From 2d11e41ef80fff4c3af208e7cf50c81cd4197eb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Tvrd=C3=ADk?=
Date: Thu, 9 Mar 2023 19:29:05 +0100
Subject: [PATCH] RequestFactory: fix X-Forwarded-Host mixup with remote host
---
 src/Http/RequestFactory.php | 23 +++++++++----------
 .../Http/RequestFactory.proxy.forwarded.phpt | 8 +++----
 .../RequestFactory.proxy.x-forwarded.phpt | 11 ++++-----
 3 files changed, 20 insertions(+), 22 deletions(-)
diff --git a/src/Http/RequestFactory.php b/src/Http/RequestFactory.php
index f6ed6140..8556fe74 100644
--- a/src/Http/RequestFactory.php
+++ b/src/Http/RequestFactory.php
@@ -305,25 +305,24 @@ private function useForwardedProxy(Url $url, &$remoteAddr, &$remoteHost): void
 $remoteAddr = str_contains($address, '[')
 ? substr($address, 1, strpos($address, ']') - 1) // IPv6
 : explode(':', $address)[0]; // IPv4
+ $remoteHost = null;
 }
 if (isset($proxyParams['host']) && count($proxyParams['host']) === 1) {
 $host = $proxyParams['host'][0];
 $startingDelimiterPosition = strpos($host, '[');
 if ($startingDelimiterPosition === false) { //IPv4
- $remoteHostArr = explode(':', $host);
- $remoteHost = $remoteHostArr[0];
- $url->setHost($remoteHost);
- if (isset($remoteHostArr[1])) {
- $url->setPort((int) $remoteHostArr[1]);
+ $pair = explode(':', $host);
+ $url->setHost($pair[0]);
+ if (isset($pair[1])) {
+ $url->setPort((int) $pair[1]);
 }
 } else { //IPv6
 $endingDelimiterPosition = strpos($host, ']');
- $remoteHost = substr($host, strpos($host, '[') + 1, $endingDelimiterPosition - 1);
- $url->setHost($remoteHost);
- $remoteHostArr = explode(':', substr($host, $endingDelimiterPosition));
- if (isset($remoteHostArr[1])) {
- $url->setPort((int) $remoteHostArr[1]);
+ $url->setHost(substr($host, strpos($host, '[') + 1, $endingDelimiterPosition - 1));
+ $pair = explode(':', substr($host, $endingDelimiterPosition));
+ if (isset($pair[1])) {
+ $url->setPort((int) $pair[1]);
 }
 }
 }
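Review bot: In the IPv6 branch of useForwardedProxy, `$endingDelimiterPosition` is used without checking that `strpos($host, ']')` actually found a bracket, so a `host=` value with an opening `[` but no closing `]` reaches `substr($host, $endingDelimiterPosition)` with `false`. If the file runs under `strict_types` (not visible in the hunk) that raises a TypeError; otherwise the host is silently cut at the wrong offsets and still written to the URL. Wrapping the two IPv6 statements in `if ($endingDelimiterPosition !== false) { … }` would keep a malformed Forwarded header from changing `$url`. The port in both branches is also taken with a bare `(int)` cast and no range check, so a non-numeric or out-of-range value is passed straight to `setPort()`. The function body starts before and continues past this hunk.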
@@ -354,6 +353,7 @@ private function useNonstandardProxy(Url $url, &$remoteAddr, &$remoteHost): void
 );
 if ($xForwardedForWithoutProxies) {
 $remoteAddr = trim(end($xForwardedForWithoutProxies));
+ $remoteHost = null;
 $xForwardedForRealIpKey = key($xForwardedForWithoutProxies);
 }
 }
@@ -361,8 +361,7 @@ private function useNonstandardProxy(Url $url, &$remoteAddr, &$remoteHost): void
 if (isset($xForwardedForRealIpKey) && !empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
 $xForwardedHost = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);
 if (isset($xForwardedHost[$xForwardedForRealIpKey])) {
- $remoteHost = trim($xForwardedHost[$xForwardedForRealIpKey]);
- $url->setHost($remoteHost);
+ $url->setHost(trim($xForwardedHost[$xForwardedForRealIpKey]));
 }
 }
 }
diff --git a/tests/Http/RequestFactory.proxy.forwarded.phpt b/tests/Http/RequestFactory.proxy.forwarded.phpt
index d4cb4ede..b8ed7851 100644
--- a/tests/Http/RequestFactory.proxy.forwarded.phpt
+++ b/tests/Http/RequestFactory.proxy.forwarded.phpt
@@ -25,7 +25,7 @@ test('', function () {
 $factory->setProxy('127.0.0.1/8');
 Assert::same('23.75.45.200', $factory->fromGlobals()->getRemoteAddress());
- Assert::same('192.168.0.1', @$factory->fromGlobals()->getRemoteHost()); // deprecated
+ Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
 $url = $factory->fromGlobals()->getUrl();
 Assert::same('http', $url->getScheme());
@@ -43,7 +43,7 @@ test('', function () {
 $factory->setProxy('127.0.0.3');
 Assert::same('23.75.45.200', $factory->fromGlobals()->getRemoteAddress());
- Assert::same('192.168.0.1', @$factory->fromGlobals()->getRemoteHost()); // deprecated
+ Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
 $url = $factory->fromGlobals()->getUrl();
 Assert::same(8080, $url->getPort());
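Review bot: The added `$remoteHost = null;` in useNonstandardProxy (hunk at -354) carries no comment explaining why the value is discarded, and the same line added in useForwardedProxy is equally bare. A one-line why-comment would make the intent explicit, for example `// the previous host name described the proxy connection, not the forwarded client address` (wording to be confirmed against the caller, which is outside the diff). Since the updated tests show getRemoteHost() returning null whenever a forwarded address is accepted, the docblock of that deprecated getter should mention it so callers that log or compare the value handle null.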
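Review bot: In useNonstandardProxy (hunk at -361), the entry picked from X-Forwarded-Host is passed to `$url->setHost()` after only a `trim()`, with no check that it is a well-formed host name or one the application expects. The index comes from the filtered X-Forwarded-For list, which assumes both headers grow in lockstep at every hop; where a proxy forwards X-Forwarded-Host unchanged, the selected entry may be whatever the client sent. Because the URL host usually feeds generated absolute links and redirects, consider validating the value before use, for instance against a configured list of allowed hosts, and leaving `$url` untouched when it does not match. The enclosing function extends beyond the hunk on both sides.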
@@ -62,7 +62,7 @@ test('', function () {
 $factory->setProxy('127.0.0.3');
 Assert::same('2001:db8:cafe::17', $factory->fromGlobals()->getRemoteAddress());
- Assert::same('2001:db8:cafe::18', @$factory->fromGlobals()->getRemoteHost()); // deprecated
+ Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
 $url = $factory->fromGlobals()->getUrl();
 Assert::same('2001:db8:cafe::18', $url->getHost());
@@ -79,7 +79,7 @@ test('', function () {
 $factory->setProxy('127.0.0.3');
 Assert::same('2001:db8:cafe::17', $factory->fromGlobals()->getRemoteAddress());
- Assert::same('2001:db8:cafe::18', @$factory->fromGlobals()->getRemoteHost()); // deprecated
+ Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
 $url = $factory->fromGlobals()->getUrl();
 Assert::same(47832, $url->getPort());
diff --git a/tests/Http/RequestFactory.proxy.x-forwarded.phpt b/tests/Http/RequestFactory.proxy.x-forwarded.phpt
index c13e2032..ec7a0ad4 100644
--- a/tests/Http/RequestFactory.proxy.x-forwarded.phpt
+++ b/tests/Http/RequestFactory.proxy.x-forwarded.phpt
@@ -27,7 +27,7 @@ test('', function () {
 $factory->setProxy('127.0.0.1/8');
 Assert::same('23.75.45.200', $factory->fromGlobals()->getRemoteAddress());
- Assert::same('otherhost', @$factory->fromGlobals()->getRemoteHost()); // deprecated
+ Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
 $url = $factory->fromGlobals()->getUrl();
 Assert::same('otherhost', $url->getHost());
@@ -44,12 +44,11 @@ test('', function () {
 $factory = new RequestFactory;
 $factory->setProxy('10.0.0.0/24');
 Assert::same('172.16.0.1', $factory->fromGlobals()->getRemoteAddress());
- Assert::same('real', @$factory->fromGlobals()->getRemoteHost()); // deprecated
+ Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
+ Assert::same('real', $factory->fromGlobals()->getUrl()->getHost());
 $factory->setProxy(['10.0.0.1', '10.0.0.2']);
 Assert::same('172.16.0.1', $factory->fromGlobals()->getRemoteAddress());
- Assert::same('real', @$factory->fromGlobals()->getRemoteHost()); // deprecated
-
- $url = $factory->fromGlobals()->getUrl();
- Assert::same('real', $url->getHost());
+ Assert::null(@$factory->fromGlobals()->getRemoteHost()); // deprecated
+ Assert::same('real', $factory->fromGlobals()->getUrl()->getHost());
 });