[HttpFoundation][FrameworkBundle] Deprecate the HEADER_X_FORWARDED_ALL constant #38954
nicolas-grekas left a comment
(with some remaining nitpicking)
nicolas-grekas commented Nov 2, 2020 • edited
Can you please submit a recipe PR to not use the constant in any version?
fabpot commented Nov 4, 2020
Thank you @jderusse.
Refs:
- symfony/symfony#37734
- symfony/symfony#38954

This upgrade causes a breaking change since newly generated config files created from v1.1.4 to v1.1.8 include a default reference to `Illuminate\Http\Request::HTTP_X_FORWARDED_ALL` which no longer exists as of Laravel 9 / Symfony 6 and there is no way for us to replace that class to add it back ourselves without copying the entirety of the class into our project and class_alias()ing it, which would be a bad idea for lots of reasons.
The `HEADER_X_FORWARDED_ALL` implicitly trusts the `x-forwarded-host` header, leading to a possible host header attack (as warned in the documentation).

Moreover, this `HEADER_X_FORWARDED_ALL` does not really forward all headers, as it does not support `X-Forwarded-Prefix` headers.

This PR deprecates the constant and the new framework bundle configuration. It will be removed in 6.0. People have to use either:

```php
Request::setTrustedProxies(['1.2.3.4'], Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO);
Request::setTrustedProxies(['1.2.3.4'], Request::HEADER_X_FORWARDED_TRAEFIK);
```

```yaml
framework.trusted_headers: [x-forwarded-for, x-forwarded-host, x-forwarded-port, x-forwarded-proto]
```
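
The effect of trusting `x-forwarded-host` described above, shown as an added example that is not part of the PR or of Symfony's code base. It assumes `symfony/http-foundation` is installed through Composer; the host names, the URL path and the pass-through proxy behaviour are constructed for illustration.

```php
<?php
// Added example, not code from the PR. Assumes symfony/http-foundation is
// installed via Composer; host names and the request path are constructed.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
use Symfony\Component\HttpFoundation\Request;

const PROXY_IP = '1.2.3.4';

// Build the request as the application sees it behind the proxy: it arrives
// from the trusted proxy address, and the client-supplied X-Forwarded-Host was
// passed through unchanged because this proxy does not overwrite that header.
function hostSeenByApp(int $trustedHeaderSet): string
{
    Request::setTrustedProxies([PROXY_IP], $trustedHeaderSet);
    $request = Request::create('http://app.example/account', 'GET', [], [], [], [
        'REMOTE_ADDR' => PROXY_IP,
        'HTTP_X_FORWARDED_HOST' => 'untrusted.example',
    ]);

    try {
        return $request->getHost();
    } catch (SuspiciousOperationException $e) {
        return 'rejected: '.$e->getMessage();
    }
}

// Equivalent to what HEADER_X_FORWARDED_ALL implied: the host header is trusted.
$withHost = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST
    | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO;

// Explicit set for a proxy that does not manage X-Forwarded-Host.
$withoutHost = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PORT
    | Request::HEADER_X_FORWARDED_PROTO;

echo 'host header trusted:     ', hostSeenByApp($withHost), PHP_EOL;
echo 'host header not trusted: ', hostSeenByApp($withoutHost), PHP_EOL;

// Defence in depth: with an allow-list, getHost() throws on any other host
// even when X-Forwarded-Host is in the trusted header set.
Request::setTrustedHosts(['^app\.example$']);
echo 'trusted, with allow-list: ', hostSeenByApp($withHost), PHP_EOL;
```

Listing the flags explicitly forces a decision about whether the proxy in front of the application really sets or strips `X-Forwarded-Host`, which the combined constant hid.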