22293514258

Committed 23 Feb 2026 04:58AM UTC coverage: 83.62%. Remained the same

Build Type

push

github

Committed by

Commit Message

added CLAUDE.md

Coverage Stats

924 of 1105 relevant lines covered (83.62%)

0.84 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

96.26

/src/Http/RequestFactory.php

<?php declare(strict_types=1);

/**
 * This file is part of the Nette Framework (https://nette.org)
 * Copyright (c) 2004 David Grudl (https://davidgrudl.com)
 */

namespace Nette\Http;

use Nette;
use Nette\Utils\Arrays;
use Nette\Utils\Strings;
use function array_filter, base64_encode, count, end, explode, file_get_contents, filter_input_array, filter_var, function_exists, get_debug_type, in_array, ini_get, is_array, is_string, key, min, preg_last_error, preg_match, preg_replace, preg_split, rtrim, sprintf, str_contains, strcasecmp, strlen, strncmp, strpos, strrpos, strtolower, strtr, substr, trim;
use const FILTER_UNSAFE_RAW, FILTER_VALIDATE_IP, INPUT_COOKIE, INPUT_POST, PHP_SAPI, UPLOAD_ERR_NO_FILE;


/**
 * HTTP request factory.
 */
class RequestFactory
{
        /** @internal */
        private const ValidChars = '\x09\x0A\x0D\x20-\x7E\xA0-\x{10FFFF}';

        /** @var array<string, array<string, string>> */
        public array $urlFilters = [
                'path' => ['#//#' => '/'], // '%20' => ''
                'url' => [], // '#[.,)]$#D' => ''
        ];

        private bool $binary = false;

        /** @var list<string> */
        private array $proxies = [];

        private bool $forceHttps = false;


        public function setBinary(bool $binary = true): static
        {
                $this->binary = $binary;
                return $this;
        }


        /**
         * @param string|list<string>  $proxy
         */
        public function setProxy($proxy): static
        {
                $this->proxies = (array) $proxy;
                return $this;
        }


        public function setForceHttps(bool $forceHttps = true): static
        {
                $this->forceHttps = $forceHttps;
                return $this;
        }


        /**
         * Returns new Request instance, using values from superglobals.
         */
        public function fromGlobals(): Request
        {
                $url = new Url;
                $this->getServer($url);
                $this->getPathAndQuery($url);
                [$post, $cookies] = $this->getGetPostCookie($url);
                [$remoteAddr, $remoteHost] = $this->getClient($url);

                if ($this->forceHttps) {
                        $url->setScheme('https');
                }

                return new Request(
                        new UrlScript($url, $this->getScriptPath($url)),
                        $post,
                        $this->getFiles(),
                        $cookies,
                        $this->getHeaders(),
                        $this->getMethod(),
                        $remoteAddr,
                        $remoteHost,
                        fn(): string => (string) file_get_contents('php://input'),
                );
        }


        private function getServer(Url $url): void
        {
                $url->setScheme(!empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'off') ? 'https' : 'http');

                if (
                        (isset($_SERVER[$tmp = 'HTTP_HOST']) || isset($_SERVER[$tmp = 'SERVER_NAME']))
                        && ($pair = $this->parseHostAndPort($_SERVER[$tmp]))
                ) {
                        $url->setHost($pair[0]);
                        if (isset($pair[1])) {
                                $url->setPort($pair[1]);
                        } elseif ($tmp === 'SERVER_NAME' && isset($_SERVER['SERVER_PORT'])) {
                                $url->setPort((int) $_SERVER['SERVER_PORT']);
                        }
                }
        }


        private function getPathAndQuery(Url $url): void
        {
                $requestUrl = $_SERVER['REQUEST_URI'] ?? '/';
                $requestUrl = preg_replace('#^\w++://[^/]++#', '', $requestUrl);
                $requestUrl = Strings::replace($requestUrl, $this->urlFilters['url']);

                $tmp = explode('?', $requestUrl, 2);
                $path = Url::unescape($tmp[0], '%/?#');
                $path = Strings::fixEncoding(Strings::replace($path, $this->urlFilters['path']));
                $url->setPath($path);
                $url->setQuery($tmp[1] ?? '');
        }


        private function getScriptPath(Url $url): string
        {
                if (PHP_SAPI === 'cli-server') {
                        return '/';
                }

