namespace Symfony\Component\HttpFoundation;
use Symfony\Component\HttpFoundation\Exception\ConflictingHeadersException;
+use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
use Symfony\Component\HttpFoundation\Session\SessionInterface;
/**
*/
class Request
{
- const HEADER_FORWARDED = 'forwarded';
- const HEADER_CLIENT_IP = 'client_ip';
- const HEADER_CLIENT_HOST = 'client_host';
- const HEADER_CLIENT_PROTO = 'client_proto';
- const HEADER_CLIENT_PORT = 'client_port';
+ const HEADER_FORWARDED = 0b00001; // When using RFC 7239
+ const HEADER_X_FORWARDED_FOR = 0b00010;
+ const HEADER_X_FORWARDED_HOST = 0b00100;
+ const HEADER_X_FORWARDED_PROTO = 0b01000;
+ const HEADER_X_FORWARDED_PORT = 0b10000;
+ const HEADER_X_FORWARDED_ALL = 0b11110; // All "X-Forwarded-*" headers
+ const HEADER_X_FORWARDED_AWS_ELB = 0b11010; // AWS ELB doesn't send X-Forwarded-Host
+
+ /** @deprecated since version 3.3, to be removed in 4.0 */
+ const HEADER_CLIENT_IP = self::HEADER_X_FORWARDED_FOR;
+ /** @deprecated since version 3.3, to be removed in 4.0 */
+ const HEADER_CLIENT_HOST = self::HEADER_X_FORWARDED_HOST;
+ /** @deprecated since version 3.3, to be removed in 4.0 */
+ const HEADER_CLIENT_PROTO = self::HEADER_X_FORWARDED_PROTO;
+ /** @deprecated since version 3.3, to be removed in 4.0 */
+ const HEADER_CLIENT_PORT = self::HEADER_X_FORWARDED_PORT;
const METHOD_HEAD = 'HEAD';
const METHOD_GET = 'GET';
*
* The other headers are non-standard, but widely used
* by popular reverse proxies (like Apache mod_proxy or Amazon EC2).
+ *
+ * @deprecated since version 3.3, to be removed in 4.0
*/
protected static $trustedHeaders = array(
self::HEADER_FORWARDED => 'FORWARDED',
public $headers;
/**
- * @var string
+ * @var string|resource|false|null
*/
protected $content;
protected static $requestFactory;
+ private $isHostValid = true;
private $isForwardedValid = true;
+ private static $trustedHeaderSet = -1;
+
+ /** @deprecated since version 3.3, to be removed in 4.0 */
+ private static $trustedHeaderNames = array(
+ self::HEADER_FORWARDED => 'FORWARDED',
+ self::HEADER_CLIENT_IP => 'X_FORWARDED_FOR',
+ self::HEADER_CLIENT_HOST => 'X_FORWARDED_HOST',
+ self::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
+ self::HEADER_CLIENT_PORT => 'X_FORWARDED_PORT',
+ );
+
private static $forwardedParams = array(
- self::HEADER_CLIENT_IP => 'for',
- self::HEADER_CLIENT_HOST => 'host',
- self::HEADER_CLIENT_PROTO => 'proto',
- self::HEADER_CLIENT_PORT => 'host',
+ self::HEADER_X_FORWARDED_FOR => 'for',
+ self::HEADER_X_FORWARDED_HOST => 'host',
+ self::HEADER_X_FORWARDED_PROTO => 'proto',
+ self::HEADER_X_FORWARDED_PORT => 'host',
);
/**
- * Constructor.
- *
- * @param array $query The GET parameters
- * @param array $request The POST parameters
- * @param array $attributes The request attributes (parameters parsed from the PATH_INFO, ...)
- * @param array $cookies The COOKIE parameters
- * @param array $files The FILES parameters
- * @param array $server The SERVER parameters
- * @param string|resource $content The raw body data
+ * @param array $query The GET parameters
+ * @param array $request The POST parameters
+ * @param array $attributes The request attributes (parameters parsed from the PATH_INFO, ...)
+ * @param array $cookies The COOKIE parameters
+ * @param array $files The FILES parameters
+ * @param array $server The SERVER parameters
+ * @param string|resource|null $content The raw body data
*/
public function __construct(array $query = array(), array $request = array(), array $attributes = array(), array $cookies = array(), array $files = array(), array $server = array(), $content = null)
{
*
* This method also re-initializes all properties.
