symfony
diff --git a/‎UPGRADE-3.3.md
Lines changed: 10 additions & 0 deletions b/‎UPGRADE-3.3.md
Lines changed: 10 additions & 0 deletions
diff --git a/‎UPGRADE-4.0.md
Lines changed: 9 additions & 0 deletions b/‎UPGRADE-4.0.md
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/Symfony/Bridge/Monolog/Tests/Processor/WebProcessorTest.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bridge/Monolog/Tests/Processor/WebProcessorTest.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/FrameworkBundle.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/FrameworkBundle/FrameworkBundle.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Component/HttpFoundation/CHANGELOG.md
Lines changed: 2 additions & 0 deletions b/‎src/Symfony/Component/HttpFoundation/CHANGELOG.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Request.php
Lines changed: 69 additions & 7 deletions b/‎src/Symfony/Component/HttpFoundation/Request.php
Lines changed: 69 additions & 7 deletions
@@ -166,6 +166,16 @@ FrameworkBundle
    class has been deprecated and will be removed in 4.0. Use the 
    `Symfony\Component\Routing\DependencyInjection\RoutingResolverPass` class instead.
 
+HttpFoundation
+--------------
+
+ * The `Request::setTrustedProxies()` method takes a new `$trustedHeaderSet` argument - not setting it is deprecated.
+   Set it to `Request::HEADER_FORWARDED` if your reverse-proxy uses the RFC7239 `Forwarded` header,
+   or to `Request::HEADER_X_FORWARDED_ALL` if it is using `X-Forwarded-*` headers instead.
+
+ * The `Request::setTrustedHeaderName()` and `Request::getTrustedHeaderName()` methods are deprecated,
+   use the RFC7239 `Forwarded` header, or the `X-Forwarded-*` headers instead.
+
 HttpKernel
 -----------
 
 
@@ -274,6 +274,15 @@ FrameworkBundle
 HttpFoundation
 ---------------
 
+HttpFoundation
+--------------
+
+ * The `Request::setTrustedProxies()` method takes a new `$trustedHeaderSet` argument.
+   Set it to `Request::HEADER_FORWARDED` if your reverse-proxy uses the RFC7239 `Forwarded` header,
+   or to `Request::HEADER_X_FORWARDED_ALL` if it is using `X-Forwarded-*` headers instead.
+
+ * The `Request::setTrustedHeaderName()` and `Request::getTrustedHeaderName()` methods have been removed.
+
  * Extending the following methods of `Response`
    is no longer possible (these methods are now `final`):
 
 
@@ -36,7 +36,7 @@ public function testUsesRequestServerData()
 
     public function testUseRequestClientIp()
     {
-        Request::setTrustedProxies(array('192.168.0.1'));
+        Request::setTrustedProxies(array('192.168.0.1'), Request::HEADER_X_FORWARDED_ALL);
         list($event, $server) = $this->createRequestEvent(array('X_FORWARDED_FOR' => '192.168.0.2'));
 
         $processor = new WebProcessor();
 
@@ -18,6 +18,7 @@
 use Symfony\Component\Config\Definition\Builder\TreeBuilder;
 use Symfony\Component\Config\Definition\ConfigurationInterface;
 use Symfony\Component\Form\Form;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Serializer\Serializer;
 use Symfony\Component\Translation\Translator;
 use Symfony\Component\Validator\Validation;
 
@@ -60,7 +60,7 @@ public function boot()
         ErrorHandler::register(null, false)->throwAt($this->container->getParameter('debug.error_handler.throw_at'), true);
 
         if ($trustedProxies = $this->container->getParameter('kernel.trusted_proxies')) {
-            Request::setTrustedProxies($trustedProxies);
+            Request::setTrustedProxies($trustedProxies, Request::getTrustedHeaderSet());
         }
 
         if ($this->container->getParameter('kernel.http_method_override')) {
 
@@ -4,6 +4,8 @@ CHANGELOG
 3.3.0
 -----
 
+ * added `$trustedHeaderSet` argument to `Request::setTrustedProxies()` - deprecate not setting it,
+ * deprecated the `Request::setTrustedHeaderName()` and `Request::getTrustedHeaderName()` methods,
  * added `File\Stream`, to be passed to `BinaryFileResponse` when the size of the served file is unknown,
    disabling `Range` and `Content-Length` handling, switching to chunked encoding instead
  * added the `Cookie::fromString()` method that allows to create a cookie from a
 
@@ -30,11 +30,21 @@
  */
 class Request
 {
-    const HEADER_FORWARDED = 'forwarded';
-    const HEADER_CLIENT_IP = 'client_ip';
-    const HEADER_CLIENT_HOST = 'client_host';
-    const HEADER_CLIENT_PROTO = 'client_proto';
-    const HEADER_CLIENT_PORT = 'client_port';
+    const HEADER_FORWARDED = 0b00001;
+    const HEADER_X_FORWARDED_ALL = 0b11110;
+    const HEADER_X_FORWARDED_FOR = 2;
+    const HEADER_X_FORWARDED_HOST = 4;
+    const HEADER_X_FORWARDED_PROTO = 8;
+    const HEADER_X_FORWARDED_PORT = 16;
+
+    /** @deprecated since version 3.3, to be removed in 4.0 */
+    const HEADER_CLIENT_IP = self::HEADER_X_FORWARDED_FOR;
+    /** @deprecated since version 3.3, to be removed in 4.0 */
+    const HEADER_CLIENT_HOST = self::HEADER_X_FORWARDED_HOST;
+    /** @deprecated since version 3.3, to be removed in 4.0 */
+    const HEADER_CLIENT_PROTO = self::HEADER_X_FORWARDED_PROTO;
+    /** @deprecated since version 3.3, to be removed in 4.0 */
+    const HEADER_CLIENT_PORT = self::HEADER_X_FORWARDED_PORT;
 
     const METHOD_HEAD = 'HEAD';
     const METHOD_GET = 'GET';
@@ -70,6 +80,8 @@ class Request
      *
      * The other headers are non-standard, but widely used
      * by popular reverse proxies (like Apache mod_proxy or Amazon EC2).
+     *
+     * @deprecated since version 3.3, to be removed in 4.0
      */
     protected static $trustedHeaders = array(
         self::HEADER_FORWARDED => 'FORWARDED',
@@ -210,6 +222,17 @@ class Request
     private $isHostValid = true;
     private $isClientIpsValid = true;
 
+    private static $trustedHeaderSet = -1;
+
+    /** @deprecated since version 3.3, to be removed in 4.0 */
+    private static $trustedHeaderNames = array(
+        self::HEADER_FORWARDED => 'FORWARDED',
+        self::HEADER_CLIENT_IP => 'X_FORWARDED_FOR',
+        self::HEADER_CLIENT_HOST => 'X_FORWARDED_HOST',
+        self::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
+        self::HEADER_CLIENT_PORT => 'X_FORWARDED_PORT',
+    );
+
     /**
      * Constructor.
      *
@@ -548,11 +571,26 @@ public function overrideGlobals()
      *
      * You should only list the reverse proxies that you manage directly.
      *
-     * @param array $proxies A list of trusted proxies
+     * @param array $proxies          A list of trusted proxies
+     * @param int   $trustedHeaderSet A bit field of Request::HEADER_*, usually either Request::HEADER_FORWARDED or Request::HEADER_X_FORWARDED_ALL, to set which headers to trust from your proxies
+     *
+     * @throws \InvalidArgumentException When $trustedHeaderSet is invalid
      */
-    public static function setTrustedProxies(array $proxies)
+    public static function setTrustedProxies(array $proxies/*, int $trustedHeaderSet*/)
     {
         self::$trustedProxies = $proxies;
+
+        if (2 > func_num_args()) {
+            @trigger_error(sprintf('The %s() method expects a bit field of Request::HEADER_* as second argument. Not defining it is deprecated since version 3.3 and will be required in 4.0.', __METHOD__), E_USER_DEPRECATED);
+
+            return;
+        }
+        $trustedHeaderSet = func_get_arg(1);
+
+        foreach (self::$trustedHeaderNames as $header => $name) {
+            self::$trustedHeaders[$header] = $header & $trustedHeaderSet ? $name : null;
+        }
+        self::$trustedHeaderSet = $trustedHeaderSet;
     }
 
     /**
@@ -565,6 +603,16 @@ public static function getTrustedProxies()
         return self::$trustedProxies;
     }
 
+    /**
+     * Gets the set of trusted headers from trusted proxies.
+     *
+     * @return int A bit field of Request::HEADER_* that defines which headers are trusted from your proxies
+     */
+    public static function getTrustedHeaderSet()
+    {
+        return self::$trustedHeaderSet;
+    }
+
     /**
      * Sets a list of trusted host patterns.
      *
@@ -608,14 +656,22 @@ public static function getTrustedHosts()
      * @param string $value The header name
      *
      * @throws \InvalidArgumentException
+     *
+     * @deprecated since version 3.3, to be removed in 4.0. Use "X-Forwarded-*" headers or the "Forwarded" header defined in RFC7239, and the $trustedHeaderSet argument of the Request::setTrustedProxies() method instead.
      */
     public static function setTrustedHeaderName($key, $value)
     {
+        @trigger_error(sprintf('The "%s()" method is deprecated since version 3.3 and will be removed in 4.0. Use "X-Forwarded-*" headers or the "Forwarded" header defined in RFC7239, and the $trustedHeaderSet argument of the Request::setTrustedProxies() method instead.', __METHOD__), E_USER_DEPRECATED);
+
         if (!array_key_exists($key, self::$trustedHeaders)) {
             throw new \InvalidArgumentException(sprintf('Unable to set the trusted header name for key "%s".', $key));
         }
 
         self::$trustedHeaders[$key] = $value;
+
+        if (null !== $value) {
+            self::$trustedHeaderNames[$key] = $value;
+        }
     }
 
     /**
@@ -626,9 +682,15 @@ public static function setTrustedHeaderName($key, $value)
      * @return string The header name
      *
      * @throws \InvalidArgumentException
+     *
+     * @deprecated since version 3.3, to be removed in 4.0. Use the Request::getTrustedHeaderSet() method instead.
      */
     public static function getTrustedHeaderName($key)
     {
+        if (2 > func_num_args() || func_get_arg(1)) {
+            @trigger_error(sprintf('The "%s()" method is deprecated since version 3.3 and will be removed in 4.0. Use the Request::getTrustedHeaderSet() method instead.', __METHOD__), E_USER_DEPRECATED);
+        }
+
         if (!array_key_exists($key, self::$trustedHeaders)) {
             throw new \InvalidArgumentException(sprintf('Unable to get the trusted header name for key "%s".', $key));
         }
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ public function testUsesRequestServerData()`
`36`	`36`
`37`	`37`	`public function testUseRequestClientIp()`
`38`	`38`	`{`
`39`		`- Request::setTrustedProxies(array('192.168.0.1'));`
	`39`	`+ Request::setTrustedProxies(array('192.168.0.1'), Request::HEADER_X_FORWARDED_ALL);`
`40`	`40`	`list($event, $server) = $this->createRequestEvent(array('X_FORWARDED_FOR' => '192.168.0.2'));`
`41`	`41`
`42`	`42`	`$processor = new WebProcessor();`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ public function boot()`
`60`	`60`	`ErrorHandler::register(null, false)->throwAt($this->container->getParameter('debug.error_handler.throw_at'), true);`
`61`	`61`
`62`	`62`	`if ($trustedProxies = $this->container->getParameter('kernel.trusted_proxies')) {`
`63`		`- Request::setTrustedProxies($trustedProxies);`
	`63`	`+ Request::setTrustedProxies($trustedProxies, Request::getTrustedHeaderSet());`
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`if ($this->container->getParameter('kernel.http_method_override')) {`