[HttpFoundation] Fix Request::getHost() when having several hosts in X_FORWARDED_HOST

nicolas-grekas · nicolas-grekas · commit 9a2b2de64fff · 2017-03-03T11:02:41.000+01:00
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
@@ -962,7 +962,7 @@ public function getPort()
     {
         if ($this->isFromTrustedProxy()) {
             if (self::$trustedHeaders[self::HEADER_CLIENT_PORT] && $port = $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_PORT])) {
-                return $port;
+                return (int) $port;
             }
 
             if (self::$trustedHeaders[self::HEADER_CLIENT_PROTO] && 'https' === $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_PROTO], 'http')) {
@@ -1211,9 +1211,9 @@ public function isSecure()
     public function getHost()
     {
         if ($this->isFromTrustedProxy() && self::$trustedHeaders[self::HEADER_CLIENT_HOST] && $host = $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_HOST])) {
-            $elements = explode(',', $host);
+            $elements = explode(',', $host, 2);
 
-            $host = $elements[count($elements) - 1];
+            $host = $elements[0];
         } elseif (!$host = $this->headers->get('HOST')) {
             if (!$host = $this->server->get('SERVER_NAME')) {
                 $host = $this->server->get('SERVER_ADDR', '');
diff --git a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
@@ -1631,7 +1631,7 @@ public function testTrustedProxies()
         $request = Request::create('http://example.com/');
         $request->server->set('REMOTE_ADDR', '3.3.3.3');
         $request->headers->set('X_FORWARDED_FOR', '1.1.1.1, 2.2.2.2');
-        $request->headers->set('X_FORWARDED_HOST', 'foo.example.com, real.example.com:8080');
+        $request->headers->set('X_FORWARDED_HOST', 'foo.example.com:1234, real.example.com:8080');
         $request->headers->set('X_FORWARDED_PROTO', 'https');
         $request->headers->set('X_FORWARDED_PORT', 443);
         $request->headers->set('X_MY_FOR', '3.3.3.3, 4.4.4.4');
@@ -1662,7 +1662,7 @@ public function testTrustedProxies()
         // trusted proxy via setTrustedProxies()
         Request::setTrustedProxies(array('3.3.3.3', '2.2.2.2'));
         $this->assertEquals('1.1.1.1', $request->getClientIp());
-        $this->assertEquals('real.example.com', $request->getHost());
+        $this->assertEquals('foo.example.com', $request->getHost());
         $this->assertEquals(443, $request->getPort());
         $this->assertTrue($request->isSecure());
 

Original file line number	Diff line number	Diff line change
`@@ -962,7 +962,7 @@ public function getPort()`
`962`	`962`	`{`
`963`	`963`	`if ($this->isFromTrustedProxy()) {`
`964`	`964`	`if (self::$trustedHeaders[self::HEADER_CLIENT_PORT] && $port = $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_PORT])) {`
`965`		`- return $port;`
	`965`	`+ return (int) $port;`
`966`	`966`	`}`
`967`	`967`
`968`	`968`	`if (self::$trustedHeaders[self::HEADER_CLIENT_PROTO] && 'https' === $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_PROTO], 'http')) {`
`@@ -1211,9 +1211,9 @@ public function isSecure()`
`1211`	`1211`	`public function getHost()`
`1212`	`1212`	`{`
`1213`	`1213`	`if ($this->isFromTrustedProxy() && self::$trustedHeaders[self::HEADER_CLIENT_HOST] && $host = $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_HOST])) {`
`1214`		`- $elements = explode(',', $host);`
	`1214`	`+ $elements = explode(',', $host, 2);`
`1215`	`1215`
`1216`		`- $host = $elements[count($elements) - 1];`
	`1216`	`+ $host = $elements[0];`
`1217`	`1217`	`} elseif (!$host = $this->headers->get('HOST')) {`
`1218`	`1218`	`if (!$host = $this->server->get('SERVER_NAME')) {`
`1219`	`1219`	`$host = $this->server->get('SERVER_ADDR', '');`