*
- * @param array $query The GET parameters
- * @param array $request The POST parameters
- * @param array $attributes The request attributes (parameters parsed from the PATH_INFO, ...)
- * @param array $cookies The COOKIE parameters
- * @param array $files The FILES parameters
- * @param array $server The SERVER parameters
- * @param string|resource $content The raw body data
+ * @param array $query The GET parameters
+ * @param array $request The POST parameters
+ * @param array $attributes The request attributes (parameters parsed from the PATH_INFO, ...)
+ * @param array $cookies The COOKIE parameters
+ * @param array $files The FILES parameters
+ * @param array $server The SERVER parameters
+ * @param string|resource|null $content The raw body data
*/
public function initialize(array $query = array(), array $request = array(), array $attributes = array(), array $cookies = array(), array $files = array(), array $server = array(), $content = null)
{
// stores the Content-Type and Content-Length header values in
// HTTP_CONTENT_TYPE and HTTP_CONTENT_LENGTH fields.
$server = $_SERVER;
- if ('cli-server' === PHP_SAPI) {
+ if ('cli-server' === \PHP_SAPI) {
if (array_key_exists('HTTP_CONTENT_LENGTH', $_SERVER)) {
$server['CONTENT_LENGTH'] = $_SERVER['HTTP_CONTENT_LENGTH'];
}
$request = self::createRequestFromFactory($_GET, $_POST, array(), $_COOKIE, $_FILES, $server);
if (0 === strpos($request->headers->get('CONTENT_TYPE'), 'application/x-www-form-urlencoded')
- && in_array(strtoupper($request->server->get('REQUEST_METHOD', 'GET')), array('PUT', 'DELETE', 'PATCH'))
+ && \in_array(strtoupper($request->server->get('REQUEST_METHOD', 'GET')), array('PUT', 'DELETE', 'PATCH'))
) {
parse_str($request->getContent(), $data);
$request->request = new ParameterBag($data);
* The information contained in the URI always take precedence
* over the other information (server and parameters).
*
- * @param string $uri The URI
- * @param string $method The HTTP method
- * @param array $parameters The query (GET) or request (POST) parameters
- * @param array $cookies The request cookies ($_COOKIE)
- * @param array $files The request files ($_FILES)
- * @param array $server The server parameters ($_SERVER)
- * @param string $content The raw body data
+ * @param string $uri The URI
+ * @param string $method The HTTP method
+ * @param array $parameters The query (GET) or request (POST) parameters
+ * @param array $cookies The request cookies ($_COOKIE)
+ * @param array $files The request files ($_FILES)
+ * @param array $server The server parameters ($_SERVER)
+ * @param string|resource|null $content The raw body data
*
* @return static
*/
if (isset($components['port'])) {
$server['SERVER_PORT'] = $components['port'];
- $server['HTTP_HOST'] = $server['HTTP_HOST'].':'.$components['port'];
+ $server['HTTP_HOST'] .= ':'.$components['port'];
}
if (isset($components['user'])) {
public function duplicate(array $query = null, array $request = null, array $attributes = null, array $cookies = null, array $files = null, array $server = null)
{
$dup = clone $this;
- if ($query !== null) {
+ if (null !== $query) {
$dup->query = new ParameterBag($query);
}
- if ($request !== null) {
+ if (null !== $request) {
$dup->request = new ParameterBag($request);
}
- if ($attributes !== null) {
+ if (null !== $attributes) {
$dup->attributes = new ParameterBag($attributes);
}
- if ($cookies !== null) {
+ if (null !== $cookies) {
$dup->cookies = new ParameterBag($cookies);
}
- if ($files !== null) {
+ if (null !== $files) {
$dup->files = new FileBag($files);
}
- if ($server !== null) {
+ if (null !== $server) {
$dup->server = new ServerBag($server);
$dup->headers = new HeaderBag($dup->server->getHeaders());
}
return trigger_error($e, E_USER_ERROR);
}
+ $cookieHeader = '';
+ $cookies = array();
+
+ foreach ($this->cookies as $k => $v) {
+ $cookies[] = $k.'='.$v;
+ }
+
+ if (!empty($cookies)) {
+ $cookieHeader = 'Cookie: '.implode('; ', $cookies)."\r\n";
+ }
+
return
sprintf('%s %s %s', $this->getMethod(), $this->getRequestUri(), $this->server->get('SERVER_PROTOCOL'))."\r\n".
