26789697442

Committed 01 Jun 2026 11:59PM UTC coverage: 83.912% (+0.06%) from 83.853%

Build Type

push

github

Committed by

Commit Message

Helpers: added expirationToSeconds() unifying expiration handling

A numeric value is now always treated as a relative interval in seconds
(avoiding the ambiguous one-year threshold in DateTime::from()), a
DateTimeInterface as an absolute time, and a textual string is resolved by
strtotime(). null means a session lifetime; a time in the past is clamped to 0
(immediate deletion). A falsy value (0, '0', '') is kept as a session lifetime
for BC but is now deprecated in favour of null. Session::setExpiration() rejects
an expiration in the past. Used by Response and Session cookie/expiration methods.

Coverage Stats

25 of 33 new or added lines in 4 files covered. (75.76%)

2 existing lines in 2 files now uncovered.

1064 of 1268 relevant lines covered (83.91%)

0.84 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

96.28

/src/Http/RequestFactory.php

<?php declare(strict_types=1);

/**
 * This file is part of the Nette Framework (https://nette.org)
 * Copyright (c) 2004 David Grudl (https://davidgrudl.com)
 */

namespace Nette\Http;

use Nette;
use Nette\Utils\Arrays;
use Nette\Utils\Strings;
use function array_filter, base64_encode, count, end, explode, file_get_contents, filter_input_array, function_exists, get_debug_type, in_array, ini_get, is_array, is_string, key, min, preg_last_error, preg_match, preg_replace, preg_split, rtrim, sprintf, str_contains, strcasecmp, strlen, strncmp, strpos, strrpos, strtolower, strtr, substr, trim;
use const PHP_SAPI;


/**
 * HTTP request factory.
 */
class RequestFactory
{
        /** @internal */
        private const ValidChars = '\x09\x0A\x0D\x20-\x7E\xA0-\x{10FFFF}';

        /**
         * Regex-based filters applied to the URL before parsing. 'path' filters run on the path component only;
         * 'url' filters run on the full request URI.
         * @var array<string, array<string, string>>
         */
        public array $urlFilters = [
                'path' => ['#//#' => '/'], // '%20' => ''
                'url' => [], // '#[.,)]$#D' => ''
        ];

        private bool $binary = false;
        private bool $forceHttps = false;

        /** @var list<string> */
        private array $proxies = [];


        /**
         * Disables sanitization of request data (GET, POST, cookies, file names) for binary-safe handling.
         */
        public function setBinary(bool $binary = true): static
        {
                $this->binary = $binary;
                return $this;
        }


        /**
         * Sets the trusted proxy IP addresses or CIDR blocks used to resolve the real client IP and URL scheme.
         * @param string|list<string>  $proxy
         */
        public function setProxy(string|array $proxy): static
        {
                $this->proxies = (array) $proxy;
                return $this;
        }


        /**
         * Forces the request scheme to HTTPS regardless of the server environment.
         */
        public function setForceHttps(bool $forceHttps = true): static
        {
                $this->forceHttps = $forceHttps;
                return $this;
        }


        /**
         * Returns new Request instance, using values from superglobals.
         */
        public function fromGlobals(): Request
        {
                $url = new Url;
                $this->getServer($url);
                $this->getPathAndQuery($url);
                [$post, $cookies] = $this->getGetPostCookie($url);
                $remoteAddr = $this->getClient($url);
                if ($this->forceHttps) {
                        $url->setScheme('https');
                }

                return new Request(
                        new UrlScript($url, $this->getScriptPath($url)),
                        $post,
                        $this->getFiles(),
                        $cookies,
                        $this->getHeaders(),
                        $this->getMethod(),
                        $remoteAddr,
                        null,
                        fn() => (string) file_get_contents('php://input'),
                );
        }


        private function getServer(Url $url): void
        {
                $url->setScheme(!empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'off') ? 'https' : 'http');

                if (
                        (isset($_SERVER[$tmp = 'HTTP_HOST']) || isset($_SERVER[$tmp = 'SERVER_NAME']))
                        && ($pair = $this->parseHostAndPort($_SERVER[$tmp]))
                ) {
                        $url->setHost($pair[0]);
                        if (isset($pair[1])) {
                                $url->setPort($pair[1]);
                        } elseif ($tmp === 'SERVER_NAME' && isset($_SERVER['SERVER_PORT'])) {
                                $url->setPort((int) $_SERVER['SERVER_PORT']);
                        }
                }
        }


        private function getPathAndQuery(Url $url): void
        {
                $requestUrl = $_SERVER['REQUEST_URI'] ?? '/';
                $requestUrl = preg_replace('#^\w++://[^/]++#', '', $requestUrl);
                $requestUrl = Strings::replace($requestUrl, $this->urlFilters['url']);

                $tmp = explode('?', $requestUrl, 2);
                $path = Url::unescape($tmp[0], '%/?#');
                $path = Strings::fixEncoding(Strings::replace($path, $this->urlFilters['path']));
                $url->setPath($path);
                $url->setQuery($tmp[1] ?? '');
        }


        private function getScriptPath(Url $url): string
        {
                if (PHP_SAPI === 'cli-server') {
                        return '/';
                }

                $path = $url->getPath();
                $lpath = strtolower($path);
                $script = strtolower($_SERVER['SCRIPT_NAME'] ?? '');
                if ($lpath !== $script) {
                        $max = min(strlen($lpath), strlen($script));
                        for ($i = 0; $i < $max && $lpath[$i] === $script[$i]; $i++);
                        $path = $i
                                ? substr($path, 0, strrpos($path, '/', $i - strlen($path) - 1) + 1)
                                : '/';
                }

                return $path;
        }


        /** @return array{mixed[], mixed[]} */
        private function getGetPostCookie(Url $url): array
        {
                $useFilter = (!in_array((string) ini_get('filter.default'), ['', 'unsafe_raw'], strict: true) || ini_get('filter.default_flags'));

                $query = $url->getQueryParameters();
                $post = $useFilter
                        ? filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW)
                        : (empty($_POST) ? [] : $_POST);
                $cookies = $useFilter
                        ? filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW)
                        : (empty($_COOKIE) ? [] : $_COOKIE);

                // remove invalid characters
                $reChars = '#^[' . self::ValidChars . ']*+$#Du';
                if (!$this->binary) {
                        $list = [&$query, &$post, &$cookies];
                        foreach ($list as $key => &$val) {
                                foreach ($val as $k => $v) {
                                        if (is_string($k) && (!preg_match($reChars, $k) || preg_last_error())) {
                                                unset($list[$key][$k]);

                                        } elseif (is_array($v)) {
                                                $list[$key][$k] = $v;
                                                $list[] = &$list[$key][$k];

                                        } elseif (is_string($v)) {
                                                $list[$key][$k] = (string) preg_replace('#[^' . self::ValidChars . ']+#u', '', $v);

                                        } else {
                                                throw new Nette\InvalidStateException(sprintf('Invalid value in $_POST/$_COOKIE in key %s, expected string, %s given.', "'$k'", get_debug_type($v)));
                                        }
                                }
                        }

                        unset($list, $key, $val, $k, $v);
                }

                $url->setQuery($query);
                return [$post, $cookies];
        }


        /** @return mixed[] */
        private function getFiles(): array
        {
                $reChars = '#^[' . self::ValidChars . ']*+$#Du';
                $files = [];
                $list = [];
                foreach ($_FILES ?? [] as $k => $v) {
                        if (
                                !is_array($v)
                                || !isset($v['name'], $v['type'], $v['size'], $v['tmp_name'], $v['error'])
                                || (!$this->binary && is_string($k) && (!preg_match($reChars, $k) || preg_last_error()))
                        ) {
                                continue;
                        }

                        $v['@'] = &$files[$k];
                        $list[] = $v;
                }

                // create FileUpload objects
                foreach ($list as &$v) {
                        if (!isset($v['name'])) {
                                continue;

                        } elseif (!is_array($v['name'])) {
                                if (!$this->binary && (!preg_match($reChars, $v['name']) || preg_last_error())) {
                                        $v['name'] = '';
                                }

                                if ($v['error'] !== UPLOAD_ERR_NO_FILE) {
                                        $v['@'] = new FileUpload($v);
                                }

                                continue;
                        }

                        foreach ($v['name'] as $k => $foo) {
                                if (!$this->binary && is_string($k) && (!preg_match($reChars, $k) || preg_last_error())) {
                                        continue;
                                }