                $path = $url->getPath();
                $lpath = strtolower($path);
                $script = strtolower($_SERVER['SCRIPT_NAME'] ?? '');
                if ($lpath !== $script) {
                        $max = min(strlen($lpath), strlen($script));
                        for ($i = 0; $i < $max && $lpath[$i] === $script[$i]; $i++);
                        $path = $i
                                ? substr($path, 0, strrpos($path, '/', $i - strlen($path) - 1) + 1)
                                : '/';
                }

                return $path;
        }


        /** @return array{mixed[], mixed[]} */
        private function getGetPostCookie(Url $url): array
        {
                $useFilter = (!in_array((string) ini_get('filter.default'), ['', 'unsafe_raw'], strict: true) || ini_get('filter.default_flags'));

                $query = $url->getQueryParameters();
                $post = $useFilter
                        ? filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW)
                        : (empty($_POST) ? [] : $_POST);
                $cookies = $useFilter
                        ? filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW)
                        : (empty($_COOKIE) ? [] : $_COOKIE);

                // remove invalid characters
                $reChars = '#^[' . self::ValidChars . ']*+$#Du';
                if (!$this->binary) {
                        $list = [&$query, &$post, &$cookies];
                        foreach ($list as $key => &$val) {
                                foreach ($val as $k => $v) {
                                        if (is_string($k) && (!preg_match($reChars, $k) || preg_last_error())) {
                                                unset($list[$key][$k]);

                                        } elseif (is_array($v)) {
                                                $list[$key][$k] = $v;
                                                $list[] = &$list[$key][$k];

                                        } elseif (is_string($v)) {
                                                $list[$key][$k] = (string) preg_replace('#[^' . self::ValidChars . ']+#u', '', $v);

                                        } else {
                                                throw new Nette\InvalidStateException(sprintf('Invalid value in $_POST/$_COOKIE in key %s, expected string, %s given.', "'$k'", get_debug_type($v)));
                                        }
                                }
                        }

                        unset($list, $key, $val, $k, $v);
                }

                $url->setQuery($query);
                return [$post, $cookies];
        }


        /** @return mixed[] */
        private function getFiles(): array
        {
                $reChars = '#^[' . self::ValidChars . ']*+$#Du';
                $files = [];
                $list = [];
                foreach ($_FILES ?? [] as $k => $v) {
                        if (
                                !is_array($v)
                                || !isset($v['name'], $v['type'], $v['size'], $v['tmp_name'], $v['error'])
                                || (!$this->binary && is_string($k) && (!preg_match($reChars, $k) || preg_last_error()))
                        ) {
                                continue;
                        }

                        $v['@'] = &$files[$k];
                        $list[] = $v;
                }

                // create FileUpload objects
                foreach ($list as &$v) {
                        if (!isset($v['name'])) {
                                continue;

                        } elseif (!is_array($v['name'])) {
                                if (!$this->binary && (!preg_match($reChars, $v['name']) || preg_last_error())) {
                                        $v['name'] = '';
                                }

                                if ($v['error'] !== UPLOAD_ERR_NO_FILE) {
                                        $v['@'] = new FileUpload($v);
                                }

                                continue;
                        }

                        foreach ($v['name'] as $k => $foo) {
                                if (!$this->binary && is_string($k) && (!preg_match($reChars, $k) || preg_last_error())) {
                                        continue;
                                }

                                $list[] = [
                                        'name' => $v['name'][$k],
                                        'type' => $v['type'][$k],
                                        'size' => $v['size'][$k],
                                        'full_path' => $v['full_path'][$k] ?? null,
                                        'tmp_name' => $v['tmp_name'][$k],
                                        'error' => $v['error'][$k],
                                        '@' => &$v['@'][$k],
                                ];
                        }
                }

                return $files;
        }


        /** @return array<string, string> */
        private function getHeaders(): array
        {
                if (function_exists('apache_request_headers')) {
                        $headers = apache_request_headers();
                } else {
                        $headers = [];
                        foreach ($_SERVER as $k => $v) {
                                if (str_starts_with($k, 'HTTP_')) {
                                        $k = substr($k, 5);
                                } elseif (strncmp($k, 'CONTENT_', 8)) {
                                        continue;
                                }

