Request: Move Basic Auth credential from Url to Request due to preven…

…t leak it (#211)
nette · Mar 1, 2022 · e99694a · e99694a
1 parent 04224e7
commit e99694a
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 12 deletions.
diff --git a/src/Http/Request.php b/src/Http/Request.php
@@ -52,6 +52,10 @@ class Request implements IRequest
 	/** @var ?callable */
 	private $rawBodyCallback;
 
+	private ?string $user;
+
+	private ?string $password;
+
 
 	public function __construct(
 		UrlScript $url,
@@ -63,6 +67,8 @@ public function __construct(
 		?string $remoteAddress = null,
 		?string $remoteHost = null,
 		?callable $rawBodyCallback = null,
+		?string $user = null,
+		?string $password = null,
 	) {
 		$this->url = $url;
 		$this->post = (array) $post;
@@ -73,6 +79,8 @@ public function __construct(
 		$this->remoteAddress = $remoteAddress;
 		$this->remoteHost = $remoteHost;
 		$this->rawBodyCallback = $rawBodyCallback;
+		$this->user = $user;
+		$this->password = $password;
 	}
 
 
@@ -274,6 +282,18 @@ public function getRawBody(): ?string
 	}
 
 
+	public function getUser(): ?string
+	{
+		return $this->user;
+	}
+
+
+	public function getPassword(): ?string
+	{
+		return $this->password;
+	}
+
+
 	/**
 	 * Returns the most preferred language by browser. Uses the `Accept-Language` header. If no match is reached, it returns `null`.
 	 * @param  string[]  $langs  supported languages

diff --git a/src/Http/RequestFactory.php b/src/Http/RequestFactory.php
@@ -59,9 +59,9 @@ public function fromGlobals(): Request
 		$url = new Url;
 		$this->getServer($url);
 		$this->getPathAndQuery($url);
-		$this->getUserAndPassword($url);
 		[$post, $cookies] = $this->getGetPostCookie($url);
 		[$remoteAddr, $remoteHost] = $this->getClient($url);
+		[$user, $password] = $this->getUserAndPassword();
 
 		return new Request(
 			new UrlScript($url, $this->getScriptPath($url)),
@@ -73,6 +73,8 @@ public function fromGlobals(): Request
 			$remoteAddr,
 			$remoteHost,
 			fn(): string => file_get_contents('php://input'),
+			$user,
+			$password,
 		);
 	}
 
@@ -109,13 +111,6 @@ private function getPathAndQuery(Url $url): void
 	}
 
 
-	private function getUserAndPassword(Url $url): void
-	{
-		$url->setUser($_SERVER['PHP_AUTH_USER'] ?? '');
-		$url->setPassword($_SERVER['PHP_AUTH_PW'] ?? '');
-	}
-
-
 	private function getScriptPath(Url $url): string
 	{
 		if (PHP_SAPI === 'cli-server') {
@@ -290,6 +285,15 @@ private function getClient(Url $url): array
 	}
 
 
+	private function getUserAndPassword(): array
+	{
+		$user = $_SERVER['PHP_AUTH_USER'] ?? null;
+		$password = $_SERVER['PHP_AUTH_PW'] ?? null;
+
+		return [$user, $password];
+	}
+
+
 	private function useForwardedProxy(Url $url, &$remoteAddr, &$remoteHost): void
 	{
 		$forwardParams = preg_split('/[,;]/', $_SERVER['HTTP_FORWARDED']);

diff --git a/tests/Http/RequestFactory.userAndPassword.phpt b/tests/Http/RequestFactory.userAndPassword.phpt
@@ -18,11 +18,11 @@ $_SERVER = [
 	'PHP_AUTH_PW' => 'password',
 ];
 $factory = new RequestFactory;
-Assert::same('user', $factory->fromGlobals()->getUrl()->getUser());
-Assert::same('password', $factory->fromGlobals()->getUrl()->getPassword());
+Assert::same('user', $factory->fromGlobals()->getUser());
+Assert::same('password', $factory->fromGlobals()->getPassword());
 
 
 $_SERVER = [];
 $factory = new RequestFactory;
-Assert::same('', $factory->fromGlobals()->getUrl()->getUser());
-Assert::same('', $factory->fromGlobals()->getUrl()->getPassword());
+Assert::same(null, $factory->fromGlobals()->getUser());
+Assert::same(null, $factory->fromGlobals()->getPassword());