verify idekey if set on both sides and IP of connecting debug engine

Author: cadorn

README.md

@@ -46,20 +46,21 @@ point it to `./php/`. This will be used to serve PHP scripts for the example cli
 Configure *Xdebug* in *php.ini*:
 
     xdebug.remote_enable=1
+    xdebug.idekey=secret-key
     xdebug.remote_port=9000         // default
     xdebug.remote_host=localhost    // default
     xdebug.remote_autostart=0       // default
 
 Launch debug proxy server:
 
-    node ./example/server --port 9080 --php lib-phpdebug.localhost
+    node ./example/server --port 9080 --php lib-phpdebug.localhost --idekey secret-key
 
 Test
 ----
 
 The following will run a bunch of tests to cover all supported use-cases:
 
-    node ./test/all --port 9080 --php lib-phpdebug.localhost --skip-browser-tests
+    node ./test/all --port 9080 --php lib-phpdebug.localhost --skip-browser-tests --idekey secret-key
 
 TIP: If the example client is open at `http://localhost:9080/` it will show the progress of
 the tests if the `--skip-browser-tests` argument is omitted.

example/server.js

@@ -74,7 +74,8 @@ var proxyServer = null,
 CLI.parse({
     port:  [false, 'Listen on this port', 'number', PROXY_PORT],
     php: [false, 'Hostname for `../php/`', 'string', PHP_VHOST],
-	test: [false, 'Test mode. Must be pinged to stay alive!']
+	test: [false, 'Test mode. Must be pinged to stay alive!'],
+    idekey: [false, 'Secret IDE key (xdebug.idekey)', 'string', null]
 });
 
 CLI.main(function(args, options)
@@ -152,7 +153,15 @@ function startServer(options)
             NET: NET,
             XML2JS: XML2JS
         },
-        xdebugPort: XDEBUG_PORT
+        xdebugPort: XDEBUG_PORT,
+        // Authorized IDE keys (only validated if set on both sides)
+        idekeys: [
+            options.idekey
+        ],
+        // Authorized xdebug engines
+        ips: [
+            "127.0.0.1"
+        ]
     }));
 
     proxyServer.hook({

lib/xdebug.js

@@ -473,6 +473,62 @@ console.log('status', packet);
             else
             if (self.status === "init")
             {
+            	// Authorize connecting debugger engine by IP if applicable
+            	if (self.options.ips && self.options.ips.length > 0)
+            	{
+					var found = self.options.ips.indexOf(self.socket.remoteAddress);
+					if (found === -1)
+					{
+						console.log("Error: IDEKEY mismatch!", self.socket.remoteAddress, self.options.ips);
+						return;
+					}
+            	}
+            	
+				// Fix the init packet. This is needed due to a bug in Xdebug. Fixing it in Xdebug
+				// at this stage may break a lot of clients using the DBGP protocol.
+				// 1) When debugging CLI scripts and environment variables are set to:
+				//        export XDEBUG_CONFIG="idekey=SESSION"
+				//        export XDEBUG_CONFIG="idekey=,session=SESSION"
+				//        export XDEBUG_CONFIG="idekey=IDEKEY,session=SESSION"
+				//    the `packet["@"].idekey` property is set to (respectively):
+				//        `packet["@"].idekey == "SESSION"`
+				//        `packet["@"].idekey == ",session=SESSION"`
+				//        `packet["@"].idekey == "IDEKEY,session=SESSION"`
+				// 2) If debugging a MOD_APACHE script and cookies are set to:
+				//        `XDEBUG_SESSION_START=SESSION`
+				//    the `packet["@"].idekey` property is set to:
+				//        `packet["@"].idekey == "SESSION"`
+				//	  and the `xdebug.idekey` php.ini config option is ignored.
+            	// Because we do not always get an `idekey` we need to restrict debug engines
+            	// from connecting by IP whitelist and/or use a hash for the session ID.
+
+				var idekey = packet["@"].idekey.split(",");
+				packet["@"].idekey = undefined;
+				if (idekey.length === 1) {
+					packet["@"].session = idekey[0];
+				} else {
+					if (idekey.length != 2)
+						throw new Error("`idekey` property in init packet does not have correct format (1)!");
+					if (idekey[0]) {
+						packet["@"].idekey = idekey[0];
+					}
+					var session = idekey[1].split("=");
+					if (session.length != 2 || session[0] !== "session")
+						throw new Error("`idekey` property in init packet does not have correct format (2)!");
+					packet["@"].session = session[1];
+				}
+
+				// If `idekey` is set we authorize it
+				if (packet["@"].idekey && self.options.idekeys && self.options.idekeys.length > 0)
+				{
+					var found = self.options.idekeys.indexOf(packet["@"].idekey);
+					if (found === -1)
+					{
+						console.log("Error: IDEKEY mismatch!", packet["@"].idekey, self.options.idekeys);
+						return;
+					}
+				}
+
                 // 5.2 Connection Initialization
                 // @see http://www.xdebug.org/docs-dbgp.php#id18
                 self.id = "session-" + (++sessionCounter);

test/_helper.js

@@ -125,8 +125,9 @@ exports.getXdebugClientOptions = function()
 exports.debugScript = function(name, sessionName)
 {
 	EXEC([
-	    'export XDEBUG_CONFIG="idekey=' + sessionName + '"',
-	    ";",
+	    // export XDEBUG_CONFIG="idekey=,session=SESSION"
+	    // export XDEBUG_CONFIG="idekey=IDEKEY,session=SESSION"
+	    'export XDEBUG_CONFIG="' + 'idekey=' + ((serverInfo.idekey)?serverInfo.idekey:'') + ',session=' + sessionName + '";',
 	    "php " + PATH.dirname(PATH.dirname(module.id)) + "/php/scripts/" + name + ".php"
     ].join(" "), function (error, stdout, stderr) {
 //		console.log("[debugScript][stdout] " + stdout);
@@ -141,7 +142,8 @@ exports.ready = function(callback)
     CLI.parse({
         port:  [false, 'Listen on this port', 'number', PROXY_PORT],
         php: [false, 'Hostname for `../php/`', 'string', PHP_VHOST],
-        'skip-browser-tests': [false, 'Skip browser tests?', 'boolean', false]
+        'skip-browser-tests': [false, 'Skip browser tests?', 'boolean', false],
+        'idekey': [false, 'Secret IDE key (xdebug.idekey)', 'string', null]
     });
 
     CLI.main(function(args, options)
@@ -212,7 +214,7 @@ function startServer()
 
     ourServer = true;
 
-    var command = "node " +  PATH.normalize(__dirname + "/../example/server --test --port " + serverInfo.port + " --php " + serverInfo.php);
+    var command = "node " +  PATH.normalize(__dirname + "/../example/server --test --idekey " + serverInfo.idekey + " --port " + serverInfo.port + " --php " + serverInfo.php);
 
     console.log("Starting proxy server: " + command);