20561984262

Committed 29 Dec 2025 12:46AM UTC coverage: 83.744%. Remained the same

Build # 20561984262

Build Type

push

github

Committed by

Commit Message

Request::isSameSite() is silently deprecated

Run Details

917 of 1095 relevant lines covered (83.74%)

0.84 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

92.68

/src/Http/Request.php

<?php

/**
 * This file is part of the Nette Framework (https://nette.org)
 * Copyright (c) 2004 David Grudl (https://davidgrudl.com)
 */

declare(strict_types=1);

namespace Nette\Http;

use Nette;
use function array_change_key_case, base64_decode, count, explode, func_num_args, gethostbyaddr, implode, in_array, preg_match, preg_match_all, rsort, strcasecmp, strtr;
use const CASE_LOWER;


/**
 * HttpRequest provides access scheme for request sent via HTTP.
 *
 * @property-read UrlScript $url
 * @property-read array $query
 * @property-read array $post
 * @property-read array $files
 * @property-read array $cookies
 * @property-read string $method
 * @property-read array $headers
 * @property-read UrlImmutable|null $referer
 * @property-read bool $secured
 * @property-read bool $ajax
 * @property-read string|null $remoteAddress
 * @property-read string|null $remoteHost
 * @property-read string|null $rawBody
 */
class Request implements IRequest
{
        use Nette\SmartObject;

        /** @var string[] */
        private readonly array $headers;

        private readonly ?\Closure $rawBodyCallback;


        public function __construct(
                private UrlScript $url,
                private readonly array $post = [],
                private readonly array $files = [],
                private readonly array $cookies = [],
                array $headers = [],
                private readonly string $method = 'GET',
                private readonly ?string $remoteAddress = null,
                private ?string $remoteHost = null,
                ?callable $rawBodyCallback = null,
        ) {
                $this->headers = array_change_key_case($headers, CASE_LOWER);
                $this->rawBodyCallback = $rawBodyCallback ? $rawBodyCallback(...) : null;
        }


        /**
         * Returns a clone with a different URL.
         */
        public function withUrl(UrlScript $url): static
        {
                $dolly = clone $this;
                $dolly->url = $url;
                return $dolly;
        }


        /**
         * Returns the URL of the request.
         */
        public function getUrl(): UrlScript
        {
                return $this->url;
        }


        /********************* query, post, files & cookies ****************d*g**/


        /**
         * Returns variable provided to the script via URL query ($_GET).
         * If no key is passed, returns the entire array.
         */
        public function getQuery(?string $key = null): mixed
        {
                if (func_num_args() === 0) {
                        return $this->url->getQueryParameters();
                }

                return $this->url->getQueryParameter($key);
        }


        /**
         * Returns variable provided to the script via POST method ($_POST).
         * If no key is passed, returns the entire array.
         */
        public function getPost(?string $key = null): mixed
        {
                if (func_num_args() === 0) {
                        return $this->post;
                }

                return $this->post[$key] ?? null;
        }


        /**
         * Returns uploaded file.
         * @param  string|string[]  $key
         */
        public function getFile($key): ?FileUpload
        {
                $res = Nette\Utils\Arrays::get($this->files, $key, null);
                return $res instanceof FileUpload ? $res : null;
        }


        /**
         * Returns tree of upload files in a normalized structure, with each leaf an instance of Nette\Http\FileUpload.
         */
        public function getFiles(): array
        {
                return $this->files;
        }


        /**
         * Returns a cookie or `null` if it does not exist.
         */
        public function getCookie(string $key): mixed
        {
                return $this->cookies[$key] ?? null;
        }


        /**
         * Returns all cookies.
         */
        public function getCookies(): array
        {
                return $this->cookies;
        }


        /********************* method & headers ****************d*g**/


        /**
         * Returns the HTTP method with which the request was made (GET, POST, HEAD, PUT, ...).
         */
        public function getMethod(): string
        {
                return $this->method;
        }


        /**
         * Checks the HTTP method with which the request was made. The parameter is case-insensitive.
         */
        public function isMethod(string $method): bool
        {
                return strcasecmp($this->method, $method) === 0;
        }


        /**
         * Returns an HTTP header or `null` if it does not exist. The parameter is case-insensitive.
         */
        public function getHeader(string $header): ?string
        {
                $header = strtolower($header);
                return $this->headers[$header] ?? null;
        }


        /**
         * Returns all HTTP headers as associative array.
         * @return string[]
         */
        public function getHeaders(): array
        {
                return $this->headers;
        }


        /**
         * What URL did the user come from? Beware, it is not reliable at all.
         * @deprecated  deprecated in favor of the getOrigin()
         */
        public function getReferer(): ?UrlImmutable
        {
                return isset($this->headers['referer'])
                        ? new UrlImmutable($this->headers['referer'])
                        : null;
        }


