Skip to content

Commit c334006

Browse files
jderussejderusse
committed
Fix missing extra trusted header in sub-request
1 parent c91e438 commit c334006

File tree

2 files changed

+7
-0
lines changed

2 files changed

+7
-0
lines changed

HttpCache/SubRequestHandler.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,7 @@ public static function handle(HttpKernelInterface $kernel, Request $request, int
3838
'X_FORWARDED_HOST' => $trustedHeaderSet & Request::HEADER_X_FORWARDED_HOST,
3939
'X_FORWARDED_PROTO' => $trustedHeaderSet & Request::HEADER_X_FORWARDED_PROTO,
4040
'X_FORWARDED_PORT' => $trustedHeaderSet & Request::HEADER_X_FORWARDED_PORT,
41+
'X_FORWARDED_PREFIX' => $trustedHeaderSet & Request::HEADER_X_FORWARDED_PREFIX,
4142
];
4243
foreach (array_filter($trustedHeaders) as $name => $key) {
4344
$request->headers->remove($name);

Tests/HttpCache/SubRequestHandlerTest.php

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -42,13 +42,15 @@ public function testTrustedHeadersAreKept()
4242
$request->headers->set('X-Forwarded-Host', 'Good');
4343
$request->headers->set('X-Forwarded-Port', '1234');
4444
$request->headers->set('X-Forwarded-Proto', 'https');
45+
$request->headers->set('X-Forwarded-Prefix', '/admin');
4546

4647
$kernel = new TestSubRequestHandlerKernel(function ($request, $type, $catch) {
4748
$this->assertSame('127.0.0.1', $request->server->get('REMOTE_ADDR'));
4849
$this->assertSame('10.0.0.2', $request->getClientIp());
4950
$this->assertSame('Good', $request->headers->get('X-Forwarded-Host'));
5051
$this->assertSame('1234', $request->headers->get('X-Forwarded-Port'));
5152
$this->assertSame('https', $request->headers->get('X-Forwarded-Proto'));
53+
$this->assertSame('/admin', $request->headers->get('X-Forwarded-Prefix'));
5254
});
5355

5456
SubRequestHandler::handle($kernel, $request, HttpKernelInterface::MAIN_REQUEST, true);
@@ -64,6 +66,7 @@ public function testUntrustedHeadersAreRemoved()
6466
$request->headers->set('X-Forwarded-Host', 'Evil');
6567
$request->headers->set('X-Forwarded-Port', '1234');
6668
$request->headers->set('X-Forwarded-Proto', 'http');
69+
$request->headers->set('X-Forwarded-Prefix', '/admin');
6770
$request->headers->set('Forwarded', 'Evil2');
6871

6972
$kernel = new TestSubRequestHandlerKernel(function ($request, $type, $catch) {
@@ -72,6 +75,7 @@ public function testUntrustedHeadersAreRemoved()
7275
$this->assertFalse($request->headers->has('X-Forwarded-Host'));
7376
$this->assertFalse($request->headers->has('X-Forwarded-Port'));
7477
$this->assertFalse($request->headers->has('X-Forwarded-Proto'));
78+
$this->assertFalse($request->headers->has('X-Forwarded-Prefix'));
7579
$this->assertSame('for="10.0.0.1";host="localhost";proto=http', $request->headers->get('Forwarded'));
7680
});
7781

@@ -112,12 +116,14 @@ public function testTrustedXForwardedForHeader()
112116
$request->headers->set('X-Forwarded-For', '10.0.0.2');
113117
$request->headers->set('X-Forwarded-Host', 'foo.bar');
114118
$request->headers->set('X-Forwarded-Proto', 'https');
119+
$request->headers->set('X-Forwarded-Prefix', '/admin');
115120

116121
$kernel = new TestSubRequestHandlerKernel(function ($request, $type, $catch) {
117122
$this->assertSame('127.0.0.1', $request->server->get('REMOTE_ADDR'));
118123
$this->assertSame('10.0.0.2', $request->getClientIp());
119124
$this->assertSame('foo.bar', $request->getHttpHost());
120125
$this->assertSame('https', $request->getScheme());
126+
$this->assertSame('/admin', $request->getBaseUrl());
121127
});
122128

123129
SubRequestHandler::handle($kernel, $request, HttpKernelInterface::MAIN_REQUEST, true);

0 commit comments

Comments
 (0)