
Commit cc28bac

[FrameworkBundle][HttpKernel] Add support for SYMFONY_TRUSTED_PROXIES, SYMFONY_TRUSTED_HEADERS, SYMFONY_TRUST_X_SENDFILE_TYPE_HEADER and SYMFONY_TRUSTED_HOSTS env vars
1 parent 5209da2 commit cc28bac


3 files changed

+42
-3
lines changed


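--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ CHANGELOG
 
 * Remove `@internal` flag and add `@final` to `ServicesResetter`
 * Add support for `SYMFONY_DISABLE_RESOURCE_TRACKING` env var
+* Add support for configuring trusted proxies/headers/hosts via env vars
 
 7.1
 ---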

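--- a/Kernel.php
+++ b/Kernel.php
@@ -393,7 +393,7 @@ protected function initializeContainer(): void
 $class = $this->getContainerClass();
 $buildDir = $this->warmupDir ?: $this->getBuildDir();
 $skip = $_SERVER['SYMFONY_DISABLE_RESOURCE_TRACKING'] ?? '';
-$skip = filter_var($skip, \FILTER_VALIDATE_BOOLEAN, \FILTER_NULL_ON_FAILURE) ?? explode(',', $skip);
+$skip = filter_var($skip, \FILTER_VALIDATE_BOOLEAN, \FILTER_NULL_ON_FAILURE) ?? explode(',', $skip);
 $cache = new ConfigCache($buildDir.'/'.$class.'.php', $this->debug, null, \is_array($skip) && ['*'] !== $skip ? $skip : ($skip ? [] : null));
 
 $cachePath = $cache->getPath();
@@ -745,11 +745,30 @@ private function preBoot(): ContainerInterface
 $container = $this->container;
 
 if ($container->hasParameter('kernel.trusted_hosts') && $trustedHosts = $container->getParameter('kernel.trusted_hosts')) {
-Request::setTrustedHosts($trustedHosts);
+Request::setTrustedHosts(\is_array($trustedHosts) ? $trustedHosts : preg_split('/\s*+,\s*+(?![^{]*})/', $trustedHosts));
 }
 
 if ($container->hasParameter('kernel.trusted_proxies') && $container->hasParameter('kernel.trusted_headers') && $trustedProxies = $container->getParameter('kernel.trusted_proxies')) {
-Request::setTrustedProxies(\is_array($trustedProxies) ? $trustedProxies : array_map('trim', explode(',', $trustedProxies)), $container->getParameter('kernel.trusted_headers'));
+$trustedHeaders = $container->getParameter('kernel.trusted_headers');
+
+if (\is_string($trustedHeaders)) {
+$trustedHeaders = array_map('trim', explode(',', $trustedHeaders));
+}
+
+if (\is_array($trustedHeaders)) {
+$trustedHeaderSet = 0;
+
+foreach ($trustedHeaders as $header) {
+if (!\defined($const = Request::class.'::HEADER_'.strtr(strtoupper($header), '-', '_'))) {
+throw new \InvalidArgumentException(\sprintf('The trusted header "%s" is not supported.', $header));
+}
+$trustedHeaderSet |= \constant($const);
+}
+} else {
+$trustedHeaderSet = $trustedHeaders ?? (Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO);
+}
+
+Request::setTrustedProxies(\is_array($trustedProxies) ? $trustedProxies : array_map('trim', explode(',', $trustedProxies)), $trustedHeaderSet);
 }
 
 return $container;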
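Review bot: The comma split of `kernel.trusted_hosts` on new line 748 keeps empty entries, so a value with a trailing or doubled comma hands an empty host pattern to `Request::setTrustedHosts()`. The test in this commit shows each pattern being wrapped as `{...}i`; an empty entry would presumably become `{}i`, which as a regex matches any string and would quietly turn the host allow-list into allow-all. Dropping empty entries avoids that: `preg_split('/\s*+,\s*+(?![^{]*})/', trim($trustedHosts), -1, \PREG_SPLIT_NO_EMPTY)`. The header list a few lines below fails closed on the same kind of input (an empty entry throws), so the two parsers would then behave consistently; a short comment above the regex noting that commas inside `{m,n}` quantifiers are not separators would also help. preBoot()'s body starts and ends outside the hunk.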

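--- a/Tests/KernelTest.php
+++ b/Tests/KernelTest.php
@@ -523,6 +523,25 @@ public function getContainerClass(): string
 $this->assertMatchesRegularExpression('/^[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*TestDebugContainer$/', $kernel->getContainerClass());
 }
 
+public function testTrustedParameters()
+{
+$kernel = new CustomProjectDirKernel(function (ContainerBuilder $container) {
+$container->setParameter('kernel.trusted_hosts', '^a{2,3}.com$, ^b{2,}.com$');
+$container->setParameter('kernel.trusted_proxies', 'a,b');
+$container->setParameter('kernel.trusted_headers', 'x-forwarded-for');
+});
+$kernel->boot();
+
+try {
+$this->assertSame(['{^a{2,3}.com$}i', '{^b{2,}.com$}i'], Request::getTrustedHosts());
+$this->assertSame(['a', 'b'], Request::getTrustedProxies());
+$this->assertSame(Request::HEADER_X_FORWARDED_FOR, Request::getTrustedHeaderSet());
+} finally {
+Request::setTrustedHosts([]);
+Request::setTrustedProxies([], 0);
+}
+}
+
 /**
 * Returns a mock for the BundleInterface.
 */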
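Review bot: `$kernel->boot()` on new line 533 runs before the `try`, so if booting throws after `Request::setTrustedHosts()` has already been applied, the static trusted-host state is never reset and leaks into later tests; moving the call inside the `try` keeps the `finally` cleanup effective. The test also exercises only the well-formed comma-separated string form. A case expecting `\InvalidArgumentException` for an unsupported header name, and one with a trailing comma in `kernel.trusted_hosts`, would pin how the new parsing behaves on malformed env values. The enclosing test class starts outside the hunk.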
