helmer
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
Lines changed: 7 additions & 0 deletions b/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/FrameworkBundle.php
Lines changed: 4 additions & 0 deletions b/‎src/Symfony/Bundle/FrameworkBundle/FrameworkBundle.php
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Component/HttpFoundation/Request.php
Lines changed: 54 additions & 0 deletions b/‎src/Symfony/Component/HttpFoundation/Request.php
Lines changed: 54 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
Lines changed: 31 additions & 0 deletions b/‎src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
Lines changed: 31 additions & 0 deletions
@@ -68,6 +68,13 @@ public function getConfigTreeBuilder()
                 ->scalarNode('ide')->defaultNull()->end()
                 ->booleanNode('test')->end()
                 ->scalarNode('default_locale')->defaultValue('en')->end()
+                ->arrayNode('trusted_hosts')
+                    ->beforeNormalization()
+                        ->ifTrue(function($v) { return is_string($v); })
+                        ->then(function($v) { return array($v); })
+                    ->end()
+                    ->prototype('scalar')->end()
+                ->end()
             ->end()
         ;
 
 
@@ -69,7 +69,7 @@ public function load(array $configs, ContainerBuilder $container)
         }
 
         $container->setParameter('kernel.http_method_override', $config['http_method_override']);
-
+        $container->setParameter('kernel.trusted_hosts', $config['trusted_hosts']);
         $container->setParameter('kernel.trusted_proxies', $config['trusted_proxies']);
         $container->setParameter('kernel.default_locale', $config['default_locale']);
 
 
@@ -49,6 +49,10 @@ public function boot()
         if ($this->container->getParameter('kernel.http_method_override')) {
             Request::enableHttpMethodParameterOverride();
         }
+
+        if ($trustedHosts = $this->container->getParameter('kernel.trusted_hosts')) {
+            Request::setTrustedHosts($trustedHosts);
+        }
     }
 
     public function build(ContainerBuilder $container)
 
@@ -22,7 +22,7 @@ public function testDefaultConfig()
         $config = $processor->processConfiguration(new Configuration(), array(array('secret' => 's3cr3t')));
 
         $this->assertEquals(
-            array_merge(array('secret' => 's3cr3t'), self::getBundleDefaultConfig()),
+            array_merge(array('secret' => 's3cr3t', 'trusted_hosts' => array()), self::getBundleDefaultConfig()),
             $config
         );
     }
 
@@ -37,6 +37,16 @@ class Request
 
     protected static $trustedProxies = array();
 
+    /**
+     * @var string[]
+     */
+    protected static $trustedHostPatterns = array();
+
+    /**
+     * @var string[]
+     */
+    protected static $trustedHosts = array();
+
     /**
      * Names for headers that can be trusted when
      * using trusted proxies.
@@ -493,6 +503,32 @@ public static function getTrustedProxies()
         return self::$trustedProxies;
     }
 
+    /**
+     * Sets a list of trusted host patterns.
+     *
+     * You should only list the hosts you manage using regexs.
+     *
+     * @param array $hostPatterns A list of trusted host patterns
+     */
+    public static function setTrustedHosts(array $hostPatterns)
+    {
+        self::$trustedHostPatterns = array_map(function ($hostPattern) {
+            return sprintf('{%s}i', str_replace('}', '\\}', $hostPattern));
+        }, $hostPatterns);
+        // we need to reset trusted hosts on trusted host patterns change
+        self::$trustedHosts = array();
+    }
+
+    /**
+     * Gets the list of trusted host patterns.
+     *
+     * @return array An array of trusted host patterns.
+     */
+    public static function getTrustedHosts()
+    {
+        return self::$trustedHostPatterns;
+    }
+
     /**
      * Sets the name for trusted headers.
      *
@@ -1075,6 +1111,24 @@ public function getHost()
             throw new \UnexpectedValueException('Invalid Host');
         }
 
+        if (count(self::$trustedHostPatterns) > 0) {
+            // to avoid host header injection attacks, you should provide a list of trusted host patterns
+
+            if (in_array($host, self::$trustedHosts)) {
+                return $host;
+            }
+
+            foreach (self::$trustedHostPatterns as $pattern) {
+                if (preg_match($pattern, $host)) {
+                    self::$trustedHosts[] = $host;
+
+                    return $host;
+                }
+            }
+
+            throw new \UnexpectedValueException('Untrusted Host');
+        }
+
         return $host;
     }
 
 
@@ -1517,6 +1517,37 @@ public function iisRequestUriProvider()
             )
         );
     }
+
+    public function testTrustedHosts()
+    {
+        // create a request
+        $request = Request::create('/');
+
+        // no trusted host set -> no host check
+        $request->headers->set('host', 'evil.com');
+        $this->assertEquals('evil.com', $request->getHost());
+
+        // add a trusted domain and all its subdomains
+        Request::setTrustedHosts(array('.*\.?trusted.com$'));
+
+        // untrusted host
+        $request->headers->set('host', 'evil.com');
+        try {
+            $request->getHost();
+            $this->fail('Request::getHost() should throw an exception when host is not trusted.');
+        } catch (\UnexpectedValueException $e) {
+            $this->assertEquals('Untrusted Host', $e->getMessage());
+        }
+
+        // trusted hosts
+        $request->headers->set('host', 'trusted.com');
+        $this->assertEquals('trusted.com', $request->getHost());
+        $request->headers->set('host', 'subdomain.trusted.com');
+        $this->assertEquals('subdomain.trusted.com', $request->getHost());
+
+        // reset request for following tests
+        Request::setTrustedHosts(array());
+    }
 }
 
 class RequestContentProxy extends Request
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ public function load(array $configs, ContainerBuilder $container)`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`$container->setParameter('kernel.http_method_override', $config['http_method_override']);`
`72`		`-`
	`72`	`+ $container->setParameter('kernel.trusted_hosts', $config['trusted_hosts']);`
`73`	`73`	`$container->setParameter('kernel.trusted_proxies', $config['trusted_proxies']);`
`74`	`74`	`$container->setParameter('kernel.default_locale', $config['default_locale']);`
`75`	`75`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,10 @@ public function boot()`
`49`	`49`	`if ($this->container->getParameter('kernel.http_method_override')) {`
`50`	`50`	`Request::enableHttpMethodParameterOverride();`
`51`	`51`	`}`
	`52`	`+`
	`53`	`+ if ($trustedHosts = $this->container->getParameter('kernel.trusted_hosts')) {`
	`54`	`+ Request::setTrustedHosts($trustedHosts);`
	`55`	`+ }`
`52`	`56`	`}`
`53`	`57`
`54`	`58`	`public function build(ContainerBuilder $container)`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ public function testDefaultConfig()`
`22`	`22`	`$config = $processor->processConfiguration(new Configuration(), array(array('secret' => 's3cr3t')));`
`23`	`23`
`24`	`24`	`$this->assertEquals(`
`25`		`- array_merge(array('secret' => 's3cr3t'), self::getBundleDefaultConfig()),`
	`25`	`+ array_merge(array('secret' => 's3cr3t', 'trusted_hosts' => array()), self::getBundleDefaultConfig()),`
`26`	`26`	`$config`
`27`	`27`	`);`
`28`	`28`	`}`