RequestFactory: extract port from x-forwarded-host (#230)

Izolex · dg · commit e66a32b65a28 · 2024-11-04T17:30:18.000+01:00
diff --git a/src/Http/RequestFactory.php b/src/Http/RequestFactory.php
@@ -347,8 +347,14 @@ private function useNonstandardProxy(Url $url): ?string
 
 		if (isset($xForwardedForRealIpKey) && !empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
 			$xForwardedHost = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']);
-			if (isset($xForwardedHost[$xForwardedForRealIpKey])) {
-				$url->setHost(trim($xForwardedHost[$xForwardedForRealIpKey]));
+			if (
+				isset($xForwardedHost[$xForwardedForRealIpKey])
+				&& ($pair = $this->parseHostAndPort(trim($xForwardedHost[$xForwardedForRealIpKey])))
+			) {
+				$url->setHost($pair[0]);
+				if (isset($pair[1])) {
+					$url->setPort($pair[1]);
+				}
 			}
 		}
 
diff --git a/tests/Http/RequestFactory.proxy.x-forwarded.phpt b/tests/Http/RequestFactory.proxy.x-forwarded.phpt
@@ -31,6 +31,43 @@ test('', function () {
 
 	$url = $factory->fromGlobals()->getUrl();
 	Assert::same('otherhost', $url->getHost());
+	Assert::same(80, $url->getPort());
+});
+
+test('', function () {
+	$_SERVER = [
+		'REMOTE_ADDR' => '127.0.0.3',
+		'REMOTE_HOST' => 'localhost',
+		'HTTP_X_FORWARDED_FOR' => '23.75.45.200',
+		'HTTP_X_FORWARDED_HOST' => 'otherhost:8080',
+	];
+
+	$factory = new RequestFactory;
+	$factory->setProxy('127.0.0.3');
+	Assert::same('23.75.45.200', $factory->fromGlobals()->getRemoteAddress());
+	Assert::same('a23-75-45-200.deploy.static.akamaitechnologies.com', $factory->fromGlobals()->getRemoteHost());
+
+	$url = $factory->fromGlobals()->getUrl();
+	Assert::same('otherhost', $url->getHost());
+	Assert::same(8080, $url->getPort());
+});
+
+test('', function () {
+	$_SERVER = [
+		'REMOTE_ADDR' => '127.0.0.3',
+		'HTTP_X_FORWARDED_FOR' => '23.75.45.200',
+		'HTTP_X_FORWARDED_HOST' => 'otherhost',
+		'HTTP_X_FORWARDED_PROTO' => 'https',
+		'HTTP_X_FORWARDED_PORT' => '8080',
+	];
+
+	$factory = new RequestFactory;
+	$factory->setProxy('127.0.0.3');
+
+	$url = $factory->fromGlobals()->getUrl();
+	Assert::same('https', $url->getScheme());
+	Assert::same('otherhost', $url->getHost());
+	Assert::same(8080, $url->getPort());
 });
 
 test('', function () {
@@ -45,10 +82,34 @@ test('', function () {
 	$factory->setProxy('10.0.0.0/24');
 	Assert::same('172.16.0.1', $factory->fromGlobals()->getRemoteAddress());
 	Assert::same('172.16.0.1', $factory->fromGlobals()->getRemoteHost());
-	Assert::same('real', $factory->fromGlobals()->getUrl()->getHost());
+
+	$url = $factory->fromGlobals()->getUrl();
+	Assert::same('real', $url->getHost());
+	Assert::same(80, $url->getPort());
 
 	$factory->setProxy(['10.0.0.1', '10.0.0.2']);
 	Assert::same('172.16.0.1', $factory->fromGlobals()->getRemoteAddress());
 	Assert::same('172.16.0.1', $factory->fromGlobals()->getRemoteHost());
-	Assert::same('real', $factory->fromGlobals()->getUrl()->getHost());
+
+	$url = $factory->fromGlobals()->getUrl();
+	Assert::same('real', $url->getHost());
+	Assert::same(80, $url->getPort());
+});
+
+test('', function () {
+	$_SERVER = [
+		'REMOTE_ADDR' => '10.0.0.2', //proxy2
+		'REMOTE_HOST' => 'proxy2',
+		'HTTP_X_FORWARDED_FOR' => '123.123.123.123, not-ip.com, 172.16.0.1, 10.0.0.1',
+		'HTTP_X_FORWARDED_HOST' => 'fake, not-ip.com, real:8080, proxy1',
+	];
+
+	$factory = new RequestFactory;
+	$factory->setProxy(['10.0.0.1', '10.0.0.2']);
+	Assert::same('172.16.0.1', $factory->fromGlobals()->getRemoteAddress());
+	Assert::same('172.16.0.1', $factory->fromGlobals()->getRemoteHost());
+
+	$url = $factory->fromGlobals()->getUrl();
+	Assert::same('real', $url->getHost());
+	Assert::same(8080, $url->getPort());
 });
