProxies = Request::getTrustedProxies();
|
||||
$trustedHeaders = array(
|
||||
Request::HEADER_FORWARDED => Request::getTrustedHeaderName(Request::HEADER_FORWARDED),
|
||||
Request::HEADER_CLIENT_IP => Request::getTrustedHeaderName(Request::HEADER_CLIENT_IP),
|
||||
Request::HEADER_CLIENT_HOST => Request::getTrustedHeaderName(Request::HEADER_CLIENT_HOST),
|
||||
Request::HEADER_CLIENT_PROTO => Request::getTrustedHeaderName(Request::HEADER_CLIENT_PROTO),
|
||||
Request::HEADER_CLIENT_PORT => Request::getTrustedHeaderName(Request::HEADER_CLIENT_PORT),
|
||||
);
|
||||
$trustedHeaderSet = Request::getTrustedHeaderSet();
|
||||
if (method_exists(Request::class, 'getTrustedHeaderName')) {
|
||||
Request::setTrustedProxies($trustedProxies, -1);
|
||||
$trustedHeaders = [
|
||||
Request::HEADER_FORWARDED => Request::getTrustedHeaderName(Request::HEADER_FORWARDED, false),
|
||||
Request::HEADER_X_FORWARDED_FOR => Request::getTrustedHeaderName(Request::HEADER_X_FORWARDED_FOR, false),
|
||||
Request::HEADER_X_FORWARDED_HOST => Request::getTrustedHeaderName(Request::HEADER_X_FORWARDED_HOST, false),
|
||||
Request::HEADER_X_FORWARDED_PROTO => Request::getTrustedHeaderName(Request::HEADER_X_FORWARDED_PROTO, false),
|
||||
Request::HEADER_X_FORWARDED_PORT => Request::getTrustedHeaderName(Request::HEADER_X_FORWARDED_PORT, false),
|
||||
];
|
||||
Request::setTrustedProxies($trustedProxies, $trustedHeaderSet);
|
||||
} else {
|
||||
$trustedHeaders = [
|
||||
Request::HEADER_FORWARDED => 'FORWARDED',
|
||||
Request::HEADER_X_FORWARDED_FOR => 'X_FORWARDED_FOR',
|
||||
Request::HEADER_X_FORWARDED_HOST => 'X_FORWARDED_HOST',
|
||||
Request::HEADER_X_FORWARDED_PROTO => 'X_FORWARDED_PROTO',
|
||||
Request::HEADER_X_FORWARDED_PORT => 'X_FORWARDED_PORT',
|
||||
];
|
||||
}
|
||||
|
||||
// remove untrusted values
|
||||
$remoteAddr = $request->server->get('REMOTE_ADDR');
|
||||
if (!IpUtils::checkIp($remoteAddr, $trustedProxies)) {
|
||||
foreach (array_filter($trustedHeaders) as $name) {
|
||||
$request->headers->remove($name);
|
||||
$request->server->remove('HTTP_'.strtoupper(str_replace('-', '_', $name)));
|
||||
foreach ($trustedHeaders as $key => $name) {
|
||||
if ($trustedHeaderSet & $key) {
|
||||
$request->headers->remove($name);
|
||||
$request->server->remove('HTTP_'.strtoupper(str_replace('-', '_', $name)));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// compute trusted values, taking any trusted proxies into account
|
||||
$trustedIps = array();
|
||||
$trustedValues = array();
|
||||
$trustedIps = [];
|
||||
$trustedValues = [];
|
||||
foreach (array_reverse($request->getClientIps()) as $ip) {
|
||||
$trustedIps[] = $ip;
|
||||
$trustedValues[] = sprintf('for="%s"', $ip);
|
||||
@@ -60,19 +75,18 @@ class SubRequestHandler
|
||||
}
|
||||
|
||||
// set trusted values, reusing as much as possible the global trusted settings
|
||||
if ($name = $trustedHeaders[Request::HEADER_FORWARDED]) {
|
||||
if (Request::HEADER_FORWARDED & $trustedHeaderSet) {
|
||||
$trustedValues[0] .= sprintf(';host="%s";proto=%s', $request->getHttpHost(), $request->getScheme());
|
||||
$request->headers->set($name, $v = implode(', ', $trustedValues));
|
||||
$request->headers->set($name = $trustedHeaders[Request::HEADER_FORWARDED], $v = implode(', ', $trustedValues));
|
||||
$request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);
|
||||
}
|
||||
if ($name = $trustedHeaders[Request::HEADER_CLIENT_IP]) {
|
||||
$request->headers->set($name, $v = implode(', ', $trustedIps));
|
||||
if (Request::HEADER_X_FORWARDED_FOR & $trustedHeaderSet) {
|
||||
$request->headers->set($name = $trustedHeaders[Request::HEADER_X_FORWARDED_FOR], $v = implode(', ', $trustedIps));
|
||||
$request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);
|
||||
} elseif (!(Request::HEADER_FORWARDED & $trustedHeaderSet)) {
|
||||
Request::setTrustedProxies($trustedProxies, $trustedHeaderSet | Request::HEADER_X_FORWARDED_FOR);
|
||||
$request->headers->set($name = $trustedHeaders[Request::HEADER_X_FORWARDED_FOR], $v = implode(', ', $trustedIps));
|
||||
$request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);
|
||||
}
|
||||
if (!$name && !$trustedHeaders[Request::HEADER_FORWARDED]) {
|
||||
$request->headers->set('X-Forwarded-For', $v = implode(', ', $trustedIps));
|
||||
$request->server->set('HTTP_X_FORWARDED_FOR', $v);
|
||||
Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X_FORWARDED_FOR');
|
||||
}
|
||||
|
||||
// fix the client IP address by setting it to 127.0.0.1,
|
||||
@@ -81,24 +95,14 @@ class SubRequestHandler
|
||||
|
||||
// ensure 127.0.0.1 is set as trusted proxy
|
||||
if (!IpUtils::checkIp('127.0.0.1', $trustedProxies)) {
|
||||
Request::setTrustedProxies(array_merge($trustedProxies, array('127.0.0.1')));
|
||||
Request::setTrustedProxies(array_merge($trustedProxies, ['127.0.0.1']), Request::getTrustedHeaderSet());
|
||||
}
|
||||
|
||||
try {
|
||||
$e = null;
|
||||
$response = $kernel->handle($request, $type, $catch);
|
||||
} catch (\Throwable $e) {
|
||||
} catch (\Exception $e) {
|
||||
return $kernel->handle($request, $type, $catch);
|
||||
} finally {
|
||||
// restore global state
|
||||
Request::setTrustedProxies($trustedProxies, $trustedHeaderSet);
|
||||
}
|
||||
|
||||
// restore global state
|
||||
Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, $trustedHeaders[Request::HEADER_CLIENT_IP]);
|
||||
Request::setTrustedProxies($trustedProxies);
|
||||
|
||||
if (null !== $e) {
|
||||
throw $e;
|
||||
}
|
||||
|
||||
return $response;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user