feature #38954 [HttpFundation][FrameworkBundle] Deprecate the HEADER_X_FORWARDED_ALL constant (jderusse)

This PR was merged into the 5.2-dev branch.

Discussion
----------

[HttpFundation][FrameworkBundle] Deprecate the HEADER_X_FORWARDED_ALL constant

| Q             | A
| ------------- | ---
| Branch?       | 5.x
| Bug fix?      | no
| New feature?  | no
| Deprecations? | yes
| Tickets       | -
| License       | MIT
| Doc PR        | TODO

The `HEADER_X_FORWARDED_ALL` implicitly trust the `x-forwarded-host` header, leading to possible host header attack (as warned in the [documentation](https://symfony.com/doc/current/reference/configuration/framework.html#trusted-hosts).)

Moreover, this `HEADER_X_FORWARDED_ALL` does not really fowards **all** headers, as ti does not supports `X-Forwarded-Prefix` headers.

This PR deprecate the constant and the new framework bundle configuration. It will be removed in 6.0. People have to use: either:
- `Request::setTrustedProxies(['1.2.3.4'], Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO);`
- `Request::setTrustedProxies(['1.2.3.4'], Request::HEADER_X_FORWARDED_TRAEFIK);`
- `framework.trusted_headers: [x-forwarded-for, x-forwarded-host, x-forwarded-port, x-forwarded-proto]`

Commits
-------

7cf4dd6917 Deprecate HEADER_X_FORWARDED_ALL constant

Author: fabpot

DependencyInjection/Configuration.php

@@ -92,13 +92,12 @@ public function getConfigTreeBuilder()
                 ->arrayNode('trusted_headers')
                     ->fixXmlConfig('trusted_header')
                     ->performNoDeepMerging()
-                    ->defaultValue(['x-forwarded-all', '!x-forwarded-host', '!x-forwarded-prefix'])
+                    ->defaultValue(['x-forwarded-for', 'x-forwarded-port', 'x-forwarded-proto'])
                     ->beforeNormalization()->ifString()->then(function ($v) { return $v ? array_map('trim', explode(',', $v)) : []; })->end()
                     ->enumPrototype()
                         ->values([
                             'forwarded',
                             'x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port',
-                            'x-forwarded-all', '!x-forwarded-host', '!x-forwarded-prefix',
                         ])
                     ->end()
                 ->end()

DependencyInjection/FrameworkExtension.php

@@ -2294,13 +2294,6 @@ private function resolveTrustedHeaders(array $headers): int
                 case 'x-forwarded-host': $trustedHeaders |= Request::HEADER_X_FORWARDED_HOST; break;
                 case 'x-forwarded-proto': $trustedHeaders |= Request::HEADER_X_FORWARDED_PROTO; break;
                 case 'x-forwarded-port': $trustedHeaders |= Request::HEADER_X_FORWARDED_PORT; break;
-                case '!x-forwarded-host': $trustedHeaders &= ~Request::HEADER_X_FORWARDED_HOST; break;
-                case 'x-forwarded-all':
-                    if (!\in_array('!x-forwarded-prefix', $headers)) {
-                        throw new LogicException('When using "x-forwarded-all" in "framework.trusted_headers", "!x-forwarded-prefix" must be explicitly listed until support for X-Forwarded-Prefix is implemented.');
-                    }
-                    $trustedHeaders |= Request::HEADER_X_FORWARDED_ALL;
-                    break;
             }
         }
 

Tests/DependencyInjection/ConfigurationTest.php

@@ -341,9 +341,9 @@ protected static function getBundleDefaultConfig()
             'secret' => 's3cr3t',
             'trusted_hosts' => [],
             'trusted_headers' => [
-                'x-forwarded-all',
-                '!x-forwarded-host',
-                '!x-forwarded-prefix',
+                'x-forwarded-for',
+                'x-forwarded-port',
+                'x-forwarded-proto',
             ],
             'csrf_protection' => [
                 'enabled' => false,