        /**
         * What origin did the user come from? It contains scheme, hostname and port.
         */
        public function getOrigin(): ?UrlImmutable
        {
                $header = $this->headers['origin'] ?? '';
                if (!preg_match('~^[a-z][a-z0-9+.-]*://[^/]+$~i', $header)) {
                        return null;
                }
                return new UrlImmutable($header);
        }


        /**
         * Is the request sent via secure channel (https)?
         */
        public function isSecured(): bool
        {
                return $this->url->getScheme() === 'https';
        }


        /** @deprecated use isFrom(['same-site', 'same-origin']) */
        public function isSameSite(): bool
        {
                return isset($this->cookies[Helpers::StrictCookieName]);
        }


        /**
         * Checks whether Sec-Fetch headers match the expected values.
         */
        public function isFrom(string|array|null $site = null, string|array|null $initiator = null): bool
        {
                $actualSite = $this->headers['sec-fetch-site'] ?? null;
                $actualDest = $this->headers['sec-fetch-dest'] ?? null;

                if ($actualSite === null && ($origin = $this->getOrigin())) { // fallback for Safari < 16.4
                        $actualSite = strcasecmp($origin->getScheme(), $this->url->getScheme()) === 0
                                        && strcasecmp(rtrim($origin->getHost(), '.'), rtrim($this->url->getHost(), '.')) === 0
                                        && $origin->getPort() === $this->url->getPort()
                                ? 'same-origin'
                                : 'cross-site';
                }

                return ($site === null || ($actualSite !== null && in_array($actualSite, (array) $site, strict: true)))
                        && ($initiator === null || ($actualDest !== null && in_array($actualDest, (array) $initiator, strict: true)));
        }


        /**
         * Is it an AJAX request?
         */
        public function isAjax(): bool
        {
                return $this->getHeader('X-Requested-With') === 'XMLHttpRequest';
        }


        /**
         * Returns the IP address of the remote client.
         */
        public function getRemoteAddress(): ?string
        {
                return $this->remoteAddress;
        }


        /**
         * Returns the host of the remote client.
         */
        public function getRemoteHost(): ?string
        {
                if ($this->remoteHost === null && $this->remoteAddress !== null) {
                        $this->remoteHost = gethostbyaddr($this->remoteAddress);
                }

                return $this->remoteHost;
        }


        /**
         * Returns raw content of HTTP request body.
         */
        public function getRawBody(): ?string
        {
                return $this->rawBodyCallback ? ($this->rawBodyCallback)() : null;
        }


        /**
         * Returns basic HTTP authentication credentials.
         * @return array{string, string}|null
         */
        public function getBasicCredentials(): ?array
        {
                return preg_match(
                        '~^Basic (\S+)$~',
                        $this->headers['authorization'] ?? '',
                        $t,
                )
                        && ($t = base64_decode($t[1], strict: true))
                        && ($t = explode(':', $t, 2))
                        && (count($t) === 2)
                        ? $t
                        : null;
        }


        /**
         * Returns the most preferred language by browser. Uses the `Accept-Language` header. If no match is reached, it returns `null`.
         * @param  string[]  $langs  supported languages
         */
        public function detectLanguage(array $langs): ?string
        {
                $header = $this->getHeader('Accept-Language');
                if (!$header) {
                        return null;
                }

                $s = strtolower($header);  // case insensitive
                $s = strtr($s, '_', '-');  // cs_CZ means cs-CZ
                rsort($langs);             // first more specific
                preg_match_all('#(' . implode('|', $langs) . ')(?:-[^\s,;=]+)?\s*(?:;\s*q=([0-9.]+))?#', $s, $matches);

                if (!$matches[0]) {
                        return null;
                }

                $max = 0;
                $lang = null;
                foreach ($matches[1] as $key => $value) {
                        $q = $matches[2][$key] === '' ? 1.0 : (float) $matches[2][$key];
                        if ($q > $max) {
                                $max = $q;
                                $lang = $value;
                        }
                }

                return $lang;
        }
}

1	<?php
2
3	/**
4	* This file is part of the Nette Framework (https://nette.org)
5	* Copyright (c) 2004 David Grudl (https://davidgrudl.com)
6	*/
7
8	declare(strict_types=1);
9
10	namespace Nette\Http;
11
12	use Nette;
13	use function array_change_key_case, base64_decode, count, explode, func_num_args, gethostbyaddr, implode, in_array, preg_match, preg_match_all, rsort, strcasecmp, strtr;
14	use const CASE_LOWER;
15
16
17	/**
18	* HttpRequest provides access scheme for request sent via HTTP.
19	*
20	* @property-read UrlScript $url
21	* @property-read array $query
22	* @property-read array $post
23	* @property-read array $files
24	* @property-read array $cookies
25	* @property-read string $method
26	* @property-read array $headers
27	* @property-read UrlImmutable\|null $referer
28	* @property-read bool $secured
29	* @property-read bool $ajax
30	* @property-read string\|null $remoteAddress
31	* @property-read string\|null $remoteHost
32	* @property-read string\|null $rawBody
33	*/
34	class Request implements IRequest
35	{
36	use Nette\SmartObject;
37
38	/** @var string[] */
39	private readonly array $headers;
40
41	private readonly ?\Closure $rawBodyCallback;
42
43
44	public function __construct(	1✔
45	private UrlScript $url,
46	private readonly array $post = [],
47	private readonly array $files = [],
48	private readonly array $cookies = [],
49	array $headers = [],
50	private readonly string $method = 'GET',
51	private readonly ?string $remoteAddress = null,
52	private ?string $remoteHost = null,
53	?callable $rawBodyCallback = null,
54	) {
55	$this->headers = array_change_key_case($headers, CASE_LOWER);	1✔
56	$this->rawBodyCallback = $rawBodyCallback ? $rawBodyCallback(...) : null;	1✔
57	}	1✔
58
59
60	/**
61	* Returns a clone with a different URL.
62	*/
63	public function withUrl(UrlScript $url): static	1✔
64	{
65	$dolly = clone $this;	1✔
66	$dolly->url = $url;	1✔
67	return $dolly;	1✔
68	}
69
70
71	/**
72	* Returns the URL of the request.
73	*/
74	public function getUrl(): UrlScript
75	{
76	return $this->url;	1✔
77	}
78
79
80	/******************* query, post, files & cookies *************dg**/
81
82
83	/**
84	* Returns variable provided to the script via URL query ($_GET).
85	* If no key is passed, returns the entire array.
86	*/
87	public function getQuery(?string $key = null): mixed	1✔
88	{
89	if (func_num_args() === 0) {	1✔
90	return $this->url->getQueryParameters();	1✔
91	}
92
93	return $this->url->getQueryParameter($key);	1✔
94	}
95
96
97	/**
98	* Returns variable provided to the script via POST method ($_POST).
99	* If no key is passed, returns the entire array.
100	*/
101	public function getPost(?string $key = null): mixed	1✔
102	{
103	if (func_num_args() === 0) {	1✔
104	return $this->post;	1✔
105	}
106
107	return $this->post[$key] ?? null;	1✔
108	}
109
110
111	/**
112	* Returns uploaded file.
113	* @param string\|string[] $key
114	*/
115	public function getFile($key): ?FileUpload
116	{
117	$res = Nette\Utils\Arrays::get($this->files, $key, null);	1✔
118	return $res instanceof FileUpload ? $res : null;	1✔
119	}
120
121
122	/**
123	* Returns tree of upload files in a normalized structure, with each leaf an instance of Nette\Http\FileUpload.
124	*/
125	public function getFiles(): array
126	{
127	return $this->files;	1✔
128	}
129
130
131	/**
132	* Returns a cookie or `null` if it does not exist.
133	*/
134	public function getCookie(string $key): mixed	1✔
135	{
136	return $this->cookies[$key] ?? null;	1✔
137	}
138
139
140	/**
141	* Returns all cookies.
142	*/
143	public function getCookies(): array
144	{
145	return $this->cookies;	1✔
146	}
147
148
149	/******************* method & headers *************dg**/
150
151
152	/**
153	* Returns the HTTP method with which the request was made (GET, POST, HEAD, PUT, ...).
154	*/
155	public function getMethod(): string
156	{
157	return $this->method;	1✔
158	}
159
160
161	/**
162	* Checks the HTTP method with which the request was made. The parameter is case-insensitive.
163	*/
164	public function isMethod(string $method): bool
165	{
166	return strcasecmp($this->method, $method) === 0;	×
167	}
168
169
170	/**
171	* Returns an HTTP header or `null` if it does not exist. The parameter is case-insensitive.
172	*/
173	public function getHeader(string $header): ?string	1✔
174	{
175	$header = strtolower($header);	1✔
176	return $this->headers[$header] ?? null;	1✔
177	}
178
179
180	/**
181	* Returns all HTTP headers as associative array.
182	* @return string[]
183	*/
184	public function getHeaders(): array
185	{
186	return $this->headers;	1✔
187	}
188
189
190	/**
191	* What URL did the user come from? Beware, it is not reliable at all.
192	* @deprecated deprecated in favor of the getOrigin()
193	*/
194	public function getReferer(): ?UrlImmutable
195	{
196	return isset($this->headers['referer'])	×
197	? new UrlImmutable($this->headers['referer'])	×
198	: null;	×
199	}
200
201
202	/**
203	* What origin did the user come from? It contains scheme, hostname and port.
204	*/
205	public function getOrigin(): ?UrlImmutable
206	{
207	$header = $this->headers['origin'] ?? '';	1✔
208	if (!preg_match('~^[a-z][a-z0-9+.-]*://[^/]+$~i', $header)) {	1✔
209	return null;	1✔
210	}
211	return new UrlImmutable($header);	1✔
212	}
213
214
215	/**
216	* Is the request sent via secure channel (https)?
217	*/
218	public function isSecured(): bool
219	{
220	return $this->url->getScheme() === 'https';	1✔
221	}
222
223
224	/** @deprecated use isFrom(['same-site', 'same-origin']) */
225	public function isSameSite(): bool
226	{
227	return isset($this->cookies[Helpers::StrictCookieName]);	×
228	}
229
230
231	/**
232	* Checks whether Sec-Fetch headers match the expected values.
233	*/
234	public function isFrom(string\|array\|null $site = null, string\|array\|null $initiator = null): bool	1✔
235	{
236	$actualSite = $this->headers['sec-fetch-site'] ?? null;	1✔
237	$actualDest = $this->headers['sec-fetch-dest'] ?? null;	1✔
238
239	if ($actualSite === null && ($origin = $this->getOrigin())) { // fallback for Safari < 16.4	1✔
240	$actualSite = strcasecmp($origin->getScheme(), $this->url->getScheme()) === 0	1✔
241	&& strcasecmp(rtrim($origin->getHost(), '.'), rtrim($this->url->getHost(), '.')) === 0	1✔
242	&& $origin->getPort() === $this->url->getPort()	1✔
243	? 'same-origin'	1✔
244	: 'cross-site';	1✔
245	}
246
247	return ($site === null \|\| ($actualSite !== null && in_array($actualSite, (array) $site, strict: true)))	1✔
248	&& ($initiator === null \|\| ($actualDest !== null && in_array($actualDest, (array) $initiator, strict: true)));	1✔
249	}
250
251
252	/**
253	* Is it an AJAX request?
254	*/
255	public function isAjax(): bool
256	{
257	return $this->getHeader('X-Requested-With') === 'XMLHttpRequest';	×
258	}
259
260
261	/**
262	* Returns the IP address of the remote client.
263	*/
264	public function getRemoteAddress(): ?string
265	{
266	return $this->remoteAddress;	1✔
267	}
268
269
270	/**
271	* Returns the host of the remote client.
272	*/
273	public function getRemoteHost(): ?string
274	{
275	if ($this->remoteHost === null && $this->remoteAddress !== null) {	1✔
276	$this->remoteHost = gethostbyaddr($this->remoteAddress);	1✔
277	}
278
279	return $this->remoteHost;	1✔
280	}
281
282
283	/**
284	* Returns raw content of HTTP request body.
285	*/
286	public function getRawBody(): ?string
287	{
288	return $this->rawBodyCallback ? ($this->rawBodyCallback)() : null;	1✔
289	}
290
291
292	/**
293	* Returns basic HTTP authentication credentials.
294	* @return array{string, string}\|null
295	*/
296	public function getBasicCredentials(): ?array
297	{
298	return preg_match(	1✔
299	'~^Basic (\S+)$~',	1✔
300	$this->headers['authorization'] ?? '',	1✔
301	$t,	1✔
302	)
303	&& ($t = base64_decode($t[1], strict: true))	1✔
304	&& ($t = explode(':', $t, 2))	1✔
305	&& (count($t) === 2)	1✔
306	? $t	1✔
307	: null;	1✔
308	}
309
310
311	/**
312	* Returns the most preferred language by browser. Uses the `Accept-Language` header. If no match is reached, it returns `null`.
313	* @param string[] $langs supported languages
314	*/
315	public function detectLanguage(array $langs): ?string	1✔
316	{
317	$header = $this->getHeader('Accept-Language');	1✔
318	if (!$header) {	1✔
319	return null;	1✔
320	}
321
322	$s = strtolower($header); // case insensitive	1✔
323	$s = strtr($s, '_', '-'); // cs_CZ means cs-CZ	1✔
324	rsort($langs); // first more specific	1✔
325	preg_match_all('#(' . implode('\|', $langs) . ')(?:-[^\s,;=]+)?\s(?:;\sq=([0-9.]+))?#', $s, $matches);	1✔
326
327	if (!$matches[0]) {	1✔
328	return null;	1✔
329	}
330
331	$max = 0;	1✔
332	$lang = null;	1✔
333	foreach ($matches[1] as $key => $value) {	1✔
334	$q = $matches[2][$key] === '' ? 1.0 : (float) $matches[2][$key];	1✔
335	if ($q > $max) {	1✔
336	$max = $q;	1✔
337	$lang = $value;	1✔
338	}
339	}
340
341	return $lang;	1✔
342	}
343	}

nette / http / 20561984262

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous