Chris@17
|
1 <?php
|
Chris@17
|
2
|
Chris@17
|
3 /*
|
Chris@17
|
4 * This file is part of the Symfony package.
|
Chris@17
|
5 *
|
Chris@17
|
6 * (c) Fabien Potencier <fabien@symfony.com>
|
Chris@17
|
7 *
|
Chris@17
|
8 * For the full copyright and license information, please view the LICENSE
|
Chris@17
|
9 * file that was distributed with this source code.
|
Chris@17
|
10 */
|
Chris@17
|
11
|
Chris@17
|
12 namespace Symfony\Component\HttpKernel\HttpCache;
|
Chris@17
|
13
|
Chris@17
|
14 use Symfony\Component\HttpFoundation\IpUtils;
|
Chris@17
|
15 use Symfony\Component\HttpFoundation\Request;
|
Chris@17
|
16 use Symfony\Component\HttpFoundation\Response;
|
Chris@17
|
17 use Symfony\Component\HttpKernel\HttpKernelInterface;
|
Chris@17
|
18
|
Chris@17
|
19 /**
|
Chris@17
|
20 * @author Nicolas Grekas <p@tchwork.com>
|
Chris@17
|
21 *
|
Chris@17
|
22 * @internal
|
Chris@17
|
23 */
|
Chris@17
|
24 class SubRequestHandler
|
Chris@17
|
25 {
|
Chris@17
|
26 /**
|
Chris@17
|
27 * @return Response
|
Chris@17
|
28 */
|
Chris@17
|
29 public static function handle(HttpKernelInterface $kernel, Request $request, $type, $catch)
|
Chris@17
|
30 {
|
Chris@17
|
31 // save global state related to trusted headers and proxies
|
Chris@17
|
32 $trustedProxies = Request::getTrustedProxies();
|
Chris@17
|
33 $trustedHeaderSet = Request::getTrustedHeaderSet();
|
Chris@17
|
34 if (\method_exists(Request::class, 'getTrustedHeaderName')) {
|
Chris@17
|
35 Request::setTrustedProxies($trustedProxies, -1);
|
Chris@17
|
36 $trustedHeaders = [
|
Chris@17
|
37 Request::HEADER_FORWARDED => Request::getTrustedHeaderName(Request::HEADER_FORWARDED, false),
|
Chris@17
|
38 Request::HEADER_X_FORWARDED_FOR => Request::getTrustedHeaderName(Request::HEADER_X_FORWARDED_FOR, false),
|
Chris@17
|
39 Request::HEADER_X_FORWARDED_HOST => Request::getTrustedHeaderName(Request::HEADER_X_FORWARDED_HOST, false),
|
Chris@17
|
40 Request::HEADER_X_FORWARDED_PROTO => Request::getTrustedHeaderName(Request::HEADER_X_FORWARDED_PROTO, false),
|
Chris@17
|
41 Request::HEADER_X_FORWARDED_PORT => Request::getTrustedHeaderName(Request::HEADER_X_FORWARDED_PORT, false),
|
Chris@17
|
42 ];
|
Chris@17
|
43 Request::setTrustedProxies($trustedProxies, $trustedHeaderSet);
|
Chris@17
|
44 } else {
|
Chris@17
|
45 $trustedHeaders = [
|
Chris@17
|
46 Request::HEADER_FORWARDED => 'FORWARDED',
|
Chris@17
|
47 Request::HEADER_X_FORWARDED_FOR => 'X_FORWARDED_FOR',
|
Chris@17
|
48 Request::HEADER_X_FORWARDED_HOST => 'X_FORWARDED_HOST',
|
Chris@17
|
49 Request::HEADER_X_FORWARDED_PROTO => 'X_FORWARDED_PROTO',
|
Chris@17
|
50 Request::HEADER_X_FORWARDED_PORT => 'X_FORWARDED_PORT',
|
Chris@17
|
51 ];
|
Chris@17
|
52 }
|
Chris@17
|
53
|
Chris@17
|
54 // remove untrusted values
|
Chris@17
|
55 $remoteAddr = $request->server->get('REMOTE_ADDR');
|
Chris@17
|
56 if (!IpUtils::checkIp($remoteAddr, $trustedProxies)) {
|
Chris@17
|
57 foreach ($trustedHeaders as $key => $name) {
|
Chris@17
|
58 if ($trustedHeaderSet & $key) {
|
Chris@17
|
59 $request->headers->remove($name);
|
Chris@17
|
60 $request->server->remove('HTTP_'.strtoupper(str_replace('-', '_', $name)));
|
Chris@17
|
61 }
|
Chris@17
|
62 }
|
Chris@17
|
63 }
|
Chris@17
|
64
|
Chris@17
|
65 // compute trusted values, taking any trusted proxies into account
|
Chris@17
|
66 $trustedIps = [];
|
Chris@17
|
67 $trustedValues = [];
|
Chris@17
|
68 foreach (array_reverse($request->getClientIps()) as $ip) {
|
Chris@17
|
69 $trustedIps[] = $ip;
|
Chris@17
|
70 $trustedValues[] = sprintf('for="%s"', $ip);
|
Chris@17
|
71 }
|
Chris@17
|
72 if ($ip !== $remoteAddr) {
|
Chris@17
|
73 $trustedIps[] = $remoteAddr;
|
Chris@17
|
74 $trustedValues[] = sprintf('for="%s"', $remoteAddr);
|
Chris@17
|
75 }
|
Chris@17
|
76
|
Chris@17
|
77 // set trusted values, reusing as much as possible the global trusted settings
|
Chris@17
|
78 if (Request::HEADER_FORWARDED & $trustedHeaderSet) {
|
Chris@17
|
79 $trustedValues[0] .= sprintf(';host="%s";proto=%s', $request->getHttpHost(), $request->getScheme());
|
Chris@17
|
80 $request->headers->set($name = $trustedHeaders[Request::HEADER_FORWARDED], $v = implode(', ', $trustedValues));
|
Chris@17
|
81 $request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);
|
Chris@17
|
82 }
|
Chris@17
|
83 if (Request::HEADER_X_FORWARDED_FOR & $trustedHeaderSet) {
|
Chris@17
|
84 $request->headers->set($name = $trustedHeaders[Request::HEADER_X_FORWARDED_FOR], $v = implode(', ', $trustedIps));
|
Chris@17
|
85 $request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);
|
Chris@17
|
86 } elseif (!(Request::HEADER_FORWARDED & $trustedHeaderSet)) {
|
Chris@17
|
87 Request::setTrustedProxies($trustedProxies, $trustedHeaderSet | Request::HEADER_X_FORWARDED_FOR);
|
Chris@17
|
88 $request->headers->set($name = $trustedHeaders[Request::HEADER_X_FORWARDED_FOR], $v = implode(', ', $trustedIps));
|
Chris@17
|
89 $request->server->set('HTTP_'.strtoupper(str_replace('-', '_', $name)), $v);
|
Chris@17
|
90 }
|
Chris@17
|
91
|
Chris@17
|
92 // fix the client IP address by setting it to 127.0.0.1,
|
Chris@17
|
93 // which is the core responsibility of this method
|
Chris@17
|
94 $request->server->set('REMOTE_ADDR', '127.0.0.1');
|
Chris@17
|
95
|
Chris@17
|
96 // ensure 127.0.0.1 is set as trusted proxy
|
Chris@17
|
97 if (!IpUtils::checkIp('127.0.0.1', $trustedProxies)) {
|
Chris@17
|
98 Request::setTrustedProxies(array_merge($trustedProxies, ['127.0.0.1']), Request::getTrustedHeaderSet());
|
Chris@17
|
99 }
|
Chris@17
|
100
|
Chris@17
|
101 try {
|
Chris@17
|
102 return $kernel->handle($request, $type, $catch);
|
Chris@17
|
103 } finally {
|
Chris@17
|
104 // restore global state
|
Chris@17
|
105 Request::setTrustedProxies($trustedProxies, $trustedHeaderSet);
|
Chris@17
|
106 }
|
Chris@17
|
107 }
|
Chris@17
|
108 }
|