symfony
diff --git a/‎UPGRADE-3.3.md
Lines changed: 7 additions & 0 deletions b/‎UPGRADE-3.3.md
Lines changed: 7 additions & 0 deletions
diff --git a/‎UPGRADE-4.0.md
Lines changed: 7 additions & 0 deletions b/‎UPGRADE-4.0.md
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/CHANGELOG.md
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Component/HttpFoundation/CHANGELOG.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Request.php
Lines changed: 40 additions & 2 deletions b/‎src/Symfony/Component/HttpFoundation/Request.php
Lines changed: 40 additions & 2 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
Lines changed: 84 additions & 29 deletions b/‎src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
Lines changed: 84 additions & 29 deletions
@@ -166,6 +166,13 @@ FrameworkBundle
    class has been deprecated and will be removed in 4.0. Use the 
    `Symfony\Component\Routing\DependencyInjection\RoutingResolverPass` class instead.
 
+HttpFoundation
+--------------
+
+ * The `Request::setTrustedProxies()` method takes a new `$trustedHeader` argument - not setting it is deprecated.
+   Set it to `Request::HEADER_FORWARDED` if your reverse-proxy uses the RFC7239 `Forwarded` header,
+   or to `Request::HEADER_CLIENT_IP` if it is using `X-Forwarded-For`.
+
 HttpKernel
 -----------
 
 
@@ -274,6 +274,13 @@ FrameworkBundle
 HttpFoundation
 ---------------
 
+HttpFoundation
+--------------
+
+ * The `Request::setTrustedProxies()` method takes a new `$trustedHeader` mandatory argument.
+   Set it to `Request::HEADER_FORWARDED` if your reverse-proxy uses the RFC7239 `Forwarded` header,
+   or to `Request::HEADER_CLIENT_IP` if it is using `X-Forwarded-For` or similar.
+
  * Extending the following methods of `Response`
    is no longer possible (these methods are now `final`):
 
 
@@ -4,6 +4,7 @@ CHANGELOG
 3.3.0
 -----
 
+ * added `$trustedHeader` argument to `Request::setTrustedProxies()` - deprecate not setting it,
  * added `File\Stream`, to be passed to `BinaryFileResponse` when the size of the served file is unknown,
    disabling `Range` and `Content-Length` handling, switching to chunked encoding instead
  * added the `Cookie::fromString()` method that allows to create a cookie from a
 
@@ -210,6 +210,14 @@ class Request
     private $isHostValid = true;
     private $isClientIpsValid = true;
 
+    private static $trustedHeaderNames = array(
+        self::HEADER_FORWARDED => 'FORWARDED',
+        self::HEADER_CLIENT_IP => 'X_FORWARDED_FOR',
+        self::HEADER_CLIENT_HOST => 'X_FORWARDED_HOST',
+        self::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
+        self::HEADER_CLIENT_PORT => 'X_FORWARDED_PORT',
+    );
+
     /**
      * Constructor.
      *
@@ -548,11 +556,37 @@ public function overrideGlobals()
      *
      * You should only list the reverse proxies that you manage directly.
      *
-     * @param array $proxies A list of trusted proxies
+     * @param array  $proxies       A list of trusted proxies
+     * @param string $trustedHeader Either Request::HEADER_FORWARDED or Request::HEADER_CLIENT_IP to set which header to trust from your proxies
+     *
+     * @throws \InvalidArgumentException When $trustedHeader is invalid
      */
-    public static function setTrustedProxies(array $proxies)
+    public static function setTrustedProxies(array $proxies/*, string $trustedHeader*/)
     {
         self::$trustedProxies = $proxies;
+
+        if (2 > func_num_args()) {
+            @trigger_error(sprintf('The %s() method expects Request::HEADER_FORWARDED or Request::HEADER_CLIENT_IP as second argument. Not passing it is deprecated since version 3.3 and will be required in 4.0.', __METHOD__), E_USER_DEPRECATED);
+
+            return;
+        }
+        $trustedHeader = func_get_arg(1);
+
+        if (self::HEADER_FORWARDED === $trustedHeader) {
+            self::$trustedHeaders[self::HEADER_FORWARDED] = self::$trustedHeaderNames[self::HEADER_FORWARDED];
+            self::$trustedHeaders[self::HEADER_CLIENT_IP] = null;
+            self::$trustedHeaders[self::HEADER_CLIENT_HOST] = null;
+            self::$trustedHeaders[self::HEADER_CLIENT_PORT] = null;
+            self::$trustedHeaders[self::HEADER_CLIENT_PROTO] = null;
+        } elseif (self::HEADER_CLIENT_IP === $trustedHeader) {
+            self::$trustedHeaders[self::HEADER_FORWARDED] = null;
+            self::$trustedHeaders[self::HEADER_CLIENT_IP] = self::$trustedHeaderNames[self::HEADER_CLIENT_IP];
+            self::$trustedHeaders[self::HEADER_CLIENT_HOST] = self::$trustedHeaderNames[self::HEADER_CLIENT_HOST];
+            self::$trustedHeaders[self::HEADER_CLIENT_PORT] = self::$trustedHeaderNames[self::HEADER_CLIENT_PORT];
+            self::$trustedHeaders[self::HEADER_CLIENT_PROTO] = self::$trustedHeaderNames[self::HEADER_CLIENT_PROTO];
+        } else {
+            throw new \InvalidArgumentException(sprintf('Invalid trusted header argument: Request::HEADER_FORWARDED or Request::HEADER_CLIENT_IP was expected, "%s" given.', $trustedHead
10000
er));
+        }
     }
 
     /**
@@ -616,6 +650,10 @@ public static function setTrustedHeaderName($key, $value)
         }
 
         self::$trustedHeaders[$key] = $value;
+
+        if (null !== $value) {
+            self::$trustedHeaderNames[$key] = $value;
+        }
     }
 
     /**
 
@@ -19,6 +19,17 @@
 
 class RequestTest extends TestCase
 {
+    protected function tearDown()
+    {
+        // reset
+        Request::setTrustedProxies(array(), Request::HEADER_CLIENT_IP);
+        Request::setTrustedHeaderName(Request::HEADER_FORWARDED, 'FORWARDED');
+        Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X_FORWARDED_FOR');
+        Request::setTrustedHeaderName(Request::HEADER_CLIENT_HOST, 'X_FORWARDED_HOST');
+        Request::setTrustedHeaderName(Request::HEADER_CLIENT_PORT, 'X_FORWARDED_PORT');
+        Request::setTrustedHeaderName(Request::HEADER_CLIENT_PROTO, 'X_FORWARDED_PROTO');
+    }
+
     public function testInitialize()
     {
         $request = new Request();
@@ -727,7 +738,7 @@ public function testGetPort()
 
         $this->assertEquals(80, $port, 'Without trusted proxies FORWARDED_PROTO and FORWARDED_PORT are ignored.');
 
-        Request::setTrustedProxies(array('1.1.1.1'));
+        Request::setTrustedProxies(array('1.1.1.1'), Request::HEADER_CLIENT_IP);
         $request = Request::create('http://example.com', 'GET', array(), array(), array(), array(
             'HTTP_X_FORWARDED_PROTO' => 'https',
             'HTTP_X_FORWARDED_PORT' => '8443',
@@ -769,8 +780,6 @@ public function testGetPort()
         ));
         $port = $request->getPort();
         $this->assertEquals(80, $port, 'With only PROTO set and value is not recognized, getPort() defaults to 80.');
-
-        Request::setTrustedProxies(array());
     }
 
     /**
@@ -846,8 +855,6 @@ public function testGetClientIp($expected, $remoteAddr, $httpForwardedFor, $trus
         $request = $this->getRequestInstanceForClientIpTests($remoteAddr, $httpForwardedFor, $trustedProxies);
 
         $this->assertEquals($expected[0], $request->getClientIp());
-
-        Request::setTrustedProxies(array());
     }
 
     /**
@@ -858,8 +865,6 @@ public function testGetClientIps($expected, $remoteAddr, $httpForwardedFor, $tru
         $request = $this->getRequestInstanceForClientIpTests($remoteAddr, $httpForwardedFor, $trustedProxies);
 
         $this->assertEquals($expected, $request->getClientIps());
-
-        Request::setTrustedProxies(array());
     }
 
     /**
@@ -870,8 +875,6 @@ public function testGetClientIpsForwarded($expected, $remoteAddr, $httpForwarded
         $request = $this->getRequestInstanceForClientIpsForwardedTests($remoteAddr, $httpForwarded, $trustedProxies);
 
         $this->assertEquals($expected, $request->getClientIps());
-
-        Request::setTrustedProxies(array());
     }
 
     public function testGetClientIpsForwardedProvider()
@@ -956,7 +959,9 @@ public function testGetClientIpsWithConflictingHeaders($httpForwarded, $httpXFor
             'HTTP_X_FORWARDED_FOR' => $httpXForwardedFor,
         );
 
-        Request::setTrustedProxies(array('88.88.88.88'));
+        Request::setTrustedProxies(array('88.88.88.88'), Request::HEADER_CLIENT_IP);
+        Request::setTrustedHeaderName(Request::HEADER_FORWARDED, 'FORWARDED');
+        Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X_FORWARDED_FOR');
 
         $request->initialize(array(), array(), array(), array(), array(), $server);
 
@@ -988,13 +993,11 @@ public function testGetClientIpsWithAgreeingHeaders($httpForwarded, $httpXForwar
             'HTTP_X_FORWARDED_FOR' => $httpXForwardedFor,
         );
 
-        Request::setTrustedProxies(array('88.88.88.88'));
+        Request::setTrustedProxies(array('88.88.88.88'), Request::HEADER_CLIENT_IP);
 
         $request->initialize(array(), array(), array(), array(), array(), $server);
 
         $request->getClientIps();
-
-        Request::setTrustedProxies(array());
     }
 
     public function testGetClientIpsWithAgreeingHeadersProvider()
@@ -1177,11 +1180,10 @@ public function testOverrideGlobals()
 
         $request->headers->set('X_FORWARDED_PROTO', 'https');
 
-        Request::setTrustedProxies(array('1.1.1.1'));
+        Request::setTrustedProxies(array('1.1.1.1'), Request::HEADER_CLIENT_IP);
         $this->assertFalse($request->isSecure());
         $request->server->set('REMOTE_ADDR', '1.1.1.1');
         $this->assertTrue($request->isSecure());
-        Request::setTrustedProxies(array());
 
         $request->overrideGlobals();
 
@@ -1644,7 +1646,7 @@ private function getRequestInstanceForClientIpTests($remoteAddr, $httpForwardedF
         }
 
         if ($trustedProxies) {
-            Request::setTrustedProxies($trustedProxies);
+            Request::setTrustedProxies($trustedProxies, Request::HEADER_CLIENT_IP);
         }
 
         $request->initialize(array(), array(), array(), array(), array(), $server);
@@ -1663,7 +1665,7 @@ private function getRequestInstanceForClientIpsForwardedTests($remoteAddr, $http
         }
 
         if ($trustedProxies) {
-            Request::setTrustedProxies($trustedProxies);
+            Request::setTrustedProxies($trustedProxies, Request::HEADER_FORWARDED);
         }
 
         $request->initialize(array(), array(), array(), array(), array(), $server);
@@ -1691,35 +1693,35 @@ public function testTrustedProxies()
         $this->assertFalse($request->isSecure());
 
         // disabling proxy trusting
-        Request::setTrustedProxies(array());
+        Request::setTrustedProxies(array(), Request::HEADER_CLIENT_IP);
         $this->assertEquals('3.3.3.3', $request->getClientIp());
         $this->assertEquals('example.com', $request->getHost());
         $this->assertEquals(80, $request->getPort());
         $this->assertFalse($request->isSecure());
 
         // request is forwarded by a non-trusted proxy
-        Request::setTrustedProxies(array('2.2.2.2'));
+        Request::setTrustedProxies(array('2.2.2.2'), Request::HEADER_CLIENT_IP);
         $this->assertEquals('3.3.3.3', $request->getClientIp());
         $this->assertEquals('example.com', $request->getHost());
         $this->assertEquals(80, $request->getPort());
         $this->assertFalse($request->isSecure());
 
         // trusted proxy via setTrustedProxies()
-        Request::setTrustedProxies(array('3.3.3.3', '2.2.2.2'));
+        Request::setTrustedProxies(array('3.3.3.3', '2.2.2.2'), Request::HEADER_CLIENT_IP);
         $this->assertEquals('1.1.1.1', $request->getClientIp());
         $this->assertEquals('real.example.com', $request->getHost());
         $this->assertEquals(443, $request->getPort());
         $this->assertTrue($request->isSecure());
 
         // trusted proxy via setTrustedProxies()
-        Request::setTrustedProxies(array('3.3.3.4', '2.2.2.2'));
+        Request::setTrustedProxies(array('3.3.3.4', '2.2.2.2'), Request::HEADER_CLIENT_IP);
         $this->assertEquals('3.3.3.3', $request->getClientIp());
         $this->assertEquals('example.com', $request->getHost());
         $this->assertEquals(80, $request->getPort());
         $this->assertFalse($request->isSecure());
 
         // check various X_FORWARDED_PROTO header values
-        Request::setTrustedProxies(array('3.3.3.3', '2.2.2.2'));
+        Request::setTrustedProxies(array('3.3.3.3', '2.2.2.2'), Request::HEADER_CLIENT_IP);
         $request->headers->set('X_FORWARDED_PROTO', 'ssl');
         $this->assertTrue($request->isSecure());
 
@@ -1745,13 +1747,6 @@ public function testTrustedProxies()
         $this->assertEquals('example.com', $request->getHost());
         $this->assertEquals(80, $request->getPort());
         $this->assertFalse($request->isSecure());
-
-        // reset
-        Request::setTrustedProxies(array());
-        Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X_FORWARDED_FOR');
-        Request::setTrustedHeaderName(Request::HEADER_CLIENT_HOST, 'X_FORWARDED_HOST');
-        Request::setTrustedHeaderName(Request::HEADER_CLIENT_PORT, 'X_FORWARDED_PORT');
-        Request::setTrustedHeaderName(Request::HEADER_CLIENT_PROTO, 'X_FORWARDED_PROTO');
     }
 
     /**
@@ -2062,6 +2057,66 @@ public function methodCacheableProvider()
             array('CONNECT', false),
         );
     }
+
+    /**
+     * @group legacy
+     * @expectedDeprecation The Symfony\Component\HttpFoundation\Request::setTrustedProxies() method expects Request::HEADER_FORWARDED or Request::HEADER_CLIENT_IP as second argument. Not passing it is deprecated since version 3.3 and will be required in 4.0.
+     */
+    public function testLegacySetTrustedProxies()
+    {
+        Request::setTrustedProxies(array('8.8.8.8'));
+
+        $this->assertSame('FORWARDED', Request::getTrustedHeaderName(Request::HEADER_FORWARDED));
+        $this->assertSame('X_FORWARDED_FOR', Request::getTrustedHeaderName(Request::HEADER_CLIENT_IP));
+        $this->assertSame('X_FORWARDED_HOST', Request::getTrustedHeaderName(Request::HEADER_CLIENT_HOST));
+        $this->assertSame('X_FORWARDED_PORT', Request::getTrustedHeaderName(Request::HEADER_CLIENT_PORT));
+        $this->assertSame('X_FORWARDED_PROTO', Request::getTrustedHeaderName(Request::HEADER_CLIENT_PROTO));
+    }
+
+    public function testSetTrustedProxies()
+    {
+        Request::setTrustedProxies(array('8.8.8.8'), Request::HEADER_CLIENT_IP);
+
+        $this->assertNull(Request::getTrustedHeaderName(Request::HEADER_FORWARDED));
+        $this->assertSame('X_FORWARDED_FOR', Request::getTrustedHeaderName(Request::HEADER_CLIENT_IP));
+        $this->assertSame('X_FORWARDED_HOST', Request::getTrustedHeaderName(Request::HEADER_CLIENT_HOST));
+        $this->assertSame('X_FORWARDED_PORT', Request::getTrustedHeaderName(Request::HEADER_CLIENT_PORT));
+        $this->assertSame('X_FORWARDED_PROTO', Request::getTrustedHeaderName(Request::HEADER_CLIENT_PROTO));
+
+        Request::setTrustedProxies(array('8.8.8.8'), Request::HEADER_FORWARDED);
+
+        $this->assertSame('FORWARDED', Request::getTrustedHeaderName(Request::HEADER_FORWARDED));
+        $this->assertNull(Request::getTrustedHeaderName(Request::HEADER_CLIENT_IP));
+        $this->assertNull(Request::getTrustedHeaderName(Request::HEADER_CLIENT_HOST));
+        $this->assertNull(Request::getTrustedHeaderName(Request::HEADER_CLIENT_PORT));
+        $this->assertNull(Request::getTrustedHeaderName(Request::HEADER_CLIENT_PROTO));
+
+        Request::setTrustedHeaderName(Request::HEADER_FORWARDED, 'A');
+        Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'B');
+        Request::setTrustedHeaderName(Request::HEADER_CLIENT_HOST, 'C');
+        Request::setTrustedHeaderName(Request::HEADER_CLIENT_PORT, 'D');
+        Request::setTrustedHeaderName(Request::HEADER_CLIENT_PROTO, 'E');
+
+        Request::setTrustedProxies(array('8.8.8.8'), Request::HEADER_FORWARDED);
+
+        $this->assertSame('A', Request::getTrustedHeaderName(Request::HEADER_FORWARDED));
+        $this->assertNull(Request::getTrustedHeaderName(Request::HEADER_CLIENT_IP));
+        $this->assertNull(Request::getTrustedHeaderName(Request::HEADER_CLIENT_HOST));
+        $this->assertNull(Request::getTrustedHeaderName(Request::HEADER_CLIENT_PORT));
+        $this->assertNull(Request::getTrustedHeaderName(Request::HEADER_CLIENT_PROTO));
+
+        Request::setTrustedProxies(array('8.8.8.8'), Request::HEADER_CLIENT_IP);
+
+        $this->assertNull(Request::getTrustedHeaderName(Request::HEADER_FORWARDED));
+        $this->assertSame('B', Request::getTrustedHeaderName(Request::HEADER_CLIENT_IP));
+        $this->assertSame('C', Request::getTrustedHeaderName(Request::HEADER_CLIENT_HOST));
+        $this->assertSame('D', Request::getTrustedHeaderName(Request::HEADER_CLIENT_PORT));
+        $this->assertSame('E', Request::getTrustedHeaderName(Request::HEADER_CLIENT_PROTO));
+
+        Request::setTrustedProxies(array('8.8.8.8'), Request::HEADER_FORWARDED);
+
+        $this->assertSame('A', Request::getTrustedHeaderName(Request::HEADER_FORWARDED));
+    }
 }
 
 class RequestContentProxy extends Request