                                $headers[strtr($k, '_', '-')] = $v;
                        }
                }

                if (!isset($headers['Authorization'])) {
                        if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
                                $headers['Authorization'] = 'Basic ' . base64_encode($_SERVER['PHP_AUTH_USER'] . ':' . $_SERVER['PHP_AUTH_PW']);
                        } elseif (isset($_SERVER['PHP_AUTH_DIGEST'])) {
                                $headers['Authorization'] = 'Digest ' . $_SERVER['PHP_AUTH_DIGEST'];
                        }
                }

                return $headers;
        }


        private function getMethod(): string
        {
                $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
                if (
                        $method === 'POST'
                        && preg_match('#^[A-Z]+$#D', $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? '')
                ) {
                        $method = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'];
                }

                return $method;
        }


        /** @return array{?string, ?string}  [remoteAddr, remoteHost] */
        private function getClient(Url $url): array
        {
                $remoteAddr = !empty($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;

                // use real client address and host if trusted proxy is used
                $usingTrustedProxy = $remoteAddr && Arrays::some($this->proxies, fn(string $proxy): bool => Helpers::ipMatch($remoteAddr, $proxy));
                if ($usingTrustedProxy) {
                        $remoteHost = null;
                        $remoteAddr = empty($_SERVER['HTTP_FORWARDED'])
                                ? $this->useNonstandardProxy($url)
                                : $this->useForwardedProxy($url);

                } else {
                        $remoteHost = !empty($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : null;
                }

                return [$remoteAddr, $remoteHost];
        }


        private function useForwardedProxy(Url $url): ?string
        {
                $forwardParams = preg_split('/[,;]/', $_SERVER['HTTP_FORWARDED']);
                foreach ($forwardParams as $forwardParam) {
                        [$key, $value] = explode('=', $forwardParam, 2) + [1 => ''];
                        $proxyParams[strtolower(trim($key))][] = trim($value, " \t\"");
                }

                if (isset($proxyParams['for'])) {
                        $address = $proxyParams['for'][0];
                        $remoteAddr = str_contains($address, '[')
                                ? substr($address, 1, strpos($address, ']') - 1) // IPv6
                                : explode(':', $address)[0];  // IPv4
                }

                if (isset($proxyParams['proto']) && count($proxyParams['proto']) === 1) {
                        $url->setScheme(strcasecmp($proxyParams['proto'][0], 'https') === 0 ? 'https' : 'http');
                        $url->setPort($url->getScheme() === 'https' ? 443 : 80);
                }

                if (
                        isset($proxyParams['host']) && count($proxyParams['host']) === 1
                        && ($pair = $this->parseHostAndPort($proxyParams['host'][0]))
                ) {
                        $url->setHost($pair[0]);
                        if (isset($pair[1])) {
                                $url->setPort($pair[1]);
                        }
                }
                return $remoteAddr ?? null;
        }


        private function useNonstandardProxy(Url $url): ?string
        {
                if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
                        $url->setScheme(strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0 ? 'https' : 'http');
                        $url->setPort($url->getScheme() === 'https' ? 443 : 80);
                }

                if (!empty($_SERVER['HTTP_X_FORWARDED_PORT'])) {
                        $url->setPort((int) $_SERVER['HTTP_X_FORWARDED_PORT']);
                }

                if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                        $xForwardedForWithoutProxies = array_filter(
                                explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']),
                                fn(string $ip): bool => filter_var($ip = trim($ip), FILTER_VALIDATE_IP) === false
                                        || !Arrays::some($this->proxies, fn(string $proxy): bool => Helpers::ipMatch($ip, $proxy)),
                        );
                        if ($xForwardedForWithoutProxies) {
                                $remoteAddr = trim(end($xForwardedForWithoutProxies));
                                $xForwardedForRealIpKey = key($xForwardedForWithoutProxies);
                        }
                }

                if (isset($xForwardedForRealIpKey) && !empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
                        $xForwardedHost = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);
                        if (
                                isset($xForwardedHost[$xForwardedForRealIpKey])
                                && ($pair = $this->parseHostAndPort(trim($xForwardedHost[$xForwardedForRealIpKey])))
                        ) {
                                $url->setHost($pair[0]);
                                if (isset($pair[1])) {
                                        $url->setPort($pair[1]);
                                }
                        }
                }

                return $remoteAddr ?? null;
        }


        /** @return array{string, ?int}|null */
        private function parseHostAndPort(string $s): ?array
        {
                return preg_match('#^([a-z0-9_.-]+|\[[a-f0-9:]+])(:\d+)?$#Di', $s, $matches)
                        ? [
                                rtrim(strtolower($matches[1]), '.'),
                                isset($matches[2]) ? (int) substr($matches[2], 1) : null,
                        ]
                        : null;
        }


        /** @deprecated */
        public function createHttpRequest(): Request
        {
                return $this->fromGlobals();
        }
}

1	<?php declare(strict_types=1);
2
3	/**
4	* This file is part of the Nette Framework (https://nette.org)
5	* Copyright (c) 2004 David Grudl (https://davidgrudl.com)
6	*/
7
8	namespace Nette\Http;
9
10	use Nette;
11	use Nette\Utils\Arrays;
12	use Nette\Utils\Strings;
13	use function array_filter, base64_encode, count, end, explode, file_get_contents, filter_input_array, filter_var, function_exists, get_debug_type, in_array, ini_get, is_array, is_string, key, min, preg_last_error, preg_match, preg_replace, preg_split, rtrim, sprintf, str_contains, strcasecmp, strlen, strncmp, strpos, strrpos, strtolower, strtr, substr, trim;
14	use const FILTER_UNSAFE_RAW, FILTER_VALIDATE_IP, INPUT_COOKIE, INPUT_POST, PHP_SAPI, UPLOAD_ERR_NO_FILE;
15
16
17	/**
18	* HTTP request factory.
19	*/
20	class RequestFactory
21	{
22	/** @internal */
23	private const ValidChars = '\x09\x0A\x0D\x20-\x7E\xA0-\x{10FFFF}';
24
25	/** @var array<string, array<string, string>> */
26	public array $urlFilters = [
27	'path' => ['#//#' => '/'], // '%20' => ''
28	'url' => [], // '#[.,)]$#D' => ''
29	];
30
31	private bool $binary = false;
32
33	/** @var list<string> */
34	private array $proxies = [];
35
36	private bool $forceHttps = false;
37
38
39	public function setBinary(bool $binary = true): static	1✔
40	{
41	$this->binary = $binary;	1✔
42	return $this;	1✔
43	}
44
45
46	/**
47	* @param string\|list<string> $proxy
48	*/
49	public function setProxy($proxy): static
50	{
51	$this->proxies = (array) $proxy;	1✔
52	return $this;	1✔
53	}
54
55
56	public function setForceHttps(bool $forceHttps = true): static	1✔
57	{
58	$this->forceHttps = $forceHttps;	1✔
59	return $this;	1✔
60	}
61
62
63	/**
64	* Returns new Request instance, using values from superglobals.
65	*/
66	public function fromGlobals(): Request
67	{
68	$url = new Url;	1✔
69	$this->getServer($url);	1✔
70	$this->getPathAndQuery($url);	1✔
71	[$post, $cookies] = $this->getGetPostCookie($url);	1✔
72	[$remoteAddr, $remoteHost] = $this->getClient($url);	1✔
73
74	if ($this->forceHttps) {	1✔
75	$url->setScheme('https');	1✔
76	}
77
78	return new Request(	1✔
79	new UrlScript($url, $this->getScriptPath($url)),	1✔
80	$post,
81	$this->getFiles(),	1✔
82	$cookies,
83	$this->getHeaders(),	1✔
84	$this->getMethod(),	1✔
85	$remoteAddr,
86	$remoteHost,
87	fn(): string => (string) file_get_contents('php://input'),	1✔
88	);
89	}
90
91
92	private function getServer(Url $url): void	1✔
93	{
94	$url->setScheme(!empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'off') ? 'https' : 'http');	1✔
95
96	if (
97	(isset($_SERVER[$tmp = 'HTTP_HOST']) \|\| isset($_SERVER[$tmp = 'SERVER_NAME']))	1✔
98	&& ($pair = $this->parseHostAndPort($_SERVER[$tmp]))	1✔
99	) {
100	$url->setHost($pair[0]);	1✔
101	if (isset($pair[1])) {	1✔
102	$url->setPort($pair[1]);	1✔
103	} elseif ($tmp === 'SERVER_NAME' && isset($_SERVER['SERVER_PORT'])) {	1✔
104	$url->setPort((int) $_SERVER['SERVER_PORT']);	1✔
105	}
106	}
107	}	1✔
108
109
110	private function getPathAndQuery(Url $url): void	1✔
111	{
112	$requestUrl = $_SERVER['REQUEST_URI'] ?? '/';	1✔
113	$requestUrl = preg_replace('#^\w++://[^/]++#', '', $requestUrl);	1✔
114	$requestUrl = Strings::replace($requestUrl, $this->urlFilters['url']);	1✔
115
116	$tmp = explode('?', $requestUrl, 2);	1✔
117	$path = Url::unescape($tmp[0], '%/?#');	1✔
118	$path = Strings::fixEncoding(Strings::replace($path, $this->urlFilters['path']));	1✔
119	$url->setPath($path);	1✔
120	$url->setQuery($tmp[1] ?? '');	1✔
121	}	1✔
122
123
124	private function getScriptPath(Url $url): string	1✔
125	{
126	if (PHP_SAPI === 'cli-server') {	1✔
127	return '/';	×
128	}
129
130	$path = $url->getPath();	1✔
131	$lpath = strtolower($path);	1✔
132	$script = strtolower($_SERVER['SCRIPT_NAME'] ?? '');	1✔
133	if ($lpath !== $script) {	1✔
134	$max = min(strlen($lpath), strlen($script));	1✔
135	for ($i = 0; $i < $max && $lpath[$i] === $script[$i]; $i++);	1✔
136	$path = $i	1✔
137	? substr($path, 0, strrpos($path, '/', $i - strlen($path) - 1) + 1)	1✔
138	: '/';	1✔
139	}
140
141	return $path;	1✔
142	}
143
144
145	/** @return array{mixed[], mixed[]} */
146	private function getGetPostCookie(Url $url): array	1✔
147	{
148	$useFilter = (!in_array((string) ini_get('filter.default'), ['', 'unsafe_raw'], strict: true) \|\| ini_get('filter.default_flags'));	1✔
149
150	$query = $url->getQueryParameters();	1✔
151	$post = $useFilter	1✔
152	? filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW)	×
153	: (empty($_POST) ? [] : $_POST);	1✔
154	$cookies = $useFilter	1✔
155	? filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW)	×
156	: (empty($_COOKIE) ? [] : $_COOKIE);	1✔
157
158	// remove invalid characters
159	$reChars = '#^[' . self::ValidChars . ']*+$#Du';	1✔
160	if (!$this->binary) {	1✔
161	$list = [&$query, &$post, &$cookies];	1✔
162	foreach ($list as $key => &$val) {	1✔
163	foreach ($val as $k => $v) {	1✔
164	if (is_string($k) && (!preg_match($reChars, $k) \|\| preg_last_error())) {	1✔
165	unset($list[$key][$k]);	1✔
166
167	} elseif (is_array($v)) {	1✔
168	$list[$key][$k] = $v;	1✔
169	$list[] = &$list[$key][$k];	1✔
170
171	} elseif (is_string($v)) {	1✔
172	$list[$key][$k] = (string) preg_replace('#[^' . self::ValidChars . ']+#u', '', $v);	1✔
173
174	} else {
175	throw new Nette\InvalidStateException(sprintf('Invalid value in $_POST/$_COOKIE in key %s, expected string, %s given.', "'$k'", get_debug_type($v)));	1✔
176	}
177	}
178	}
179
180	unset($list, $key, $val, $k, $v);	1✔
181	}
182
183	$url->setQuery($query);	1✔
184	return [$post, $cookies];	1✔
185	}
186
187
188	/** @return mixed[] */
189	private function getFiles(): array
190	{
191	$reChars = '#^[' . self::ValidChars . ']*+$#Du';	1✔
192	$files = [];	1✔
193	$list = [];	1✔
194	foreach ($_FILES ?? [] as $k => $v) {	1✔
195	if (
196	!is_array($v)	1✔
197	\|\| !isset($v['name'], $v['type'], $v['size'], $v['tmp_name'], $v['error'])	1✔
198	\|\| (!$this->binary && is_string($k) && (!preg_match($reChars, $k) \|\| preg_last_error()))	1✔
199	) {
200	continue;	1✔
201	}
202
203	$v['@'] = &$files[$k];	1✔
204	$list[] = $v;	1✔
205	}
206
207	// create FileUpload objects
208	foreach ($list as &$v) {	1✔
209	if (!isset($v['name'])) {	1✔
210	continue;	×
211
212	} elseif (!is_array($v['name'])) {	1✔
213	if (!$this->binary && (!preg_match($reChars, $v['name']) \|\| preg_last_error())) {	1✔
214	$v['name'] = '';	1✔
215	}
216
217	if ($v['error'] !== UPLOAD_ERR_NO_FILE) {	1✔
218	$v['@'] = new FileUpload($v);	1✔
219	}
220
221	continue;	1✔
222	}
223
224	foreach ($v['name'] as $k => $foo) {	1✔
225	if (!$this->binary && is_string($k) && (!preg_match($reChars, $k) \|\| preg_last_error())) {	1✔
226	continue;	×
227	}
228
229	$list[] = [	1✔
230	'name' => $v['name'][$k],	1✔
231	'type' => $v['type'][$k],	1✔
232	'size' => $v['size'][$k],	1✔
233	'full_path' => $v['full_path'][$k] ?? null,	1✔
234	'tmp_name' => $v['tmp_name'][$k],	1✔
235	'error' => $v['error'][$k],	1✔
236	'@' => &$v['@'][$k],	1✔
237	];
238	}
239	}
240
241	return $files;	1✔
242	}
243
244
245	/** @return array<string, string> */
246	private function getHeaders(): array
247	{
248	if (function_exists('apache_request_headers')) {	1✔
249	$headers = apache_request_headers();	×
250	} else {
251	$headers = [];	1✔
252	foreach ($_SERVER as $k => $v) {	1✔
253	if (str_starts_with($k, 'HTTP_')) {	1✔
254	$k = substr($k, 5);	1✔
255	} elseif (strncmp($k, 'CONTENT_', 8)) {	1✔
256	continue;	1✔
257	}
258
259	$headers[strtr($k, '_', '-')] = $v;	1✔
260	}
261	}
262
263	if (!isset($headers['Authorization'])) {	1✔
264	if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {	1✔
265	$headers['Authorization'] = 'Basic ' . base64_encode($_SERVER['PHP_AUTH_USER'] . ':' . $_SERVER['PHP_AUTH_PW']);	1✔
266	} elseif (isset($_SERVER['PHP_AUTH_DIGEST'])) {	1✔
267	$headers['Authorization'] = 'Digest ' . $_SERVER['PHP_AUTH_DIGEST'];	1✔
268	}
269	}
270
271	return $headers;	1✔
272	}
273
274
275	private function getMethod(): string
276	{
277	$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';	1✔
278	if (
279	$method === 'POST'	1✔
280	&& preg_match('#^[A-Z]+$#D', $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? '')	1✔
281	) {
282	$method = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'];	1✔
283	}
284
285	return $method;	1✔
286	}
287
288
289	/** @return array{?string, ?string} [remoteAddr, remoteHost] */
290	private function getClient(Url $url): array	1✔
291	{
292	$remoteAddr = !empty($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;	1✔
293
294	// use real client address and host if trusted proxy is used
295	$usingTrustedProxy = $remoteAddr && Arrays::some($this->proxies, fn(string $proxy): bool => Helpers::ipMatch($remoteAddr, $proxy));	1✔
296	if ($usingTrustedProxy) {	1✔
297	$remoteHost = null;	1✔
298	$remoteAddr = empty($_SERVER['HTTP_FORWARDED'])	1✔
299	? $this->useNonstandardProxy($url)	1✔
300	: $this->useForwardedProxy($url);	1✔
301