                                $list[] = [
                                        'name' => $v['name'][$k],
                                        'type' => $v['type'][$k],
                                        'size' => $v['size'][$k],
                                        'full_path' => $v['full_path'][$k] ?? null,
                                        'tmp_name' => $v['tmp_name'][$k],
                                        'error' => $v['error'][$k],
                                        '@' => &$v['@'][$k],
                                ];
                        }
                }

                return $files;
        }


        /** @return array<string, string> */
        private function getHeaders(): array
        {
                if (function_exists('apache_request_headers')) {
                        $headers = apache_request_headers() ?: [];
                } else {
                        $headers = [];
                        foreach ($_SERVER as $k => $v) {
                                if (str_starts_with($k, 'HTTP_')) {
                                        $k = substr($k, 5);
                                } elseif (strncmp($k, 'CONTENT_', 8)) {
                                        continue;
                                }

                                $headers[strtr($k, '_', '-')] = $v;
                        }
                }

                if (!isset($headers['Authorization'])) {
                        if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
                                $headers['Authorization'] = 'Basic ' . base64_encode($_SERVER['PHP_AUTH_USER'] . ':' . $_SERVER['PHP_AUTH_PW']);
                        } elseif (isset($_SERVER['PHP_AUTH_DIGEST'])) {
                                $headers['Authorization'] = 'Digest ' . $_SERVER['PHP_AUTH_DIGEST'];
                        }
                }

                return $headers;
        }


        private function getMethod(): string
        {
                $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
                if (
                        $method === 'POST'
                        && preg_match('#^[A-Z]+$#D', $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? '')
                ) {
                        $method = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'];
                }

                return $method;
        }


        private function getClient(Url $url): ?string
        {
                $remoteAddr = !empty($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;

                // use real client address if trusted proxy is used
                $client = $remoteAddr ? IPAddress::tryFrom($remoteAddr) : null;
                $usingTrustedProxy = $client && Arrays::some($this->proxies, fn(string $proxy): bool => $client->isInRange($proxy));
                if ($usingTrustedProxy) {
                        return empty($_SERVER['HTTP_FORWARDED'])
                                ? $this->useNonstandardProxy($url)
                                : $this->useForwardedProxy($url);
                }

                return $remoteAddr;
        }


        private function useForwardedProxy(Url $url): ?string
        {
                $forwardParams = preg_split('/[,;]/', $_SERVER['HTTP_FORWARDED']);
                foreach ($forwardParams as $forwardParam) {
                        [$key, $value] = explode('=', $forwardParam, 2) + [1 => ''];
                        $proxyParams[strtolower(trim($key))][] = trim($value, " \t\"");
                }

                if (isset($proxyParams['for'])) {
                        $address = $proxyParams['for'][0];
                        $remoteAddr = str_contains($address, '[')
                                ? substr($address, 1, strpos($address, ']') - 1) // IPv6
                                : explode(':', $address)[0];  // IPv4
                }

                if (isset($proxyParams['proto']) && count($proxyParams['proto']) === 1) {
                        $url->setScheme(strcasecmp($proxyParams['proto'][0], 'https') === 0 ? 'https' : 'http');
                        $url->setPort($url->getScheme() === 'https' ? 443 : 80);
                }

                if (
                        isset($proxyParams['host']) && count($proxyParams['host']) === 1
                        && ($pair = $this->parseHostAndPort($proxyParams['host'][0]))
                ) {
                        $url->setHost($pair[0]);
                        if (isset($pair[1])) {
                                $url->setPort($pair[1]);
                        }
                }
                return $remoteAddr ?? null;
        }


        private function useNonstandardProxy(Url $url): ?string
        {
                if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
                        $url->setScheme(strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0 ? 'https' : 'http');
                        $url->setPort($url->getScheme() === 'https' ? 443 : 80);
                }

                if (!empty($_SERVER['HTTP_X_FORWARDED_PORT'])) {
                        $url->setPort((int) $_SERVER['HTTP_X_FORWARDED_PORT']);
                }

                if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                        $xForwardedForWithoutProxies = array_filter(
                                explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']),
                                fn(string $ip): bool => ($address = IPAddress::tryFrom(trim($ip))) === null
                                        || !Arrays::some($this->proxies, fn(string $proxy): bool => $address->isInRange($proxy)),
                        );
                        if ($xForwardedForWithoutProxies) {
                                $remoteAddr = trim(end($xForwardedForWithoutProxies));
                                $xForwardedForRealIpKey = key($xForwardedForWithoutProxies);
                        }
                }

                if (isset($xForwardedForRealIpKey) && !empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
                        $xForwardedHost = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);
                        if (
                                isset($xForwardedHost[$xForwardedForRealIpKey])
                                && ($pair = $this->parseHostAndPort(trim($xForwardedHost[$xForwardedForRealIpKey])))
                        ) {
                                $url->setHost($pair[0]);
                                if (isset($pair[1])) {
                                        $url->setPort($pair[1]);
                                }
                        }
                }

                return $remoteAddr ?? null;
        }


        /** @return array{string, ?int}|null */
        private function parseHostAndPort(string $s): ?array
        {
                return preg_match('#^([a-z0-9_.-]+|\[[a-f0-9:]+])(:\d+)?$#Di', $s, $matches)
                        ? [
                                rtrim(strtolower($matches[1]), '.'),
                                isset($matches[2]) ? (int) substr($matches[2], 1) : null,
                        ]
                        : null;
        }


        /** @deprecated */
        public function createHttpRequest(): Request
        {
                return $this->fromGlobals();
        }
}

1	<?php declare(strict_types=1);
2
3	/**
4	* This file is part of the Nette Framework (https://nette.org)
5	* Copyright (c) 2004 David Grudl (https://davidgrudl.com)
6	*/
7
8	namespace Nette\Http;
9
10	use Nette;
11	use Nette\Utils\Arrays;
12	use Nette\Utils\Strings;
13	use function array_filter, base64_encode, count, end, explode, file_get_contents, filter_input_array, function_exists, get_debug_type, in_array, ini_get, is_array, is_string, key, min, preg_last_error, preg_match, preg_replace, preg_split, rtrim, sprintf, str_contains, strcasecmp, strlen, strncmp, strpos, strrpos, strtolower, strtr, substr, trim;
14	use const PHP_SAPI;
15
16
17	/**
18	* HTTP request factory.
19	*/
20	class RequestFactory
21	{
22	/** @internal */
23	private const ValidChars = '\x09\x0A\x0D\x20-\x7E\xA0-\x{10FFFF}';
24
25	/**
26	* Regex-based filters applied to the URL before parsing. 'path' filters run on the path component only;
27	* 'url' filters run on the full request URI.
28	* @var array<string, array<string, string>>
29	*/
30	public array $urlFilters = [
31	'path' => ['#//#' => '/'], // '%20' => ''
32	'url' => [], // '#[.,)]$#D' => ''
33	];
34
35	private bool $binary = false;
36	private bool $forceHttps = false;
37
38	/** @var list<string> */
39	private array $proxies = [];
40
41
42	/**
43	* Disables sanitization of request data (GET, POST, cookies, file names) for binary-safe handling.
44	*/
45	public function setBinary(bool $binary = true): static	1✔
46	{
47	$this->binary = $binary;	1✔
48	return $this;	1✔
49	}
50
51
52	/**
53	* Sets the trusted proxy IP addresses or CIDR blocks used to resolve the real client IP and URL scheme.
54	* @param string\|list<string> $proxy
55	*/
56	public function setProxy(string\|array $proxy): static	1✔
57	{
58	$this->proxies = (array) $proxy;	1✔
59	return $this;	1✔
60	}
61
62
63	/**
64	* Forces the request scheme to HTTPS regardless of the server environment.
65	*/
66	public function setForceHttps(bool $forceHttps = true): static	1✔
67	{
68	$this->forceHttps = $forceHttps;	1✔
69	return $this;	1✔
70	}
71
72
73	/**
74	* Returns new Request instance, using values from superglobals.
75	*/
76	public function fromGlobals(): Request
77	{
78	$url = new Url;	1✔
79	$this->getServer($url);	1✔
80	$this->getPathAndQuery($url);	1✔
81	[$post, $cookies] = $this->getGetPostCookie($url);	1✔
82	$remoteAddr = $this->getClient($url);	1✔
83	if ($this->forceHttps) {	1✔
84	$url->setScheme('https');	1✔
85	}
86
87	return new Request(	1✔
88	new UrlScript($url, $this->getScriptPath($url)),	1✔
89	$post,
90	$this->getFiles(),	1✔
91	$cookies,
92	$this->getHeaders(),	1✔
93	$this->getMethod(),	1✔
94	$remoteAddr,
95	null,	1✔
96	fn() => (string) file_get_contents('php://input'),	1✔
97	);
98	}
99
100
101	private function getServer(Url $url): void	1✔
102	{
103	$url->setScheme(!empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'off') ? 'https' : 'http');	1✔
104
105	if (
106	(isset($_SERVER[$tmp = 'HTTP_HOST']) \|\| isset($_SERVER[$tmp = 'SERVER_NAME']))	1✔
107	&& ($pair = $this->parseHostAndPort($_SERVER[$tmp]))	1✔
108	) {
109	$url->setHost($pair[0]);	1✔
110	if (isset($pair[1])) {	1✔
111	$url->setPort($pair[1]);	1✔
112	} elseif ($tmp === 'SERVER_NAME' && isset($_SERVER['SERVER_PORT'])) {	1✔
113	$url->setPort((int) $_SERVER['SERVER_PORT']);	1✔
114	}
115	}
116	}	1✔
117
118
119	private function getPathAndQuery(Url $url): void	1✔
120	{
121	$requestUrl = $_SERVER['REQUEST_URI'] ?? '/';	1✔
122	$requestUrl = preg_replace('#^\w++://[^/]++#', '', $requestUrl);	1✔
123	$requestUrl = Strings::replace($requestUrl, $this->urlFilters['url']);	1✔
124
125	$tmp = explode('?', $requestUrl, 2);	1✔
126	$path = Url::unescape($tmp[0], '%/?#');	1✔
127	$path = Strings::fixEncoding(Strings::replace($path, $this->urlFilters['path']));	1✔
128	$url->setPath($path);	1✔
129	$url->setQuery($tmp[1] ?? '');	1✔
130	}	1✔
131
132
133	private function getScriptPath(Url $url): string	1✔
134	{
135	if (PHP_SAPI === 'cli-server') {	1✔
136	return '/';	×
137	}
138
139	$path = $url->getPath();	1✔
140	$lpath = strtolower($path);	1✔
141	$script = strtolower($_SERVER['SCRIPT_NAME'] ?? '');	1✔
142	if ($lpath !== $script) {	1✔
143	$max = min(strlen($lpath), strlen($script));	1✔
144	for ($i = 0; $i < $max && $lpath[$i] === $script[$i]; $i++);	1✔
145	$path = $i	1✔
146	? substr($path, 0, strrpos($path, '/', $i - strlen($path) - 1) + 1)	1✔
147	: '/';	1✔
148	}
149
150	return $path;	1✔
151	}
152
153
154	/** @return array{mixed[], mixed[]} */
155	private function getGetPostCookie(Url $url): array	1✔
156	{
157	$useFilter = (!in_array((string) ini_get('filter.default'), ['', 'unsafe_raw'], strict: true) \|\| ini_get('filter.default_flags'));	1✔
158
159	$query = $url->getQueryParameters();	1✔
160	$post = $useFilter	1✔
161	? filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW)	×
162	: (empty($_POST) ? [] : $_POST);	1✔
163	$cookies = $useFilter	1✔
164	? filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW)	×
165	: (empty($_COOKIE) ? [] : $_COOKIE);	1✔
166
167	// remove invalid characters
168	$reChars = '#^[' . self::ValidChars . ']*+$#Du';	1✔
169	if (!$this->binary) {	1✔
170	$list = [&$query, &$post, &$cookies];	1✔
171	foreach ($list as $key => &$val) {	1✔
172	foreach ($val as $k => $v) {	1✔
173	if (is_string($k) && (!preg_match($reChars, $k) \|\| preg_last_error())) {	1✔
174	unset($list[$key][$k]);	1✔
175
176	} elseif (is_array($v)) {	1✔
177	$list[$key][$k] = $v;	1✔
178	$list[] = &$list[$key][$k];	1✔
179
180	} elseif (is_string($v)) {	1✔
181	$list[$key][$k] = (string) preg_replace('#[^' . self::ValidChars . ']+#u', '', $v);	1✔
182
183	} else {
184	throw new Nette\InvalidStateException(sprintf('Invalid value in $_POST/$_COOKIE in key %s, expected string, %s given.', "'$k'", get_debug_type($v)));	1✔
185	}
186	}
187	}
188
189	unset($list, $key, $val, $k, $v);	1✔
190	}
191
192	$url->setQuery($query);	1✔
193	return [$post, $cookies];	1✔
194	}
195
196
197	/** @return mixed[] */
198	private function getFiles(): array
199	{
200	$reChars = '#^[' . self::ValidChars . ']*+$#Du';	1✔
201	$files = [];	1✔
202	$list = [];	1✔
203	foreach ($_FILES ?? [] as $k => $v) {	1✔
204	if (
205	!is_array($v)	1✔
206	\|\| !isset($v['name'], $v['type'], $v['size'], $v['tmp_name'], $v['error'])	1✔
207	\|\| (!$this->binary && is_string($k) && (!preg_match($reChars, $k) \|\| preg_last_error()))	1✔
208	) {
209	continue;	1✔
210	}
211
212	$v['@'] = &$files[$k];	1✔
213	$list[] = $v;	1✔
214	}
215
216	// create FileUpload objects
217	foreach ($list as &$v) {	1✔
218	if (!isset($v['name'])) {	1✔
219	continue;	×
220
221	} elseif (!is_array($v['name'])) {	1✔
222	if (!$this->binary && (!preg_match($reChars, $v['name']) \|\| preg_last_error())) {	1✔
223	$v['name'] = '';	1✔
224	}
225
226	if ($v['error'] !== UPLOAD_ERR_NO_FILE) {	1✔
227	$v['@'] = new FileUpload($v);	1✔
228	}
229
230	continue;	1✔
231	}
232
233	foreach ($v['name'] as $k => $foo) {	1✔
234	if (!$this->binary && is_string($k) && (!preg_match($reChars, $k) \|\| preg_last_error())) {	1✔
235	continue;	×
236	}
237
238	$list[] = [	1✔
239	'name' => $v['name'][$k],	1✔
240	'type' => $v['type'][$k],	1✔
241	'size' => $v['size'][$k],	1✔
242	'full_path' => $v['full_path'][$k] ?? null,	1✔
243	'tmp_name' => $v['tmp_name'][$k],	1✔
244	'error' => $v['error'][$k],	1✔
245	'@' => &$v['@'][$k],	1✔
246	];
247	}
248	}
249
250	return $files;	1✔
251	}
252
253
254	/** @return array<string, string> */
255	private function getHeaders(): array
256	{
257	if (function_exists('apache_request_headers')) {	1✔
258	$headers = apache_request_headers() ?: [];	×
259	} else {
260	$headers = [];	1✔
261	foreach ($_SERVER as $k => $v) {	1✔
262	if (str_starts_with($k, 'HTTP_')) {	1✔
263	$k = substr($k, 5);	1✔
264	} elseif (strncmp($k, 'CONTENT_', 8)) {	1✔
265	continue;	1✔
266	}
267
268	$headers[strtr($k, '_', '-')] = $v;	1✔
269	}
270	}
271
272	if (!isset($headers['Authorization'])) {	1✔
273	if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {	1✔
274	$headers['Authorization'] = 'Basic ' . base64_encode($_SERVER['PHP_AUTH_USER'] . ':' . $_SERVER['PHP_AUTH_PW']);	1✔
275	} elseif (isset($_SERVER['PHP_AUTH_DIGEST'])) {	1✔
276	$headers['Authorization'] = 'Digest ' . $_SERVER['PHP_AUTH_DIGEST'];	1✔
277	}
278	}
279
280	return $headers;	1✔
281	}
282
283
284	private function getMethod(): string
285	{
286	$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';	1✔
287	if (
288	$method === 'POST'	1✔
289	&& preg_match('#^[A-Z]+$#D', $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? '')	1✔
290	) {
291	$method = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'];	1✔
292	}
293
294	return $method;	1✔
295	}
296
297
298	private function getClient(Url $url): ?string	1✔
299	{
300	$remoteAddr = !empty($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;	1✔
301
302	// use real client address if trusted proxy is used
303	$client = $remoteAddr ? IPAddress::tryFrom($remoteAddr) : null;	1✔
304	$usingTrustedProxy = $client && Arrays::some($this->proxies, fn(string $proxy): bool => $client->isInRange($proxy));	1✔
305	if ($usingTrustedProxy) {	1✔
306	return empty($_SERVER['HTTP_FORWARDED'])	1✔
307	? $this->useNonstandardProxy($url)	1✔
308	: $this->useForwardedProxy($url);	1✔
309	}
310
311	return $remoteAddr;	1✔
312	}
313
314
315	private function useForwardedProxy(Url $url): ?string	1✔
316	{
317	$forwardParams = preg_split('/[,;]/', $_SERVER['HTTP_FORWARDED']);	1✔
318	foreach ($forwardParams as $forwardParam) {	1✔
319	[$key, $value] = explode('=', $forwardParam, 2) + [1 => ''];	1✔
320	$proxyParams[strtolower(trim($key))][] = trim($value, " \t\"");	1✔
321	}
322
323	if (isset($proxyParams['for'])) {	1✔
324	$address = $proxyParams['for'][0];	1✔
325	$remoteAddr = str_contains($address, '[')	1✔
326	? substr($address, 1, strpos($address, ']') - 1) // IPv6	1✔
327	: explode(':', $address)[0]; // IPv4	1✔
328	}
329
330	if (isset($proxyParams['proto']) && count($proxyParams['proto']) === 1) {	1✔
331	$url->setScheme(strcasecmp($proxyParams['proto'][0], 'https') === 0 ? 'https' : 'http');	1✔
332	$url->setPort($url->getScheme() === 'https' ? 443 : 80);	1✔
333	}
334
335	if (
336	isset($proxyParams['host']) && count($proxyParams['host']) === 1	1✔
337	&& ($pair = $this->parseHostAndPort($proxyParams['host'][0]))	1✔
338	) {
339	$url->setHost($pair[0]);	1✔
340	if (isset($pair[1])) {	1✔
341	$url->setPort($pair[1]);	1✔
342	}
343	}
344	return $remoteAddr ?? null;	1✔
345	}
346
347
348	private function useNonstandardProxy(Url $url): ?string	1✔
349	{
350	if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])) {	1✔
351	$url->setScheme(strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0 ? 'https' : 'http');	1✔
352	$url->setPort($url->getScheme() === 'https' ? 443 : 80);	1✔
353	}
354
355	if (!empty($_SERVER['HTTP_X_FORWARDED_PORT'])) {	1✔
356	$url->setPort((int) $_SERVER['HTTP_X_FORWARDED_PORT']);	1✔
357	}
358
359	if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {	1✔
360	$xForwardedForWithoutProxies = array_filter(	1✔
361	explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']),	1✔
362	fn(string $ip): bool => ($address = IPAddress::tryFrom(trim($ip))) === null	1✔
363	\|\| !Arrays::some($this->proxies, fn(string $proxy): bool => $address->isInRange($proxy)),	1✔
364	);
365	if ($xForwardedForWithoutProxies) {	1✔
366	$remoteAddr = trim(end($xForwardedForWithoutProxies));	1✔
367	$xForwardedForRealIpKey = key($xForwardedForWithoutProxies);	1✔
368	}
369	}
370
371	if (isset($xForwardedForRealIpKey) && !empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {	1✔
372	$xForwardedHost = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);	1✔
373	if (
374	isset($xForwardedHost[$xForwardedForRealIpKey])	1✔
375	&& ($pair = $this->parseHostAndPort(trim($xForwardedHost[$xForwardedForRealIpKey])))	1✔
376	) {
377	$url->setHost($pair[0]);	1✔
378	if (isset($pair[1])) {	1✔
379	$url->setPort($pair[1]);	1✔
380	}
381	}
382	}
383
384	return $remoteAddr ?? null;	1✔
385	}
386
387
388	/** @return array{string, ?int}\|null */
389	private function parseHostAndPort(string $s): ?array	1✔
390	{
391	return preg_match('#^([a-z0-9_.-]+\|\[[a-f0-9:]+])(:\d+)?$#Di', $s, $matches)	1✔
392	? [
393	rtrim(strtolower($matches[1]), '.'),	1✔
394	isset($matches[2]) ? (int) substr($matches[2], 1) : null,	1✔
395	]
396	: null;	1✔
397	}
398
399
400	/** @deprecated */
401	public function createHttpRequest(): Request
402	{
UNCOV 403	return $this->fromGlobals();	×
404	}
405	}

nette / http / 26789697442

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous