php/yii2
1
0
Fork 0
mirror of https://github.com/yiisoft/yii2.git synced 2025-11-03 13:58:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix #17573: Request::getUserIP() security fix for the case when Request::$trustedHost and Request::$ipHeaders are used

Browse Source
This commit is contained in:
Somogyi Márton
2019-10-03 13:56:20 +02:00
committed by Alexander Makarov
parent ce0c7ad096
commit c87855b31c
4 changed files with 101 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
tests/framework/web/RequestTest.php
View File

@ -725,6 +725,38 @@ class RequestTest extends TestCase
$this->assertSame('default', $request->getBodyParam('unexisting', 'default'));
}
public function trustedHostAndInjectedXForwardedForDataProvider()
{
return [
'emptyIPs' => ['1.1.1.1', '', ['10.10.10.10'], '1.1.1.1'],
'invalidIp' => ['1.1.1.1', '127.0.0.1, 8.8.8.8, 2.2.2.2, apple', ['10.10.10.10'], '1.1.1.1'],
'invalidIp2' => ['1.1.1.1', '127.0.0.1, 8.8.8.8, 2.2.2.2, 300.300.300.300', ['10.10.10.10'], '1.1.1.1'],
'invalidIp3' => ['1.1.1.1', '127.0.0.1, 8.8.8.8, 2.2.2.2, 10.0.0.0/26', ['10.0.0.0/24'], '1.1.1.1'],
'invalidLatestIp' => ['1.1.1.1', '127.0.0.1, 8.8.8.8, 2.2.2.2, apple, 2.2.2.2', ['1.1.1.1', '2.2.2.2'], '2.2.2.2'],
'notTrusted' => ['1.1.1.1', '127.0.0.1, 8.8.8.8, 2.2.2.2', ['10.10.10.10'], '1.1.1.1'],
'trustedLevel1' => ['1.1.1.1', '127.0.0.1, 8.8.8.8, 2.2.2.2', ['1.1.1.1'], '2.2.2.2'],
'trustedLevel2' => ['1.1.1.1', '127.0.0.1, 8.8.8.8, 2.2.2.2', ['1.1.1.1', '2.2.2.2'], '8.8.8.8'],
'trustedLevel3' => ['1.1.1.1', '127.0.0.1, 8.8.8.8, 2.2.2.2', ['1.1.1.1', '2.2.2.2', '8.8.8.8'], '127.0.0.1'],
'trustedLevel4' => ['1.1.1.1', '127.0.0.1, 8.8.8.8, 2.2.2.2', ['1.1.1.1', '2.2.2.2', '8.8.8.8', '127.0.0.1'], '127.0.0.1'],
'trustedLevel4EmptyElements' => ['1.1.1.1', '127.0.0.1, 8.8.8.8,,,, , , 2.2.2.2', ['1.1.1.1', '2.2.2.2', '8.8.8.8', '127.0.0.1'], '127.0.0.1'],
'trustedWithCidr' => ['10.0.0.2', '127.0.0.1, 8.8.8.8, 10.0.0.240, 10.0.0.32, 10.0.0.99', ['10.0.0.0/24'], '8.8.8.8'],
'trustedAll' => ['10.0.0.2', '127.0.0.1, 8.8.8.8, 10.0.0.240, 10.0.0.32, 10.0.0.99', ['0.0.0.0/0'], '127.0.0.1'],
];
}
/**
* @dataProvider trustedHostAndInjectedXForwardedForDataProvider
*/
public function testTrustedHostAndInjectedXForwardedFor($remoteAddress, $xForwardedFor, $trustedHosts, $expectedUserIp)
{
$_SERVER['REMOTE_ADDR'] = $remoteAddress;
$_SERVER['HTTP_X_FORWARDED_FOR'] = $xForwardedFor;
$request = new Request([
'trustedHosts' => $trustedHosts,
]);
$this->assertSame($expectedUserIp, $request->getUserIP());
}
/**
* @testWith ["POST", "GET", "POST"]
* ["POST", "OPTIONS", "POST"]