302	} else {
303	$remoteHost = !empty($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : null;	1✔
304	}
305
306	return [$remoteAddr, $remoteHost];	1✔
307	}
308
309
310	private function useForwardedProxy(Url $url): ?string	1✔
311	{
312	$forwardParams = preg_split('/[,;]/', $_SERVER['HTTP_FORWARDED']);	1✔
313	foreach ($forwardParams as $forwardParam) {	1✔
314	[$key, $value] = explode('=', $forwardParam, 2) + [1 => ''];	1✔
315	$proxyParams[strtolower(trim($key))][] = trim($value, " \t\"");	1✔
316	}
317
318	if (isset($proxyParams['for'])) {	1✔
319	$address = $proxyParams['for'][0];	1✔
320	$remoteAddr = str_contains($address, '[')	1✔
321	? substr($address, 1, strpos($address, ']') - 1) // IPv6	1✔
322	: explode(':', $address)[0]; // IPv4	1✔
323	}
324
325	if (isset($proxyParams['proto']) && count($proxyParams['proto']) === 1) {	1✔
326	$url->setScheme(strcasecmp($proxyParams['proto'][0], 'https') === 0 ? 'https' : 'http');	1✔
327	$url->setPort($url->getScheme() === 'https' ? 443 : 80);	1✔
328	}
329
330	if (
331	isset($proxyParams['host']) && count($proxyParams['host']) === 1	1✔
332	&& ($pair = $this->parseHostAndPort($proxyParams['host'][0]))	1✔
333	) {
334	$url->setHost($pair[0]);	1✔
335	if (isset($pair[1])) {	1✔
336	$url->setPort($pair[1]);	1✔
337	}
338	}
339	return $remoteAddr ?? null;	1✔
340	}
341
342
343	private function useNonstandardProxy(Url $url): ?string	1✔
344	{
345	if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])) {	1✔
346	$url->setScheme(strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0 ? 'https' : 'http');	1✔
347	$url->setPort($url->getScheme() === 'https' ? 443 : 80);	1✔
348	}
349
350	if (!empty($_SERVER['HTTP_X_FORWARDED_PORT'])) {	1✔
351	$url->setPort((int) $_SERVER['HTTP_X_FORWARDED_PORT']);	1✔
352	}
353
354	if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {	1✔
355	$xForwardedForWithoutProxies = array_filter(	1✔
356	explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']),	1✔
357	fn(string $ip): bool => filter_var($ip = trim($ip), FILTER_VALIDATE_IP) === false	1✔
358	\|\| !Arrays::some($this->proxies, fn(string $proxy): bool => Helpers::ipMatch($ip, $proxy)),	1✔
359	);
360	if ($xForwardedForWithoutProxies) {	1✔
361	$remoteAddr = trim(end($xForwardedForWithoutProxies));	1✔
362	$xForwardedForRealIpKey = key($xForwardedForWithoutProxies);	1✔
363	}
364	}
365
366	if (isset($xForwardedForRealIpKey) && !empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {	1✔
367	$xForwardedHost = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);	1✔
368	if (
369	isset($xForwardedHost[$xForwardedForRealIpKey])	1✔
370	&& ($pair = $this->parseHostAndPort(trim($xForwardedHost[$xForwardedForRealIpKey])))	1✔
371	) {
372	$url->setHost($pair[0]);	1✔
373	if (isset($pair[1])) {	1✔
374	$url->setPort($pair[1]);	1✔
375	}
376	}
377	}
378
379	return $remoteAddr ?? null;	1✔
380	}
381
382
383	/** @return array{string, ?int}\|null */
384	private function parseHostAndPort(string $s): ?array	1✔
385	{
386	return preg_match('#^([a-z0-9_.-]+\|\[[a-f0-9:]+])(:\d+)?$#Di', $s, $matches)	1✔
387	? [
388	rtrim(strtolower($matches[1]), '.'),	1✔
389	isset($matches[2]) ? (int) substr($matches[2], 1) : null,	1✔
390	]
391	: null;	1✔
392	}
393
394
395	/** @deprecated */
396	public function createHttpRequest(): Request
397	{
398	return $this->fromGlobals();	×
399	}
400	}

nette / http / 22293514258

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous