22837209177

Committed 09 Mar 2026 03:32AM UTC coverage: 83.513% (-0.1%) from 83.62%

Build # 22837209177

Build Type

push

github

Committed by

Commit Message

added CLAUDE.md

Run Details

932 of 1116 relevant lines covered (83.51%)

0.84 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

96.26

/src/Http/RequestFactory.php

<?php declare(strict_types=1);

/**
 * This file is part of the Nette Framework (https://nette.org)
 * Copyright (c) 2004 David Grudl (https://davidgrudl.com)
 */

namespace Nette\Http;

use Nette;
use Nette\Utils\Arrays;
use Nette\Utils\Strings;
use function array_filter, base64_encode, count, end, explode, file_get_contents, filter_input_array, filter_var, function_exists, get_debug_type, in_array, ini_get, is_array, is_string, key, min, preg_last_error, preg_match, preg_replace, preg_split, rtrim, sprintf, str_contains, strcasecmp, strlen, strncmp, strpos, strrpos, strtolower, strtr, substr, trim;
use const PHP_SAPI;


/**
 * HTTP request factory.
 */
class RequestFactory
{
        /** @internal */
        private const ValidChars = '\x09\x0A\x0D\x20-\x7E\xA0-\x{10FFFF}';

        /**
         * Regex-based filters applied to the URL before parsing. 'path' filters run on the path component only;
         * 'url' filters run on the full request URI.
         * @var array<string, array<string, string>>
         */
        public array $urlFilters = [
                'path' => ['#//#' => '/'], // '%20' => ''
                'url' => [], // '#[.,)]$#D' => ''
        ];

        private bool $binary = false;

        /** @var list<string> */
        private array $proxies = [];

        private bool $forceHttps = false;


        /**
         * Disables sanitization of request data (GET, POST, cookies, file names) for binary-safe handling.
         */
        public function setBinary(bool $binary = true): static
        {
                $this->binary = $binary;
                return $this;
        }


        /**
         * Sets the trusted proxy IP addresses or CIDR blocks used to resolve the real client IP and URL scheme.
         * @param string|list<string>  $proxy
         */
        public function setProxy($proxy): static
        {
                $this->proxies = (array) $proxy;
                return $this;
        }


        /**
         * Forces the request scheme to HTTPS regardless of the server environment.
         */
        public function setForceHttps(bool $forceHttps = true): static
        {
                $this->forceHttps = $forceHttps;
                return $this;
        }


        /**
         * Returns new Request instance, using values from superglobals.
         */
        public function fromGlobals(): Request
        {
                $url = new Url;
                $this->getServer($url);
                $this->getPathAndQuery($url);
                [$post, $cookies] = $this->getGetPostCookie($url);
                [$remoteAddr, $remoteHost] = $this->getClient($url);

                if ($this->forceHttps) {
                        $url->setScheme('https');
                }

                return new Request(
                        new UrlScript($url, $this->getScriptPath($url)),
                        $post,
                        $this->getFiles(),
                        $cookies,
                        $this->getHeaders(),
                        $this->getMethod(),
                        $remoteAddr,
                        $remoteHost,
                        fn(): string => (string) file_get_contents('php://input'),
                );
        }


        private function getServer(Url $url): void
        {
                $url->setScheme(!empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'off') ? 'https' : 'http');

                if (
                        (isset($_SERVER[$tmp = 'HTTP_HOST']) || isset($_SERVER[$tmp = 'SERVER_NAME']))
                        && ($pair = $this->parseHostAndPort($_SERVER[$tmp]))
                ) {
                        $url->setHost($pair[0]);
                        if (isset($pair[1])) {
                                $url->setPort($pair[1]);
                        } elseif ($tmp === 'SERVER_NAME' && isset($_SERVER['SERVER_PORT'])) {
                                $url->setPort((int) $_SERVER['SERVER_PORT']);
                        }
                }
        }


        private function getPathAndQuery(Url $url): void
        {
                $requestUrl = $_SERVER['REQUEST_URI'] ?? '/';
                $requestUrl = preg_replace('#^\w++://[^/]++#', '', $requestUrl);
                $requestUrl = Strings::replace($requestUrl, $this->urlFilters['url']);

                $tmp = explode('?', $requestUrl, 2);
                $path = Url::unescape($tmp[0], '%/?#');
                $path = Strings::fixEncoding(Strings::replace($path, $this->urlFilters['path']));
                $url->setPath($path);
                $url->setQuery($tmp[1] ?? '');
        }


        private function getScriptPath(Url $url): string
        {
                if (PHP_SAPI === 'cli-server') {
                        return '/';
                }

                $path = $url->getPath();
                $lpath = strtolower($path);
                $script = strtolower($_SERVER['SCRIPT_NAME'] ?? '');
                if ($lpath !== $script) {
                        $max = min(strlen($lpath), strlen($script));
                        for ($i = 0; $i < $max && $lpath[$i] === $script[$i]; $i++);
                        $path = $i
                                ? substr($path, 0, strrpos($path, '/', $i - strlen($path) - 1) + 1)
                                : '/';
                }

                return $path;
        }


        /** @return array{mixed[], mixed[]} */
        private function getGetPostCookie(Url $url): array
        {
                $useFilter = (!in_array((string) ini_get('filter.default'), ['', 'unsafe_raw'], strict: true) || ini_get('filter.default_flags'));

                $query = $url->getQueryParameters();
                $post = $useFilter
                        ? filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW)
                        : (empty($_POST) ? [] : $_POST);
                $cookies = $useFilter
                        ? filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW)
                        : (empty($_COOKIE) ? [] : $_COOKIE);

                // remove invalid characters
                $reChars = '#^[' . self::ValidChars . ']*+$#Du';
                if (!$this->binary) {
                        $list = [&$query, &$post, &$cookies];
                        foreach ($list as $key => &$val) {
                                foreach ($val as $k => $v) {
                                        if (is_string($k) && (!preg_match($reChars, $k) || preg_last_error())) {
                                                unset($list[$key][$k]);

                                        } elseif (is_array($v)) {
                                                $list[$key][$k] = $v;
                                                $list[] = &$list[$key][$k];

                                        } elseif (is_string($v)) {
                                                $list[$key][$k] = (string) preg_replace('#[^' . self::ValidChars . ']+#u', '', $v);

                                        } else {
                                                throw new Nette\InvalidStateException(sprintf('Invalid value in $_POST/$_COOKIE in key %s, expected string, %s given.', "'$k'", get_debug_type($v)));
                                        }
                                }
                        }

                        unset($list, $key, $val, $k, $v);
                }

                $url->setQuery($query);
                return [$post, $cookies];
        }


        /** @return mixed[] */
        private function getFiles(): array
        {
                $reChars = '#^[' . self::ValidChars . ']*+$#Du';
                $files = [];
                $list = [];
                foreach ($_FILES ?? [] as $k => $v) {
                        if (
                                !is_array($v)
                                || !isset($v['name'], $v['type'], $v['size'], $v['tmp_name'], $v['error'])
                                || (!$this->binary && is_string($k) && (!preg_match($reChars, $k) || preg_last_error()))
                        ) {
                                continue;
                        }

                        $v['@'] = &$files[$k];
                        $list[] = $v;
                }

                // create FileUpload objects
                foreach ($list as &$v) {
                        if (!isset($v['name'])) {
                                continue;

                        } elseif (!is_array($v['name'])) {
                                if (!$this->binary && (!preg_match($reChars, $v['name']) || preg_last_error())) {
                                        $v['name'] = '';
                                }

                                if ($v['error'] !== UPLOAD_ERR_NO_FILE) {
                                        $v['@'] = new FileUpload($v);
                                }

                                continue;
                        }

                        foreach ($v['name'] as $k => $foo) {
                                if (!$this->binary && is_string($k) && (!preg_match($reChars, $k) || preg_last_error())) {
                                        continue;
                                }

                                $list[] = [
                                        'name' => $v['name'][$k],
                                        'type' => $v['type'][$k],
                                        'size' => $v['size'][$k],
                                        'full_path' => $v['full_path'][$k] ?? null,
                                        'tmp_name' => $v['tmp_name'][$k],
                                        'error' => $v['error'][$k],
                                        '@' => &$v['@'][$k],
                                ];
                        }
                }

                return $files;
        }


        /** @return array<string, string> */
        private function getHeaders(): array
        {
                if (function_exists('apache_request_headers')) {
                        $headers = apache_request_headers();
                } else {
                        $headers = [];
                        foreach ($_SERVER as $k => $v) {
                                if (str_starts_with($k, 'HTTP_')) {
                                        $k = substr($k, 5);
                                } elseif (strncmp($k, 'CONTENT_', 8)) {
                                        continue;
                                }

                                $headers[strtr($k, '_', '-')] = $v;
                        }
                }

                if (!isset($headers['Authorization'])) {
                        if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
                                $headers['Authorization'] = 'Basic ' . base64_encode($_SERVER['PHP_AUTH_USER'] . ':' . $_SERVER['PHP_AUTH_PW']);
                        } elseif (isset($_SERVER['PHP_AUTH_DIGEST'])) {
                                $headers['Authorization'] = 'Digest ' . $_SERVER['PHP_AUTH_DIGEST'];
                        }
                }

                return $headers;
        }


        private function getMethod(): string
        {
                $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
                if (
                        $method === 'POST'
                        && preg_match('#^[A-Z]+$#D', $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? '')
                ) {
                        $method = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'];
                }

                return $method;
        }


        /** @return array{?string, ?string}  [remoteAddr, remoteHost] */
        private function getClient(Url $url): array
        {
                $remoteAddr = !empty($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;

                // use real client address and host if trusted proxy is used
                $usingTrustedProxy = $remoteAddr && Arrays::some($this->proxies, fn(string $proxy): bool => Helpers::ipMatch($remoteAddr, $proxy));
                if ($usingTrustedProxy) {
                        $remoteHost = null;
                        $remoteAddr = empty($_SERVER['HTTP_FORWARDED'])
                                ? $this->useNonstandardProxy($url)
                                : $this->useForwardedProxy($url);

                } else {
                        $remoteHost = !empty($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : null;
                }

                return [$remoteAddr, $remoteHost];
        }


        private function useForwardedProxy(Url $url): ?string
        {
                $forwardParams = preg_split('/[,;]/', $_SERVER['HTTP_FORWARDED']);
                foreach ($forwardParams as $forwardParam) {
                        [$key, $value] = explode('=', $forwardParam, 2) + [1 => ''];
                        $proxyParams[strtolower(trim($key))][] = trim($value, " \t\"");
                }

                if (isset($proxyParams['for'])) {
                        $address = $proxyParams['for'][0];
                        $remoteAddr = str_contains($address, '[')
                                ? substr($address, 1, strpos($address, ']') - 1) // IPv6
                                : explode(':', $address)[0];  // IPv4
                }

                if (isset($proxyParams['proto']) && count($proxyParams['proto']) === 1) {
                        $url->setScheme(strcasecmp($proxyParams['proto'][0], 'https') === 0 ? 'https' : 'http');
                        $url->setPort($url->getScheme() === 'https' ? 443 : 80);
                }

                if (
                        isset($proxyParams['host']) && count($proxyParams['host']) === 1
                        && ($pair = $this->parseHostAndPort($proxyParams['host'][0]))
                ) {
                        $url->setHost($pair[0]);
                        if (isset($pair[1])) {
                                $url->setPort($pair[1]);
                        }
                }
                return $remoteAddr ?? null;
        }


        private function useNonstandardProxy(Url $url): ?string
        {
                if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
                        $url->setScheme(strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0 ? 'https' : 'http');
                        $url->setPort($url->getScheme() === 'https' ? 443 : 80);
                }

                if (!empty($_SERVER['HTTP_X_FORWARDED_PORT'])) {
                        $url->setPort((int) $_SERVER['HTTP_X_FORWARDED_PORT']);
                }

                if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                        $xForwardedForWithoutProxies = array_filter(
                                explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']),
                                fn(string $ip): bool => filter_var($ip = trim($ip), FILTER_VALIDATE_IP) === false
                                        || !Arrays::some($this->proxies, fn(string $proxy): bool => Helpers::ipMatch($ip, $proxy)),
                        );
                        if ($xForwardedForWithoutProxies) {
                                $remoteAddr = trim(end($xForwardedForWithoutProxies));
                                $xForwardedForRealIpKey = key($xForwardedForWithoutProxies);
                        }
                }

                if (isset($xForwardedForRealIpKey) && !empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
                        $xForwardedHost = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);
                        if (
                                isset($xForwardedHost[$xForwardedForRealIpKey])
                                && ($pair = $this->parseHostAndPort(trim($xForwardedHost[$xForwardedForRealIpKey])))
                        ) {
                                $url->setHost($pair[0]);
                                if (isset($pair[1])) {
                                        $url->setPort($pair[1]);
                                }
                        }
                }

                return $remoteAddr ?? null;
        }


        /** @return array{string, ?int}|null */
        private function parseHostAndPort(string $s): ?array
        {
                return preg_match('#^([a-z0-9_.-]+|\[[a-f0-9:]+])(:\d+)?$#Di', $s, $matches)
                        ? [
                                rtrim(strtolower($matches[1]), '.'),
                                isset($matches[2]) ? (int) substr($matches[2], 1) : null,
                        ]
                        : null;
        }


        /** @deprecated */
        public function createHttpRequest(): Request
        {
                return $this->fromGlobals();
        }
}

1	<?php declare(strict_types=1);
2
3	/**
4	* This file is part of the Nette Framework (https://nette.org)
5	* Copyright (c) 2004 David Grudl (https://davidgrudl.com)
6	*/
7
8	namespace Nette\Http;
9
10	use Nette;
11	use Nette\Utils\Arrays;
12	use Nette\Utils\Strings;
13	use function array_filter, base64_encode, count, end, explode, file_get_contents, filter_input_array, filter_var, function_exists, get_debug_type, in_array, ini_get, is_array, is_string, key, min, preg_last_error, preg_match, preg_replace, preg_split, rtrim, sprintf, str_contains, strcasecmp, strlen, strncmp, strpos, strrpos, strtolower, strtr, substr, trim;
14	use const PHP_SAPI;
15
16
17	/**
18	* HTTP request factory.
19	*/
20	class RequestFactory
21	{
22	/** @internal */
23	private const ValidChars = '\x09\x0A\x0D\x20-\x7E\xA0-\x{10FFFF}';
24
25	/**
26	* Regex-based filters applied to the URL before parsing. 'path' filters run on the path component only;
27	* 'url' filters run on the full request URI.
28	* @var array<string, array<string, string>>
29	*/
30	public array $urlFilters = [
31	'path' => ['#//#' => '/'], // '%20' => ''
32	'url' => [], // '#[.,)]$#D' => ''
33	];
34
35	private bool $binary = false;
36
37	/** @var list<string> */
38	private array $proxies = [];
39
40	private bool $forceHttps = false;
41
42
43	/**
44	* Disables sanitization of request data (GET, POST, cookies, file names) for binary-safe handling.
45	*/
46	public function setBinary(bool $binary = true): static	1✔
47	{
48	$this->binary = $binary;	1✔
49	return $this;	1✔
50	}
51
52
53	/**
54	* Sets the trusted proxy IP addresses or CIDR blocks used to resolve the real client IP and URL scheme.
55	* @param string\|list<string> $proxy
56	*/
57	public function setProxy($proxy): static
58	{
59	$this->proxies = (array) $proxy;	1✔
60	return $this;	1✔
61	}
62
63
64	/**
65	* Forces the request scheme to HTTPS regardless of the server environment.
66	*/
67	public function setForceHttps(bool $forceHttps = true): static	1✔
68	{
69	$this->forceHttps = $forceHttps;	1✔
70	return $this;	1✔
71	}
72
73
74	/**
75	* Returns new Request instance, using values from superglobals.
76	*/
77	public function fromGlobals(): Request
78	{
79	$url = new Url;	1✔
80	$this->getServer($url);	1✔
81	$this->getPathAndQuery($url);	1✔
82	[$post, $cookies] = $this->getGetPostCookie($url);	1✔
83	[$remoteAddr, $remoteHost] = $this->getClient($url);	1✔
84
85	if ($this->forceHttps) {	1✔
86	$url->setScheme('https');	1✔
87	}
88
89	return new Request(	1✔
90	new UrlScript($url, $this->getScriptPath($url)),	1✔
91	$post,
92	$this->getFiles(),	1✔
93	$cookies,
94	$this->getHeaders(),	1✔
95	$this->getMethod(),	1✔
96	$remoteAddr,
97	$remoteHost,
98	fn(): string => (string) file_get_contents('php://input'),	1✔
99	);
100	}
101
102
103	private function getServer(Url $url): void	1✔
104	{
105	$url->setScheme(!empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'off') ? 'https' : 'http');	1✔
106
107	if (
108	(isset($_SERVER[$tmp = 'HTTP_HOST']) \|\| isset($_SERVER[$tmp = 'SERVER_NAME']))	1✔
109	&& ($pair = $this->parseHostAndPort($_SERVER[$tmp]))	1✔
110	) {
111	$url->setHost($pair[0]);	1✔
112	if (isset($pair[1])) {	1✔
113	$url->setPort($pair[1]);	1✔
114	} elseif ($tmp === 'SERVER_NAME' && isset($_SERVER['SERVER_PORT'])) {	1✔
115	$url->setPort((int) $_SERVER['SERVER_PORT']);	1✔
116	}
117	}
118	}	1✔
119
120
121	private function getPathAndQuery(Url $url): void	1✔
122	{
123	$requestUrl = $_SERVER['REQUEST_URI'] ?? '/';	1✔
124	$requestUrl = preg_replace('#^\w++://[^/]++#', '', $requestUrl);	1✔
125	$requestUrl = Strings::replace($requestUrl, $this->urlFilters['url']);	1✔
126
127	$tmp = explode('?', $requestUrl, 2);	1✔
128	$path = Url::unescape($tmp[0], '%/?#');	1✔
129	$path = Strings::fixEncoding(Strings::replace($path, $this->urlFilters['path']));	1✔
130	$url->setPath($path);	1✔
131	$url->setQuery($tmp[1] ?? '');	1✔
132	}	1✔
133
134
135	private function getScriptPath(Url $url): string	1✔
136	{
137	if (PHP_SAPI === 'cli-server') {	1✔
138	return '/';	×
139	}
140
141	$path = $url->getPath();	1✔
142	$lpath = strtolower($path);	1✔
143	$script = strtolower($_SERVER['SCRIPT_NAME'] ?? '');	1✔
144	if ($lpath !== $script) {	1✔
145	$max = min(strlen($lpath), strlen($script));	1✔
146	for ($i = 0; $i < $max && $lpath[$i] === $script[$i]; $i++);	1✔
147	$path = $i	1✔
148	? substr($path, 0, strrpos($path, '/', $i - strlen($path) - 1) + 1)	1✔
149	: '/';	1✔
150	}
151
152	return $path;	1✔
153	}
154
155
156	/** @return array{mixed[], mixed[]} */
157	private function getGetPostCookie(Url $url): array	1✔
158	{
159	$useFilter = (!in_array((string) ini_get('filter.default'), ['', 'unsafe_raw'], strict: true) \|\| ini_get('filter.default_flags'));	1✔
160
161	$query = $url->getQueryParameters();	1✔
162	$post = $useFilter	1✔
163	? filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW)	×
164	: (empty($_POST) ? [] : $_POST);	1✔
165	$cookies = $useFilter	1✔
166	? filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW)	×
167	: (empty($_COOKIE) ? [] : $_COOKIE);	1✔
168
169	// remove invalid characters
170	$reChars = '#^[' . self::ValidChars . ']*+$#Du';	1✔
171	if (!$this->binary) {	1✔
172	$list = [&$query, &$post, &$cookies];	1✔
173	foreach ($list as $key => &$val) {	1✔
174	foreach ($val as $k => $v) {	1✔
175	if (is_string($k) && (!preg_match($reChars, $k) \|\| preg_last_error())) {	1✔
176	unset($list[$key][$k]);	1✔
177
178	} elseif (is_array($v)) {	1✔
179	$list[$key][$k] = $v;	1✔
180	$list[] = &$list[$key][$k];	1✔
181
182	} elseif (is_string($v)) {	1✔
183	$list[$key][$k] = (string) preg_replace('#[^' . self::ValidChars . ']+#u', '', $v);	1✔
184
185	} else {
186	throw new Nette\InvalidStateException(sprintf('Invalid value in $_POST/$_COOKIE in key %s, expected string, %s given.', "'$k'", get_debug_type($v)));	1✔
187	}
188	}
189	}
190
191	unset($list, $key, $val, $k, $v);	1✔
192	}
193
194	$url->setQuery($query);	1✔
195	return [$post, $cookies];	1✔
196	}
197
198
199	/** @return mixed[] */
200	private function getFiles(): array
201	{
202	$reChars = '#^[' . self::ValidChars . ']*+$#Du';	1✔
203	$files = [];	1✔
204	$list = [];	1✔
205	foreach ($_FILES ?? [] as $k => $v) {	1✔
206	if (
207	!is_array($v)	1✔
208	\|\| !isset($v['name'], $v['type'], $v['size'], $v['tmp_name'], $v['error'])	1✔
209	\|\| (!$this->binary && is_string($k) && (!preg_match($reChars, $k) \|\| preg_last_error()))	1✔
210	) {
211	continue;	1✔
212	}
213
214	$v['@'] = &$files[$k];	1✔
215	$list[] = $v;	1✔
216	}
217
218	// create FileUpload objects
219	foreach ($list as &$v) {	1✔
220	if (!isset($v['name'])) {	1✔
221	continue;	×
222
223	} elseif (!is_array($v['name'])) {	1✔
224	if (!$this->binary && (!preg_match($reChars, $v['name']) \|\| preg_last_error())) {	1✔
225	$v['name'] = '';	1✔
226	}
227
228	if ($v['error'] !== UPLOAD_ERR_NO_FILE) {	1✔
229	$v['@'] = new FileUpload($v);	1✔
230	}
231
232	continue;	1✔
233	}
234
235	foreach ($v['name'] as $k => $foo) {	1✔
236	if (!$this->binary && is_string($k) && (!preg_match($reChars, $k) \|\| preg_last_error())) {	1✔
237	continue;	×
238	}
239
240	$list[] = [	1✔
241	'name' => $v['name'][$k],	1✔
242	'type' => $v['type'][$k],	1✔
243	'size' => $v['size'][$k],	1✔
244	'full_path' => $v['full_path'][$k] ?? null,	1✔
245	'tmp_name' => $v['tmp_name'][$k],	1✔
246	'error' => $v['error'][$k],	1✔
247	'@' => &$v['@'][$k],	1✔
248	];
249	}
250	}
251
252	return $files;	1✔
253	}
254
255
256	/** @return array<string, string> */
257	private function getHeaders(): array
258	{
259	if (function_exists('apache_request_headers')) {	1✔
260	$headers = apache_request_headers();	×
261	} else {
262	$headers = [];	1✔
263	foreach ($_SERVER as $k => $v) {	1✔
264	if (str_starts_with($k, 'HTTP_')) {	1✔
265	$k = substr($k, 5);	1✔
266	} elseif (strncmp($k, 'CONTENT_', 8)) {	1✔
267	continue;	1✔
268	}
269
270	$headers[strtr($k, '_', '-')] = $v;	1✔
271	}
272	}
273
274	if (!isset($headers['Authorization'])) {	1✔
275	if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {	1✔
276	$headers['Authorization'] = 'Basic ' . base64_encode($_SERVER['PHP_AUTH_USER'] . ':' . $_SERVER['PHP_AUTH_PW']);	1✔
277	} elseif (isset($_SERVER['PHP_AUTH_DIGEST'])) {	1✔
278	$headers['Authorization'] = 'Digest ' . $_SERVER['PHP_AUTH_DIGEST'];	1✔
279	}
280	}
281
282	return $headers;	1✔
283	}
284
285
286	private function getMethod(): string
287	{
288	$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';	1✔
289	if (
290	$method === 'POST'	1✔
291	&& preg_match('#^[A-Z]+$#D', $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? '')	1✔
292	) {
293	$method = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'];	1✔
294	}
295
296	return $method;	1✔
297	}
298
299
300	/** @return array{?string, ?string} [remoteAddr, remoteHost] */
301	private function getClient(Url $url): array	1✔
302	{
303	$remoteAddr = !empty($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;	1✔
304
305	// use real client address and host if trusted proxy is used
306	$usingTrustedProxy = $remoteAddr && Arrays::some($this->proxies, fn(string $proxy): bool => Helpers::ipMatch($remoteAddr, $proxy));	1✔
307	if ($usingTrustedProxy) {	1✔
308	$remoteHost = null;	1✔
309	$remoteAddr = empty($_SERVER['HTTP_FORWARDED'])	1✔
310	? $this->useNonstandardProxy($url)	1✔
311	: $this->useForwardedProxy($url);	1✔
312
313	} else {
314	$remoteHost = !empty($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : null;	1✔
315	}
316
317	return [$remoteAddr, $remoteHost];	1✔
318	}
319
320
321	private function useForwardedProxy(Url $url): ?string	1✔
322	{
323	$forwardParams = preg_split('/[,;]/', $_SERVER['HTTP_FORWARDED']);	1✔
324	foreach ($forwardParams as $forwardParam) {	1✔
325	[$key, $value] = explode('=', $forwardParam, 2) + [1 => ''];	1✔
326	$proxyParams[strtolower(trim($key))][] = trim($value, " \t\"");	1✔
327	}
328
329	if (isset($proxyParams['for'])) {	1✔
330	$address = $proxyParams['for'][0];	1✔
331	$remoteAddr = str_contains($address, '[')	1✔
332	? substr($address, 1, strpos($address, ']') - 1) // IPv6	1✔
333	: explode(':', $address)[0]; // IPv4	1✔
334	}
335
336	if (isset($proxyParams['proto']) && count($proxyParams['proto']) === 1) {	1✔
337	$url->setScheme(strcasecmp($proxyParams['proto'][0], 'https') === 0 ? 'https' : 'http');	1✔
338	$url->setPort($url->getScheme() === 'https' ? 443 : 80);	1✔
339	}
340
341	if (
342	isset($proxyParams['host']) && count($proxyParams['host']) === 1	1✔
343	&& ($pair = $this->parseHostAndPort($proxyParams['host'][0]))	1✔
344	) {
345	$url->setHost($pair[0]);	1✔
346	if (isset($pair[1])) {	1✔
347	$url->setPort($pair[1]);	1✔
348	}
349	}
350	return $remoteAddr ?? null;	1✔
351	}
352
353
354	private function useNonstandardProxy(Url $url): ?string	1✔
355	{
356	if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])) {	1✔
357	$url->setScheme(strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0 ? 'https' : 'http');	1✔
358	$url->setPort($url->getScheme() === 'https' ? 443 : 80);	1✔
359	}
360
361	if (!empty($_SERVER['HTTP_X_FORWARDED_PORT'])) {	1✔
362	$url->setPort((int) $_SERVER['HTTP_X_FORWARDED_PORT']);	1✔
363	}
364
365	if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {	1✔
366	$xForwardedForWithoutProxies = array_filter(	1✔
367	explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']),	1✔
368	fn(string $ip): bool => filter_var($ip = trim($ip), FILTER_VALIDATE_IP) === false	1✔
369	\|\| !Arrays::some($this->proxies, fn(string $proxy): bool => Helpers::ipMatch($ip, $proxy)),	1✔
370	);
371	if ($xForwardedForWithoutProxies) {	1✔
372	$remoteAddr = trim(end($xForwardedForWithoutProxies));	1✔
373	$xForwardedForRealIpKey = key($xForwardedForWithoutProxies);	1✔
374	}
375	}
376
377	if (isset($xForwardedForRealIpKey) && !empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {	1✔
378	$xForwardedHost = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);	1✔
379	if (
380	isset($xForwardedHost[$xForwardedForRealIpKey])	1✔
381	&& ($pair = $this->parseHostAndPort(trim($xForwardedHost[$xForwardedForRealIpKey])))	1✔
382	) {
383	$url->setHost($pair[0]);	1✔
384	if (isset($pair[1])) {	1✔
385	$url->setPort($pair[1]);	1✔
386	}
387	}
388	}
389
390	return $remoteAddr ?? null;	1✔
391	}
392
393
394	/** @return array{string, ?int}\|null */
395	private function parseHostAndPort(string $s): ?array	1✔
396	{
397	return preg_match('#^([a-z0-9_.-]+\|\[[a-f0-9:]+])(:\d+)?$#Di', $s, $matches)	1✔
398	? [
399	rtrim(strtolower($matches[1]), '.'),	1✔
400	isset($matches[2]) ? (int) substr($matches[2], 1) : null,	1✔
401	]
402	: null;	1✔
403	}
404
405
406	/** @deprecated */
407	public function createHttpRequest(): Request
408	{
409	return $this->fromGlobals();	×
410	}
411	}

nette / http / 22837209177

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous