8000 [HttpFoundation] Warning when request has both Forwarded and X-Forwarded-For by magnusnordlander · Pull Request #18688 · symfony/symfony · GitHub

[HttpFoundation] Warning when request has both Forwarded and X-Forwarded-For #18688


Emit a warning when a request has both a trusted
Forwarded header and a trusted X-Forwarded-For
header, as this is most likely a misconfiguration
which causes security flaws.
magnusnordlander committed May 2, 2016
commit 4c262d4aedd0242929eb1d92f8e14d8ef52146b6
11 changes: 9 additions & 2 deletions src/Symfony/Component/HttpFoundation/Request.php
Expand Up @@ -805,11 +805,18 @@ public function getClientIps()
return array($ip);
}

if (self::$trustedHeaders[self::HEADER_FORWARDED] && $this->headers->has(self::$trustedHeaders[self::HEADER_FORWARDED])) {
$hasTrustedForwardedHeader = self::$trustedHeaders[self::HEADER_FORWARDED] && $this->headers->has(self::$trustedHeaders[self::HEADER_FORWARDED]);
$hasTrustedClientIpHeader = self::$trustedHeaders[self::HEADER_CLIENT_IP] && $this->headers->has(self::$trustedHeaders[self::HEADER_CLIENT_IP]);

if ($hasTrustedForwardedHeader && $hasTrustedClientIpHeader) {
trigger_error("The request has both a trusted Forwarded header and a trusted Client IP header. This is likely a misconfiguration. You should either configure your proxy only to send one of these headers, or configure Symfony to distrust one of them. When both headers are set and trusted, this method returns only IPs from the Forwarded header.", E_USER_WARNING);
}

if ($hasTrustedForwardedHeader) {
$forwardedHeader = $this->headers->get(self::$trustedHeaders[self::HEADER_FORWARDED]);
preg_match_all('{(for)=("?\[?)([a-z0-9\.:_\-/]*)}', $forwardedHeader, $matches);
$clientIps = $matches[3];
} elseif (self::$trustedHeaders[self::HEADER_CLIENT_IP] && $this->headers->has(self::$trustedHeaders[self::HEADER_CLIENT_IP])) {
} elseif ($hasTrustedClientIpHeader) {
$clientIps = array_map('trim', explode(',', $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_IP])));
}

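Review bot: After the new trigger_error the method still falls into the `if ($hasTrustedForwardedHeader)` branch and returns the Forwarded-derived list, so the combination the warning calls a misconfiguration remains exploitable: a proxy that sets only X-Forwarded-For and passes a client-supplied Forwarded header through lets the client pick the IPs this method returns, and the same client can fire the E_USER_WARNING on every request (log noise, and, depending on the installed error handler, possibly an exception). Both `$hasTrusted*` flags only say the header name is configured and present; nothing checks whether the two headers agree, yet agreeing headers are harmless and disagreeing ones are the actual attack signal. I would parse both lists when both headers are trusted, treat the request as conflicting only when they differ, and in that case fail closed (warn, then `return array($ip);` — presumably the REMOTE_ADDR value returned at the top of the hunk, set outside it) instead of preferring Forwarded; the warning text on the trigger_error line should then say that conflicting headers are rejected rather than that Forwarded wins. getClientIps starts before and ends after this hunk.
```php
$hasTrustedForwardedHeader = self::$trustedHeaders[self::HEADER_FORWARDED] && $this->headers->has(self::$trustedHeaders[self::HEADER_FORWARDED]);
$hasTrustedClientIpHeader = self::$trustedHeaders[self::HEADER_CLIENT_IP] && $this->headers->has(self::$trustedHeaders[self::HEADER_CLIENT_IP]);

$forwardedIps = $xForwardedIps = null;
if ($hasTrustedForwardedHeader) {
    preg_match_all('{(for)=("?\[?)([a-z0-9\.:_\-/]*)}', $this->headers->get(self::$trustedHeaders[self::HEADER_FORWARDED]), $matches);
    $forwardedIps = $matches[3];
}
if ($hasTrustedClientIpHeader) {
    $xForwardedIps = array_map('trim', explode(',', $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_IP])));
}

// Both headers present but disagreeing: one of them is not set by the proxy
// and is therefore client-controlled. Fail closed instead of picking a winner.
if (null !== $forwardedIps && null !== $xForwardedIps && $forwardedIps !== $xForwardedIps) {
    trigger_error('The request has both a trusted Forwarded header and a trusted Client IP header with conflicting values. This is likely a misconfiguration; the headers are ignored and only the remote address is returned.', E_USER_WARNING);

    return array($ip);
}

$clientIps = null !== $forwardedIps ? $forwardedIps : $xForwardedIps;
// … unchanged: remainder of getClientIps …
```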