- $this->headers."\r\n".
+ $this->headers.
+ $cookieHeader."\r\n".
$content;
}
*/
public function overrideGlobals()
{
- $this->server->set('QUERY_STRING', static::normalizeQueryString(http_build_query($this->query->all(), null, '&')));
+ $this->server->set('QUERY_STRING', static::normalizeQueryString(http_build_query($this->query->all(), '', '&')));
$_GET = $this->query->all();
$_POST = $this->request->all();
foreach ($this->headers->all() as $key => $value) {
$key = strtoupper(str_replace('-', '_', $key));
- if (in_array($key, array('CONTENT_TYPE', 'CONTENT_LENGTH'))) {
+ if (\in_array($key, array('CONTENT_TYPE', 'CONTENT_LENGTH'))) {
$_SERVER[$key] = implode(', ', $value);
} else {
$_SERVER['HTTP_'.$key] = implode(', ', $value);
*
* You should only list the reverse proxies that you manage directly.
*
- * @param array $proxies A list of trusted proxies
+ * @param array $proxies A list of trusted proxies
+ * @param int $trustedHeaderSet A bit field of Request::HEADER_*, to set which headers to trust from your proxies
+ *
+ * @throws \InvalidArgumentException When $trustedHeaderSet is invalid
*/
- public static function setTrustedProxies(array $proxies)
+ public static function setTrustedProxies(array $proxies/*, int $trustedHeaderSet*/)
{
self::$trustedProxies = $proxies;
+
+ if (2 > \func_num_args()) {
+ @trigger_error(sprintf('The %s() method expects a bit field of Request::HEADER_* as second argument since Symfony 3.3. Defining it will be required in 4.0. ', __METHOD__), E_USER_DEPRECATED);
+
+ return;
+ }
+ $trustedHeaderSet = (int) func_get_arg(1);
+
+ foreach (self::$trustedHeaderNames as $header => $name) {
+ self::$trustedHeaders[$header] = $header & $trustedHeaderSet ? $name : null;
+ }
+ self::$trustedHeaderSet = $trustedHeaderSet;
}
/**
return self::$trustedProxies;
}
+ /**
+ * Gets the set of trusted headers from trusted proxies.
+ *
+ * @return int A bit field of Request::HEADER_* that defines which headers are trusted from your proxies
+ */
+ public static function getTrustedHeaderSet()
+ {
+ return self::$trustedHeaderSet;
+ }
+
/**
* Sets a list of trusted host patterns.
*
public static function setTrustedHosts(array $hostPatterns)
{
self::$trustedHostPatterns = array_map(function ($hostPattern) {
- return sprintf('#%s#i', $hostPattern);
+ return sprintf('{%s}i', $hostPattern);
}, $hostPatterns);
// we need to reset trusted hosts on trusted host patterns change
self::$trustedHosts = array();
* @param string $value The header name
*
* @throws \InvalidArgumentException
+ *
+ * @deprecated since version 3.3, to be removed in 4.0. Use the $trustedHeaderSet argument of the Request::setTrustedProxies() method instead.
*/
public static function setTrustedHeaderName($key, $value)
{
- if (!array_key_exists($key, self::$trustedHeaders)) {
+ @trigger_error(sprintf('The "%s()" method is deprecated since Symfony 3.3 and will be removed in 4.0. Use the $trustedHeaderSet argument of the Request::setTrustedProxies() method instead.', __METHOD__), E_USER_DEPRECATED);
+
+ if ('forwarded' === $key) {
+ $key = self::HEADER_FORWARDED;
+ } elseif ('client_ip' === $key) {
+ $key = self::HEADER_CLIENT_IP;
+ } elseif ('client_host' === $key) {
+ $key = self::HEADER_CLIENT_HOST;
+ } elseif ('client_proto' === $key) {
+ $key = self::HEADER_CLIENT_PROTO;
+ } elseif ('client_port' === $key) {
+ $key = self::HEADER_CLIENT_PORT;
+ } elseif (!array_key_exists($key, self::$trustedHeaders)) {
throw new \InvalidArgumentException(sprintf('Unable to set the trusted header name for key "%s".', $key));
}
self::$trustedHeaders[$key] = $value;
+
+ if (null !== $value) {
+ self::$trustedHeaderNames[$key] = $value;
+ self::$trustedHeaderSet |= $key;
+ } else {
+ self::$trustedHeaderSet &= ~$key;
+ }
}
/**
* @return string The header name
*
* @throws \InvalidArgumentException
+ *
+ * @deprecated since version 3.3, to be removed in 4.0. Use the Request::getTrustedHeaderSet() method instead.
*/
public static function getTrustedHeaderName($key)
{
+ if (2 > \func_num_args() || func_get_arg(1)) {
+ @trigger_error(sprintf('The "%s()" method is deprecated since Symfony 3.3 and will be removed in 4.0. Use the Request::getTrustedHeaderSet() method instead.', __METHOD__), E_USER_DEPRECATED);
+ }
+
if (!array_key_exists($key, self::$trustedHeaders)) {
throw new \InvalidArgumentException(sprintf('Unable to get the trusted header name for key "%s".', $key));
}
*
* Order of precedence: PATH (routing placeholders or custom attributes), GET, BODY
*
- * @param string $key the key
- * @param mixed $default the default value if the parameter key does not exist
+ * @param string $key The key
+ * @param mixed $default The default value if the parameter key does not exist
*
* @return mixed
*/
* adding the IP address where it received the request from.
*
* If your reverse proxy uses a different header name than "X-Forwarded-For",
- * ("Client-Ip" for instance), configure it via "setTrustedHeaderName()" with
- * the "client-ip" key.
+ * ("Client-Ip" for instance), configure it via the $trustedHeaderSet
+ * argument of the Request::setTrustedProxies() method instead.
*
* @return string|null The client IP address
*
* The "X-Forwarded-Port" header must contain the client port.
*
* If your reverse proxy uses a different header name than "X-Forwarded-Port",
- * configure it via "setTrustedHeaderName()" with the "client-port" key.
+ * configure it via via the $trustedHeaderSet argument of the
+ * Request::setTrustedProxies() method instead.
*
* @return int|string can be a string if fetched from the server bag
*/
return $this->server->get('SERVER_PORT');
}
- if ($host[0] === '[') {
+ if ('[' === $host[0]) {
$pos = strpos($host, ':', strrpos($host, ']'));
} else {
$pos = strrpos($host, ':');
$scheme = $this->getScheme();
$port = $this->getPort();
- if (('http' == $scheme && $port == 80) || ('https' == $scheme && $port == 443)) {
+ if (('http' == $scheme && 80 == $port) || ('https' == $scheme && 443 == $port)) {
return $this->getHost();
}
}
$sourceDirs = explode('/', isset($basePath[0]) && '/' === $basePath[0] ? substr($basePath, 1) : $basePath);
- $targetDirs = explode('/', isset($path[0]) && '/' === $path[0] ? substr($path, 1) : $path);
+ $targetDirs = explode('/', substr($path, 1));
array_pop($sourceDirs);
$targetFile = array_pop($targetDirs);
}
$targetDirs[] = $targetFile;
- $path = str_repeat('../', count($sourceDirs)).implode('/', $targetDirs);
+ $path = str_repeat('../', \count($sourceDirs)).implode('/', $targetDirs);
// A reference to the same base directory or an empty subdirectory must be prefixed with "./".
// This also applies to a segment with a colon character (e.g., "file:colon") that cannot be used
* The "X-Forwarded-Proto" header must contain the protocol: "https" or "http".
*
* If your reverse proxy uses a different header name than "X-Forwarded-Proto"
- * ("SSL_HTTPS" for instance), configure it via "setTrustedHeaderName()" with
- * the "client-proto" key.
+ * ("SSL_HTTPS" for instance), configure it via the $trustedHeaderSet
+ * argument of the Request::setTrustedProxies() method instead.
*
* @return bool
*/
public function isSecure()
{
if ($this->isFromTrustedProxy() && $proto = $this->getTrustedValues(self::HEADER_CLIENT_PROTO)) {
- return in_array(strtolower($proto[0]), array('https', 'on', 'ssl', '1'), true);
+ return \in_array(strtolower($proto[0]), array('https', 'on', 'ssl', '1'), true);
}
$https = $this->server->get('HTTPS');
* The "X-Forwarded-Host" header must contain the client host name.
*
* If your reverse proxy uses a different header name than "X-Forwarded-Host",
- * configure it via "setTrustedHeaderName()" with the "client-host" key.
+ * configure it via the $trustedHeaderSet argument of the
+ * Request::setTrustedProxies() method instead.
*
* @return string
*
- * @throws \UnexpectedValueException when the host name is invalid
+ * @throws SuspiciousOperationException when the host name is invalid or not trusted
*/
public function getHost()
{
// check that it does not contain forbidden characters (see RFC 952 and RFC 2181)
// use preg_replace() instead of preg_match() to prevent DoS attacks with long host names
if ($host && '' !== preg_replace('/(?:^\[)?[a-zA-Z0-9-:\]_]+\.?/', '', $host)) {
- throw new \UnexpectedValueException(sprintf('Invalid Host "%s"', $host));
+ if (!$this->isHostValid) {
+ return '';
+ }
+ $this->isHostValid = false;
+
+ throw new SuspiciousOperationException(sprintf('Invalid Host "%s".', $host));
}
- if (count(self::$trustedHostPatterns) > 0) {
+ if (\count(self::$trustedHostPatterns) > 0) {
// to avoid host header injection attacks, you should provide a list of trusted host patterns
- if (in_array($host, self::$trustedHosts)) {
+ if (\in_array($host, self::$trustedHosts)) {
return $host;
}
}
}
- throw new \UnexpectedValueException(sprintf('Untrusted Host "%s"', $host));
+ if (!$this->isHostValid) {
+ return '';
+ }
+ $this->isHostValid = false;
+
+ throw new SuspiciousOperationException(sprintf('Untrusted Host "%s".', $host));
}
return $host;
if ($method = $this->headers->get('X-HTTP-METHOD-OVERRIDE')) {
$this->method = strtoupper($method);
} elseif (self::$httpMethodParameterOverride) {
- $this->method = strtoupper($this->request->get('_method', $this->query->get('_method', 'POST')));
+ $method = $this->request->get('_method', $this->query->get('_method', 'POST'));
+ if (\is_string($method)) {
+ $this->method = strtoupper($method);
+ }
}
}
}
*
* @param string $format The format
*
- * @return string The associated mime type (null if not found)
+ * @return string|null The associated mime type (null if not found)
*/
public function getMimeType($format)
{
}
foreach (static::$formats as $format => $mimeTypes) {
- if (in_array($mimeType, (array) $mimeTypes)) {
+ if (\in_array($mimeType, (array) $mimeTypes)) {
return $format;
}
- if (null !== $canonicalMimeType && in_array($canonicalMimeType, (array) $mimeTypes)) {
+ if (null !== $canonicalMimeType && \in_array($canonicalMimeType, (array) $mimeTypes)) {
return $format;
}
}
static::initializeFormats();
}
- static::$formats[$format] = is_array($mimeTypes) ? $mimeTypes : array($mimeTypes);
+ static::$formats[$format] = \is_array($mimeTypes) ? $mimeTypes : array($mimeTypes);
}
/**
* * _format request attribute
* * $default
*
- * @param string $default The default format
+ * @param string|null $default The default format
*
* @return string The request format
*/
*/
public function isMethodSafe(/* $andCacheable = true */)
{
- if (!func_num_args() || func_get_arg(0)) {
+ if (!\func_num_args() || func_get_arg(0)) {
// This deprecation should be turned into a BadMethodCallException in 4.0 (without adding the argument in the signature)
// then setting $andCacheable to false should be deprecated in 4.1
- @trigger_error('Checking only for cacheable HTTP methods with Symfony\Component\HttpFoundation\Request::isMethodSafe() is deprecated since version 3.2 and will throw an exception in 4.0. Disable checking only for cacheable methods by calling the method with `false` as first argument or use the Request::isMethodCacheable() instead.', E_USER_DEPRECATED);
+ @trigger_error('Checking only for cacheable HTTP methods with Symfony\Component\HttpFoundation\Request::isMethodSafe() is deprecated since Symfony 3.2 and will throw an exception in 4.0. Disable checking only for cacheable methods by calling the method with `false` as first argument or use the Request::isMethodCacheable() instead.', E_USER_DEPRECATED);
- return in_array($this->getMethod(), array('GET', 'HEAD'));
+ return \in_array($this->getMethod(), array('GET', 'HEAD'));
}
- return in_array($this->getMethod(), array('GET', 'HEAD', 'OPTIONS', 'TRACE'));
+ return \in_array($this->getMethod(), array('GET', 'HEAD', 'OPTIONS', 'TRACE'));
}
/**
*/
public function isMethodIdempotent()
{
- return in_array($this->getMethod(), array('HEAD', 'GET', 'PUT', 'DELETE', 'TRACE', 'OPTIONS', 'PURGE'));
+ return \in_array($this->getMethod(), array('HEAD', 'GET', 'PUT', 'DELETE', 'TRACE', 'OPTIONS', 'PURGE'));
}
/**
*/
public function isMethodCacheable()
{
- return in_array($this->getMethod(), array('GET', 'HEAD'));
+ return \in_array($this->getMethod(), array('GET', 'HEAD'));
+ }
+
+ /**
+ * Returns the protocol version.
+ *
+ * If the application is behind a proxy, the protocol version used in the
+ * requests between the client and the proxy and between the proxy and the
+ * server might be different. This returns the former (from the "Via" header)
+ * if the proxy is trusted (see "setTrustedProxies()"), otherwise it returns
+ * the latter (from the "SERVER_PROTOCOL" server parameter).
+ *
+ * @return string
+ */
+ public function getProtocolVersion()
+ {
+ if ($this->isFromTrustedProxy()) {
+ preg_match('~^(HTTP/)?([1-9]\.[0-9]) ~', $this->headers->get('Via'), $matches);
+
+ if ($matches) {
+ return 'HTTP/'.$matches[2];
+ }
+ }
+
+ return $this->server->get('SERVER_PROTOCOL');
}
/**
*/
public function getContent($asResource = false)
{
- $currentContentIsResource = is_resource($this->content);
+ $currentContentIsResource = \is_resource($this->content);
if (\PHP_VERSION_ID < 50600 && false === $this->content) {
throw new \LogicException('getContent() can only be called once when using the resource return type and PHP below 5.6.');
}
}
// Content passed in parameter (test)
- if (is_string($this->content)) {
+ if (\is_string($this->content)) {
$resource = fopen('php://temp', 'r+');
fwrite($resource, $this->content);
rewind($resource);
$extendedPreferredLanguages[] = $language;
if (false !== $position = strpos($language, '_')) {
$superLanguage = substr($language, 0, $position);
- if (!in_array($superLanguage, $preferredLanguages)) {
+ if (!\in_array($superLanguage, $preferredLanguages)) {
$extendedPreferredLanguages[] = $superLanguage;
}
}
// Language not listed in ISO 639 that are not variants
// of any listed language, which can be registered with the
// i-prefix, such as i-cherokee
- if (count($codes) > 1) {
+ if (\count($codes) > 1) {
$lang = $codes[1];
}
} else {
- for ($i = 0, $max = count($codes); $i < $max; ++$i) {
- if ($i === 0) {
+ for ($i = 0, $max = \count($codes); $i < $max; ++$i) {
+ if (0 === $i) {
$lang = strtolower($codes[0]);
} else {
$lang .= '_'.strtoupper($codes[$i]);
{
$requestUri = '';
- if ($this->headers->has('X_ORIGINAL_URL')) {
- // IIS with Microsoft Rewrite Module
- $requestUri = $this->headers->get('X_ORIGINAL_URL');
- $this->headers->remove('X_ORIGINAL_URL');
- $this->server->remove('HTTP_X_ORIGINAL_URL');
- $this->server->remove('UNENCODED_URL');
- $this->server->remove('IIS_WasUrlRewritten');
- } elseif ($this->headers->has('X_REWRITE_URL')) {
- // IIS with ISAPI_Rewrite
- $requestUri = $this->headers->get('X_REWRITE_URL');
- $this->headers->remove('X_REWRITE_URL');
- } elseif ($this->server->get('IIS_WasUrlRewritten') == '1' && $this->server->get('UNENCODED_URL') != '') {
+ if ('1' == $this->server->get('IIS_WasUrlRewritten') && '' != $this->server->get('UNENCODED_URL')) {
// IIS7 with URL Rewrite: make sure we get the unencoded URL (double slash problem)
$requestUri = $this->server->get('UNENCODED_URL');
$this->server->remove('UNENCODED_URL');
$requestUri = $this->server->get('REQUEST_URI');
// HTTP proxy reqs setup request URI with scheme and host [and port] + the URL path, only use URL path
$schemeAndHttpHost = $this->getSchemeAndHttpHost();
- if (strpos($requestUri, $schemeAndHttpHost) === 0) {
- $requestUri = substr($requestUri, strlen($schemeAndHttpHost));
+ if (0 === strpos($requestUri, $schemeAndHttpHost)) {
+ $requestUri = substr($requestUri, \strlen($schemeAndHttpHost));
}
} elseif ($this->server->has('ORIG_PATH_INFO')) {
// IIS 5.0, PHP as CGI
$segs = explode('/', trim($file, '/'));
$segs = array_reverse($segs);
$index = 0;
- $last = count($segs);
+ $last = \count($segs);
$baseUrl = '';
do {
$seg = $segs[$index];
// Does the baseUrl have anything in common with the request_uri?
$requestUri = $this->getRequestUri();
- if ($requestUri !== '' && $requestUri[0] !== '/') {
+ if ('' !== $requestUri && '/' !== $requestUri[0]) {
$requestUri = '/'.$requestUri;
}
return $prefix;
}
- if ($baseUrl && false !== $prefix = $this->getUrlencodedPrefix($requestUri, rtrim(dirname($baseUrl), '/'.DIRECTORY_SEPARATOR).'/')) {
+ if ($baseUrl && false !== $prefix = $this->getUrlencodedPrefix($requestUri, rtrim(\dirname($baseUrl), '/'.\DIRECTORY_SEPARATOR).'/')) {
// directory portion of $baseUrl matches
- return rtrim($prefix, '/'.DIRECTORY_SEPARATOR);
+ return rtrim($prefix, '/'.\DIRECTORY_SEPARATOR);
}
$truncatedRequestUri = $requestUri;
// If using mod_rewrite or ISAPI_Rewrite strip the script filename
// out of baseUrl. $pos !== 0 makes sure it is not matching a value
// from PATH_INFO or QUERY_STRING
- if (strlen($requestUri) >= strlen($baseUrl) && (false !== $pos = strpos($requestUri, $baseUrl)) && $pos !== 0) {
- $baseUrl = substr($requestUri, 0, $pos + strlen($baseUrl));
+ if (\strlen($requestUri) >= \strlen($baseUrl) && (false !== $pos = strpos($requestUri, $baseUrl)) && 0 !== $pos) {
+ $baseUrl = substr($requestUri, 0, $pos + \strlen($baseUrl));
}
- return rtrim($baseUrl, '/'.DIRECTORY_SEPARATOR);
+ return rtrim($baseUrl, '/'.\DIRECTORY_SEPARATOR);
}
/**
*/
protected function prepareBasePath()
{
- $filename = basename($this->server->get('SCRIPT_FILENAME'));
$baseUrl = $this->getBaseUrl();
if (empty($baseUrl)) {
return '';
}
+ $filename = basename($this->server->get('SCRIPT_FILENAME'));
if (basename($baseUrl) === $filename) {
- $basePath = dirname($baseUrl);
+ $basePath = \dirname($baseUrl);
} else {
$basePath = $baseUrl;
}
- if ('\\' === DIRECTORY_SEPARATOR) {
+ if ('\\' === \DIRECTORY_SEPARATOR) {
$basePath = str_replace('\\', '/', $basePath);
}
*/
protected function preparePathInfo()
{
- $baseUrl = $this->getBaseUrl();
-
if (null === ($requestUri = $this->getRequestUri())) {
return '/';
}
if (false !== $pos = strpos($requestUri, '?')) {
$requestUri = substr($requestUri, 0, $pos);
}
- if ($requestUri !== '' && $requestUri[0] !== '/') {
+ if ('' !== $requestUri && '/' !== $requestUri[0]) {
$requestUri = '/'.$requestUri;
}
- $pathInfo = substr($requestUri, strlen($baseUrl));
- if (null !== $baseUrl && (false === $pathInfo || '' === $pathInfo)) {
+ if (null === ($baseUrl = $this->getBaseUrl())) {
+ return $requestUri;
+ }
+
+ $pathInfo = substr($requestUri, \strlen($baseUrl));
+ if (false === $pathInfo || '' === $pathInfo) {
// If substr() returns false then PATH_INFO is set to an empty string
return '/';
- } elseif (null === $baseUrl) {
- return $requestUri;
}
return (string) $pathInfo;
'js' => array('application/javascript', 'application/x-javascript', 'text/javascript'),
'css' => array('text/css'),
'json' => array('application/json', 'application/x-json'),
+ 'jsonld' => array('application/ld+json'),
'xml' => array('text/xml', 'application/xml', 'application/x-xml'),
'rdf' => array('application/rdf+xml'),
'atom' => array('application/atom+xml'),
return false;
}
- $len = strlen($prefix);
+ $len = \strlen($prefix);
if (preg_match(sprintf('#^(%%[[:xdigit:]]{2}|.){%d}#', $len), $string, $match)) {
return $match[0];
private static function createRequestFromFactory(array $query = array(), array $request = array(), array $attributes = array(), array $cookies = array(), array $files = array(), array $server = array(), $content = null)
{
if (self::$requestFactory) {
- $request = call_user_func(self::$requestFactory, $query, $request, $attributes, $cookies, $files, $server, $content);
+ $request = \call_user_func(self::$requestFactory, $query, $request, $attributes, $cookies, $files, $server, $content);
if (!$request instanceof self) {
throw new \LogicException('The Request factory must return an instance of Symfony\Component\HttpFoundation\Request.');
if (self::$trustedHeaders[self::HEADER_FORWARDED] && $this->headers->has(self::$trustedHeaders[self::HEADER_FORWARDED])) {
$forwardedValues = $this->headers->get(self::$trustedHeaders[self::HEADER_FORWARDED]);
- $forwardedValues = preg_match_all(sprintf('{(?:%s)=(?:"?\[?)([a-zA-Z0-9\.:_\-/]*+)}', self::$forwardedParams[$type]), $forwardedValues, $matches) ? $matches[1] : array();
+ $forwardedValues = preg_match_all(sprintf('{(?:%s)="?([a-zA-Z0-9\.:_\-/\[\]]*+)}', self::$forwardedParams[$type]), $forwardedValues, $matches) ? $matches[1] : array();
+ if (self::HEADER_CLIENT_PORT === $type) {
+ foreach ($forwardedValues as $k => $v) {
+ if (']' === substr($v, -1) || false === $v = strrchr($v, ':')) {
+ $v = $this->isSecure() ? ':443' : ':80';
+ }
+ $forwardedValues[$k] = '0.0.0.0'.$v;
+ }
+ }
}
if (null !== $ip) {
$firstTrustedIp = null;
foreach ($clientIps as $key => $clientIp) {
- // Remove port (unfortunately, it does happen)
- if (preg_match('{((?:\d+\.){3}\d+)\:\d+}', $clientIp, $match)) {
- $clientIps[$key] = $clientIp = $match[1];
+ if (strpos($clientIp, '.')) {
+ // Strip :port from IPv4 addresses. This is allowed in Forwarded
+ // and may occur in X-Forwarded-For.
+ $i = strpos($clientIp, ':');
+ if ($i) {
+ $clientIps[$key] = $clientIp = substr($clientIp, 0, $i);
+ }
+ } elseif (0 === strpos($clientIp, '[')) {
+ // Strip brackets and :port from IPv6 addresses.
+ $i = strpos($clientIp, ']', 1);
+ $clientIps[$key] = $clientIp = substr($clientIp, 1, $i - 1);
}
if (!filter_var($clientIp, FILTER_VALIDATE_IP)) {