Skip to content

Implemented RFC 7239 - "Forwarded HTTP Extension" #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dg merged 8 commits into from
Jun 17, 2016
Merged

Implemented RFC 7239 - "Forwarded HTTP Extension" #94

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
ec85d5d
Implemented RFC 7239 - " Forwarded HTTP Extension" handling in Reques…
patrickkusebauch May 21, 2016
61e9275
Implemented RFC 7239 - " Forwarded HTTP Extension" handling in Reques…
patrickkusebauch May 21, 2016
a6e205c
Deleted echo statement
patrickkusebauch May 21, 2016
44660bd
case- insensitive handling of tokens
patrickkusebauch May 22, 2016
11461e6
Proper handle of quoted strings.
patrickkusebauch May 22, 2016
17d3397
Tests refactoring:
patrickkusebauch May 22, 2016
a2c7a79
Code simplifications
patrickkusebauch May 22, 2016
2383979
Fixed coding standards for tests
patrickkusebauch May 22, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 53 additions & 19 deletions src/Http/RequestFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -194,30 +194,64 @@ public function createHttpRequest()
$usingTrustedProxy = $remoteAddr && array_filter($this->proxies, function ($proxy) use ($remoteAddr) {
return Helpers::ipMatch($remoteAddr, $proxy);
});

if ($usingTrustedProxy) {
if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
$url->setScheme(strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0 ? 'https' : 'http');
}
if(!empty($_SERVER['HTTP_FORWARDED'])) {
$forwardParams = preg_split('/[,]|[;]/', $_SERVER['HTTP_FORWARDED']);
Copy link
Copy Markdown
Contributor

@Majkl578 Majkl578 May 22, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semicolin is used as a forward-pair delimiter whereas comma is used as a field separator. I'm afraid current implementation won't be able to distinguish it...

Copy link
Copy Markdown
Contributor Author

@patrickkusebauch patrickkusebauch May 22, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not. However it should not be a problem, as I believe there is no need for the distinction.
These two headers would produce the same result array:
for=192.0.2.43, for=198.51.100.17
for=192.0.2.43; for=198.51.100.17

I just need to split the "key-value" pairs and put them in the proper sub-array.

Copy link
Copy Markdown
Contributor

@JanTvrdik JanTvrdik May 22, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be simplified to preg_split('#[,;]#')

Copy link
Copy Markdown
Contributor Author

@patrickkusebauch patrickkusebauch May 22, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Integrated in commit a2c7a79

foreach ($forwardParams as $forwardParam) {
$param = explode("=", $forwardParam);
$proxyParams[strtolower(trim($param[0]))][] = trim($param[1], "\"\t\n\r\0\x0B"); //e.g. array['for'][0] = 192.168.0.1
}
Copy link
Copy Markdown
Contributor

@JanTvrdik JanTvrdik May 22, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be simplified to

foreach ($forwardParams as $forwardParam) {
    list($key, $value) = explode('=', $forwardParam, 2) + [1 => NULL];
    $proxyParams[strtolower(trim($key))] = trim($value, " \t\"");
}

Copy link
Copy Markdown
Contributor Author

@patrickkusebauch patrickkusebauch May 22, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Integrated in commit a2c7a79


if (!empty($_SERVER['HTTP_X_FORWARDED_PORT'])) {
$url->setPort((int) $_SERVER['HTTP_X_FORWARDED_PORT']);
}
if(isset($proxyParams['for'])) {
$address = $proxyParams['for'][0];
if(strpos($address, '[') === FALSE) { //IPv4
$remoteAddr = explode(':', $address)[0];
} else { //IPv6
$remoteAddr = substr($address, 1, strpos($address, ']')-1);
}
}

if(isset($proxyParams['host']) && count($proxyParams['host']) === 1) {
$host = $proxyParams['host'][0];
$startingDelimiterPosition = strpos($host, '[');
if($startingDelimiterPosition === FALSE) { //IPv4
$remoteHostArr = explode(':', $host);
$remoteHost = $remoteHostArr[0];
if(isset($remoteHostArr[1])) $url->setPort((int) $remoteHostArr[1]);
} else { //IPv6
$endingDelimiterPosition = strpos($host, ']');
$remoteHost = substr($host, strpos($host, '[')+1, $endingDelimiterPosition-1);
$remoteHostArr = explode(':', substr($host, $endingDelimiterPosition));
if(isset($remoteHostArr[1])) $url->setPort((int) $remoteHostArr[1]);
}
}

$scheme = (isset($proxyParams['scheme']) && count($proxyParams['scheme']) === 1) ? $proxyParams['scheme'][0] : 'http';
$url->setScheme(strcasecmp($scheme, 'https') === 0 ? 'https' : 'http');
} else {
if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
$url->setScheme(strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0 ? 'https' : 'http');
}

if (!empty($_SERVER['HTTP_X_FORWARDED_PORT'])) {
$url->setPort((int) $_SERVER['HTTP_X_FORWARDED_PORT']);
}

if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$xForwardedForWithoutProxies = array_filter(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']), function ($ip) {
return !array_filter($this->proxies, function ($proxy) use ($ip) {
return Helpers::ipMatch(trim($ip), $proxy);
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$xForwardedForWithoutProxies = array_filter(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']), function ($ip) {
return !array_filter($this->proxies, function ($proxy) use ($ip) {
return Helpers::ipMatch(trim($ip), $proxy);
});
});
});
$remoteAddr = trim(end($xForwardedForWithoutProxies));
$xForwardedForRealIpKey = key($xForwardedForWithoutProxies);
}
$remoteAddr = trim(end($xForwardedForWithoutProxies));
$xForwardedForRealIpKey = key($xForwardedForWithoutProxies);
}

if (isset($xForwardedForRealIpKey) && !empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$xForwardedHost = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);
if (isset($xForwardedHost[$xForwardedForRealIpKey])) {
$remoteHost = trim($xForwardedHost[$xForwardedForRealIpKey]);
if (isset($xForwardedForRealIpKey) && !empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$xForwardedHost = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);
if (isset($xForwardedHost[$xForwardedForRealIpKey])) {
$remoteHost = trim($xForwardedHost[$xForwardedForRealIpKey]);
}
}
}
}
Expand Down
96 changes: 96 additions & 0 deletions tests/Http/RequestFactory.proxy.forwarded.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
<?php

/**
* Test: Nette\Http\RequestFactory and proxy with "Forwarded" header.
*/

use Nette\Http\RequestFactory;
use Tester\Assert;


require __DIR__ . '/../bootstrap.php';

test(function () {
$_SERVER = [
'REMOTE_ADDR' => '127.0.0.3',
'REMOTE_HOST' => 'localhost',
'HTTP_FORWARDED' => 'for=23.75.45.200;host=192.168.0.1',
];

$factory = new RequestFactory;
$factory->setProxy('127.0.0.1');
Assert::same('127.0.0.3', $factory->createHttpRequest()->getRemoteAddress());
Assert::same('localhost', $factory->createHttpRequest()->getRemoteHost());

$factory->setProxy('127.0.0.1/8');
Assert::same('23.75.45.200', $factory->createHttpRequest()->getRemoteAddress());
Assert::same('192.168.0.1', $factory->createHttpRequest()->getRemoteHost());

$url = $factory->createHttpRequest()->getUrl();
Assert::same('http', $url->getScheme());
});

test(function () {
$_SERVER = [
'REMOTE_ADDR' => '127.0.0.3',
'REMOTE_HOST' => 'localhost',
'HTTP_FORWARDED' => 'for=23.75.45.200:8080;host=192.168.0.1:8080',
];

$factory = new RequestFactory;

$factory->setProxy('127.0.0.3');
Assert::same('23.75.45.200', $factory->createHttpRequest()->getRemoteAddress());
Assert::same('192.168.0.1', $factory->createHttpRequest()->getRemoteHost());

$url = $factory->createHttpRequest()->getUrl();
Assert::same(8080, $url->getPort());
});


test(function () {
$_SERVER = [
'REMOTE_ADDR' => '127.0.0.3',
'REMOTE_HOST' => 'localhost',
'HTTP_FORWARDED' => 'for="[2001:db8:cafe::17]";host="[2001:db8:cafe::18]"',
];

$factory = new RequestFactory;

$factory->setProxy('127.0.0.3');
Assert::same('2001:db8:cafe::17', $factory->createHttpRequest()->getRemoteAddress());
Assert::same('2001:db8:cafe::18', $factory->createHttpRequest()->getRemoteHost());
});

test(function () {
$_SERVER = [
'REMOTE_ADDR' => '127.0.0.3',
'REMOTE_HOST' => 'localhost',
'HTTP_FORWARDED' => 'for="[2001:db8:cafe::17]:47831";host="[2001:db8:cafe::18]:47832"',
];

$factory = new RequestFactory;

$factory->setProxy('127.0.0.3');
Assert::same('2001:db8:cafe::17', $factory->createHttpRequest()->getRemoteAddress());
Assert::same('2001:db8:cafe::18', $factory->createHttpRequest()->getRemoteHost());

$url = $factory->createHttpRequest()->getUrl();
Assert::same(47832, $url->getPort());
});


test(function () {
$_SERVER = [
'REMOTE_ADDR' => '127.0.0.3',
'REMOTE_HOST' => 'localhost',
'HTTP_FORWARDED' => 'for="[2001:db8:cafe::17]:47831" ; host="[2001:db8:cafe::18]:47832" ; scheme=https',
];

$factory = new RequestFactory;
$factory->setProxy('127.0.0.3');

$url = $factory->createHttpRequest()->getUrl();
Assert::same('https', $url->getScheme());
});

4 changes: 2 additions & 2 deletions tests/Http/RequestFactory.proxy.phpt → ...ttp/RequestFactory.proxy.x-forwarded.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<?php

/**
* Test: Nette\Http\RequestFactory and proxy.
* Test: Nette\Http\RequestFactory and proxy with "X-forwarded" headers.
*/

use Nette\Http\RequestFactory;
Expand Down Expand Up @@ -45,4 +45,4 @@ test(function () {
$factory->setProxy(['10.0.0.1', '10.0.0.2']);
Assert::same('172.16.0.1', $factory->createHttpRequest()->getRemoteAddress());
Assert::same('real', $factory->createHttpRequest()->getRemoteHost());
});
});