symfony
diff --git a/‎src/Symfony/Component/Debug/Exception/FlattenException.php
Lines changed: 3 additions & 0 deletions b/‎src/Symfony/Component/Debug/Exception/FlattenException.php
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Debug/Tests/Exception/FlattenExceptionTest.php
Lines changed: 6 additions & 0 deletions b/‎src/Symfony/Component/Debug/Tests/Exception/FlattenExceptionTest.php
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Exception/ConflictingHeadersException.php
Lines changed: 1 addition & 3 deletions b/‎src/Symfony/Component/HttpFoundation/Exception/ConflictingHeadersException.php
Lines changed: 1 addition & 3 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Exception/RequestExceptionInterface.php
Lines changed: 21 additions & 0 deletions b/‎src/Symfony/Component/HttpFoundation/Exception/RequestExceptionInterface.php
Lines changed: 21 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Exception/SuspiciousOperationException.php
Lines changed: 20 additions & 0 deletions b/‎src/Symfony/Component/HttpFoundation/Exception/SuspiciousOperationException.php
Lines changed: 20 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Request.php
Lines changed: 23 additions & 4 deletions b/‎src/Symfony/Component/HttpFoundation/Request.php
Lines changed: 23 additions & 4 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
Lines changed: 4 additions & 3 deletions b/‎src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
Lines changed: 4 additions & 3 deletions
diff --git a/‎src/Symfony/Component/HttpKernel/EventListener/ValidateRequestListener.php
Lines changed: 3 additions & 3 deletions b/‎src/Symfony/Component/HttpKernel/EventListener/ValidateRequestListener.php
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/Symfony/Component/HttpKernel/HttpKernel.php
Lines changed: 3 additions & 3 deletions b/‎src/Symfony/Component/HttpKernel/HttpKernel.php
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/Symfony/Component/HttpKernel/Tests/EventListener/RouterListenerTest.php
Lines changed: 30 additions & 2 deletions b/‎src/Symfony/Component/HttpKernel/Tests/EventListener/RouterListenerTest.php
Lines changed: 30 additions & 2 deletions
diff --git a/‎src/Symfony/Component/HttpKernel/composer.json
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Component/HttpKernel/composer.json
Lines changed: 1 addition & 1 deletion
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Debug\Exception;
 
+use Symfony\Component\HttpFoundation\Exception\RequestExceptionInterface;
 use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
 
 /**
@@ -41,6 +42,8 @@ public static function create(\Exception $exception, $statusCode = null, array $
         if ($exception instanceof HttpExceptionInterface) {
             $statusCode = $exception->getStatusCode();
             $headers = array_merge($headers, $exception->getHeaders());
+        } elseif ($exception instanceof RequestExceptionInterface) {
+            $statusCode = 400;
         }
 
         if (null === $statusCode) {
 
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Debug\Tests\Exception;
 
 use Symfony\Component\Debug\Exception\FlattenException;
+use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Symfony\Component\HttpKernel\Exception\MethodNotAllowedHttpException;
 use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
@@ -78,6 +79,11 @@ public function testStatusCode()
 
         $flattened = FlattenException::create(new UnsupportedMediaTypeHttpException());
         $this->assertEquals('415', $flattened->getStatusCode());
+
+        if (class_exists(SuspiciousOperationException::class)) {
+            $flattened = FlattenException::create(new SuspiciousOperationException());
+            $this->assertEquals('400', $flattened->getStatusCode());
+        }
     }
 
     public function testHeadersForHttpException()
 
@@ -14,10 +14,8 @@
 /**
  * The HTTP request contains headers with conflicting information.
  *
- * This exception should trigger an HTTP 400 response in your application code.
- *
  * @author Magnus Nordlander <magnus@fervo.se>
  */
-class ConflictingHeadersException extends \RuntimeException
+class ConflictingHeadersException extends \UnexpectedValueException implements RequestExceptionInterface
 {
 }
@@ -0,0 +1,21 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpFoundation\Exception;
+
+/**
+ * Interface for Request exceptions.
+ *
+ * Exceptions implementing this interface should trigger an HTTP 400 response in the application code.
+ */
+interface RequestExceptionInterface
+{
+}
@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpFoundation\Exception;
+
+/**
+ * Raised when a user has performed an operation that should be considered
+ * suspicious from a security perspective.
+ */
+class SuspiciousOperationException extends \UnexpectedValueException implements RequestExceptionInterface
+{
+}
@@ -12,6 +12,7 @@
 namespace Symfony\Component\HttpFoundation;
 
 use Symfony\Component\HttpFoundation\Exception\ConflictingHeadersException;
+use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 
 /**
@@ -206,6 +207,9 @@ class Request
 
     protected static $requestFactory;
 
+    private $isHostValid = true;
+    private $isClientIpsValid = true;
+
     /**
      * Constructor.
      *
@@ -819,7 +823,12 @@ public function getClientIps()
         }
 
         if ($hasTrustedForwardedHeader && $hasTrustedClientIpHeader && $forwardedClientIps !== $xForwardedForClientIps) {
-            throw new ConflictingHeadersException('The request has both a trusted Forwarded header and a trusted Client IP header, conflicting with each other with regards to the originating IP addresses of the request. This is the result of a misconfiguration. You should either configure your proxy only to send one of these headers, or configure Symfony to distrust one of them.');
+            if (!$this->isClientIpsValid) {
+                return array('0.0.0.0');
+            }
+            $this->isClientIpsValid = false;
+
+            throw new ConflictingHeadersException('The request has both a trusted Forwarded header and a trusted Client IP header, conflicting with each other with regards to the originating IP addresses of the request. This is the result of a misconfiguration. You should either configure your proxy only to send one of these headers, or configure your project to distrust one of them.');
         }
 
         if (!$hasTrustedForwardedHeader && !$hasTrustedClientIpHeader) {
@@ -1198,7 +1207,7 @@ public function isSecure()
      *
      * @return string
      *
-     * @throws \UnexpectedValueException when the host name is invalid
+     * @throws SuspiciousOperationException when the host name is invalid or not trusted
      */
     public function getHost()
     {
@@ -1220,7 +1229,12 @@ public function getHost()
         // check that it does not contain forbidden characters (see RFC 952 and RFC 2181)
         // use preg_replace() instead of preg_match() to prevent DoS attacks with long host names
         if ($host && '' !== preg_replace('/(?:^\[)?[a-zA-Z0-9-:\]_]+\.?/', '', $host)) {
-            throw new \UnexpectedValueException(sprintf('Invalid Host "%s"', $host));
+            if (!$this->isHostValid) {
+                return '';
+            $this->isHostValid = false;
+
+            throw new SuspiciousOperationException(sprintf('Invalid Host "%s".', $host));
         }
 
         if (count(self::$trustedHostPatterns) > 0) {
@@ -1238,7 +1252,12 @@ public function getHost()
                 }
             }
 
-            throw new \UnexpectedValueException(sprintf('Untrusted Host "%s"', $host));
+            if (!$this->isHostValid) {
+                return '';
+            }
+            $this->isHostValid = false;
+
+            throw new SuspiciousOperationException(sprintf('Untrusted Host "%s".', $host));
         }
 
         return $host;
 
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\HttpFoundation\Tests;
 
+use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
 use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
 use Symfony\Component\HttpFoundation\Session\Session;
 use Symfony\Component\HttpFoundation\Request;
@@ -1871,8 +1872,8 @@ public function testTrustedHosts()
         try {
             $request->getHost();
             $this->fail('Request::getHost() should throw an exception when host is not trusted.');
-        } catch (\UnexpectedValueException $e) {
-            $this->assertEquals('Untrusted Host "evil.com"', $e->getMessage());
+        } catch (SuspiciousOperationException $e) {
+            $this->assertEquals('Untrusted Host "evil.com".', $e->getMessage());
         }
 
         // trusted hosts
@@ -1935,7 +1936,7 @@ public function testHostValidity($host, $isValid, $expectedHost = null, $expecte
                 $this->assertSame($expectedPort, $request->getPort());
             }
         } else {
-            $this->setExpectedException('UnexpectedValueException', 'Invalid Host');
+            $this->setExpectedException(SuspiciousOperationException::class, 'Invalid Host');
             $request->getHost();
         }
     }
 
@@ -16,8 +16,7 @@
 use Symfony\Component\HttpKernel\KernelEvents;
 
 /**
- * Validates that the headers and other information indicating the
- * client IP address of a request are consistent.
+ * Validates Requests.
  *
  * @author Magnus Nordlander <magnus@fervo.se>
  */
@@ -36,9 +35,10 @@ public function onKernelRequest(GetResponseEvent $event)
         $request = $event->getRequest();
 
         if ($request::getTrustedProxies()) {
-            // This will throw an exception if the headers are inconsistent.
             $request->getClientIps();
         }
+
+        $request->getHost();
     }
 
     /**
 
@@ -25,7 +25,7 @@
 use Symfony\Component\HttpKernel\Event\GetResponseForControllerResultEvent;
 use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
 use Symfony\Component\HttpKernel\Event\PostResponseEvent;
-use Symfony\Component\HttpFoundation\Exception\ConflictingHeadersException;
+use Symfony\Component\HttpFoundation\Exception\RequestExceptionInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\HttpFoundation\Response;
@@ -67,8 +67,8 @@ public function handle(Request $request, $type = HttpKernelInterface::MASTER_REQ
         try {
             return $this->handleRaw($request, $type);
         } catch (\Exception $e) {
-            if ($e instanceof ConflictingHeadersException) {
-                $e = new BadRequestHttpException('The request headers contain conflicting information regarding the origin of this request.', $e);
+            if ($e instanceof RequestExceptionInterface) {
+                $e = new BadRequestHttpException($e->getMessage(), $e);
             }
             if (false === $catch) {
                 $this->finishRequest($request, $type);
 
@@ -9,11 +9,17 @@
  * file that was distributed with this source code.
  */
 
-namespace Symfony\Component\HttpKernel\Tests\EventListener;
-
+use Symfony\Component\EventDispatcher\EventDispatcher;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Controller\ArgumentResolver;
+use Symfony\Component\HttpKernel\Controller\ControllerResolver;
+use Symfony\Component\HttpKernel\EventListener\ExceptionListener;
 use Symfony\Component\HttpKernel\EventListener\RouterListener;
+use Symfony\Component\HttpKernel\EventListener\ValidateRequestListener;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\HttpKernel\HttpKernel;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 use Symfony\Component\Routing\RequestContext;
 
@@ -154,4 +160,26 @@ public function getLoggingParameterData()
             array(array(), 'Matched route "{route}".', array('route' => 'n/a', 'route_parameters' => array(), 'request_uri' => 'http://localhost/', 'method' => 'GET')),
         );
     }
+
+    public function testWithBadRequest()
+    {
+        $requestStack = new RequestStack();
+
+        $requestMatcher = $this->getMock('Symfony\Component\Routing\Matcher\RequestMatcherInterface');
+        $requestMatcher->expects($this->never())->method('matchRequest');
+
+        $dispatcher = new EventDispatcher();
+        $dispatcher->addSubscriber(new ValidateRequestListener());
+        $dispatcher->addSubscriber(new RouterListener($requestMatcher, $requestStack, new RequestContext()));
+        $dispatcher->addSubscriber(new ExceptionListener(function () {
+            return new Response('Exception handled', 400);
+        }));
+
+        $kernel = new HttpKernel($dispatcher, new ControllerResolver(), $requestStack, new ArgumentResolver());
+
+        $request = Request::create('http://localhost/');
+        $request->headers->set('host', '###');
+        $response = $kernel->handle($request);
+        $this->assertSame(400, $response->getStatusCode());
+    }
 }
@@ -18,7 +18,7 @@
     "require": {
         "php": ">=5.5.9",
         "symfony/event-dispatcher": "~2.8|~3.0",
-        "symfony/http-foundation": "~2.8.13|~3.1.6|~3.2",
+        "symfony/http-foundation": "~3.3",
         "symfony/debug": "~2.8|~3.0",
         "psr/log": "~1.0"
     },
Original file line number	Diff line number	Diff line change
`@@ -14,10 +14,8 @@`
`14`	`14`	`/**`
`15`	`15`	`* The HTTP request contains headers with conflicting information.`
`16`	`16`	`*`
`17`		`- * This exception should trigger an HTTP 400 response in your application code.`
`18`		`- *`
`19`	`17`	`* @author Magnus Nordlander <magnus@fervo.se>`
`20`	`18`	`*/`
`21`		`-class ConflictingHeadersException extends \RuntimeException`
	`19`	`+class ConflictingHeadersException extends \UnexpectedValueException implements RequestExceptionInterface`
`22`	`20`	`{`
`23`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@`
`11`	`11`
`12`	`12`	`namespace Symfony\Component\HttpFoundation\Tests;`
`13`	`13`
	`14`	`+use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;`
`14`	`15`	`use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;`
`15`	`16`	`use Symfony\Component\HttpFoundation\Session\Session;`
`16`	`17`	`use Symfony\Component\HttpFoundation\Request;`
`@@ -1871,8 +1872,8 @@ public function testTrustedHosts()`
`1871`	`1872`	`try {`
`1872`	`1873`	`$request->getHost();`
`1873`	`1874`	`$this->fail('Request::getHost() should throw an exception when host is not trusted.');`
`1874`		`- } catch (\UnexpectedValueException $e) {`
`1875`		`- $this->assertEquals('Untrusted Host "evil.com"', $e->getMessage());`
	`1875`	`+ } catch (SuspiciousOperationException $e) {`
	`1876`	`+ $this->assertEquals('Untrusted Host "evil.com".', $e->getMessage());`
`1876`	`1877`	`}`
`1877`	`1878`
`1878`	`1879`	`// trusted hosts`
`@@ -1935,7 +1936,7 @@ public function testHostValidity($host, $isValid, $expectedHost = null, $expecte`
`1935`	`1936`	`$this->assertSame($expectedPort, $request->getPort());`
`1936`	`1937`	`}`
`1937`	`1938`	`} else {`
`1938`		`- $this->setExpectedException('UnexpectedValueException', 'Invalid Host');`
	`1939`	`+ $this->setExpectedException(SuspiciousOperationException::class, 'Invalid Host');`
`1939`	`1940`	`$request->getHost();`
`1940`	`1941`	`}`
`1941`	`1942`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,8 +16,7 @@`
`16`	`16`	`use Symfony\Component\HttpKernel\KernelEvents;`
`17`	`17`
`18`	`18`	`/**`
`19`		`- * Validates that the headers and other information indicating the`
`20`		`- * client IP address of a request are consistent.`
	`19`	`+ * Validates Requests.`
`21`	`20`	`*`
`22`	`21`	`* @author Magnus Nordlander <magnus@fervo.se>`
`23`	`22`	`*/`
`@@ -36,9 +35,10 @@ public function onKernelRequest(GetResponseEvent $event)`
`36`	`35`	`$request = $event->getRequest();`
`37`	`36`
`38`	`37`	`if ($request::getTrustedProxies()) {`
`39`		`- // This will throw an exception if the headers are inconsistent.`
`40`	`38`	`$request->getClientIps();`
`41`	`39`	`}`
	`40`	`+`
	`41`	`+ $request->getHost();`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`/**`