Merge branch '6.4' into 7.3

xabbuh · xabbuh · commit 53959a9d2186 · 2025-09-05T14:13:34.000+02:00
* 6.4:
  [Security] Fix `HttpUtils::createRequest()` when the base request is forwarded
  fix setup to actually run Redis Sentinel/Cluster integration tests
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -261,6 +261,7 @@ jobs:
           REDIS_SENTINEL_SERVICE: redis_sentinel
           REDIS_REPLICATION_HOSTS: 'localhost:16382 localhost:16381'
           MESSENGER_REDIS_DSN: redis://127.0.0.1:7006/messages
+          MESSENGER_REDIS_SENTINEL_MASTER: redis_sentinel
           MESSENGER_AMQP_DSN: amqp://localhost/%2f/messages
           MESSENGER_SQS_DSN: "sqs://localhost:4566/messages?sslmode=disable&poll_timeout=0.01"
           MESSENGER_SQS_FIFO_QUEUE_DSN: "sqs://localhost:4566/messages.fifo?sslmode=disable&poll_timeout=0.01"
diff --git a/src/Symfony/Component/Messenger/Bridge/Redis/Tests/Transport/ConnectionTest.php b/src/Symfony/Component/Messenger/Bridge/Redis/Tests/Transport/ConnectionTest.php
@@ -404,10 +404,19 @@ public static function provideIdPatterns(): \Generator
         yield '100ms delay' => ['/^[A-Z\d\/+]+$/i', 100, 'rawCommand', '1'];
     }
 
+    /**
+     * @group integration
+     */
     public function testInvalidSentinelMasterName()
     {
+        if (!$hosts = getenv('REDIS_SENTINEL_HOSTS')) {
+            $this->markTestSkipped('REDIS_SENTINEL_HOSTS env var is not defined.');
+        }
+
+        $dsn = 'redis:?host['.str_replace(' ', ']&host[', $hosts).']';
+
         try {
-            Connection::fromDsn(getenv('MESSENGER_REDIS_DSN'), ['delete_after_ack' => true], null);
+            Connection::fromDsn($dsn, ['delete_after_ack' => true]);
         } catch (\Exception $e) {
             self::markTestSkipped($e->getMessage());
         }
@@ -416,14 +425,12 @@ public function testInvalidSentinelMasterName()
             self::markTestSkipped('Redis sentinel is not configured');
         }
 
-        $master = getenv('MESSENGER_REDIS_DSN');
         $uid = random_int(1, \PHP_INT_MAX);
 
-        $exp = explode('://', $master, 2)[1];
         $this->expectException(\InvalidArgumentException::class);
-        $this->expectExceptionMessage(\sprintf('Failed to retrieve master information from master name "%s" and address "%s".', $uid, $exp));
+        $this->expectExceptionMessage(\sprintf('Failed to retrieve master information from sentinel "%s".', $uid));
 
-        Connection::fromDsn(\sprintf('%s/messenger-clearlasterror', $master), ['delete_after_ack' => true, 'sentinel' => $uid], null);
+        Connection::fromDsn(\sprintf('%s/messenger-clearlasterror', $dsn), ['delete_after_ack' => true, 'sentinel' => $uid]);
     }
 
     public function testFromDsnOnUnixSocketWithUserAndPassword()
diff --git a/src/Symfony/Component/Messenger/Bridge/Redis/Tests/Transport/RedisExtIntegrationTest.php b/src/Symfony/Component/Messenger/Bridge/Redis/Tests/Transport/RedisExtIntegrationTest.php
@@ -39,7 +39,7 @@ protected function setUp(): void
 
         try {
             $this->redis = $this->createRedisClient();
-            $this->connection = Connection::fromDsn(getenv('MESSENGER_REDIS_DSN'), ['sentinel' => getenv('MESSENGER_REDIS_SENTINEL_MASTER') ?: null], $this->redis);
+            $this->connection = Connection::fromDsn(getenv('MESSENGER_REDIS_DSN'), [], $this->redis);
             $this->connection->cleanup();
             $this->connection->setup();
         } catch (\Exception $e) {
@@ -147,7 +147,7 @@ public function testConnectionSendDelayedMessagesWithSameContent()
     public function testConnectionBelowRedeliverTimeout()
     {
         // lower redeliver timeout and claim interval
-        $connection = Connection::fromDsn(getenv('MESSENGER_REDIS_DSN'), ['sentinel' => getenv('MESSENGER_REDIS_SENTINEL_MASTER') ?: null], $this->redis);
+        $connection = Connection::fromDsn(getenv('MESSENGER_REDIS_DSN'), [], $this->redis);
 
         $connection->cleanup();
         $connection->setup();
@@ -175,7 +175,7 @@ public function testConnectionClaimAndRedeliver()
         // lower redeliver timeout and claim interval
         $connection = Connection::fromDsn(
             getenv('MESSENGER_REDIS_DSN'),
-            ['redeliver_timeout' => 0, 'claim_interval' => 500, 'sentinel' => getenv('MESSENGER_REDIS_SENTINEL_MASTER') ?: null],
+            ['redeliver_timeout' => 0, 'claim_interval' => 500],
 
             $this->redis
         );
@@ -261,7 +261,17 @@ public static function sentinelOptionNames(): \Generator
 
     public function testLazySentinel()
     {
-        $connection = Connection::fromDsn(getenv('MESSENGER_REDIS_DSN'),
+        if (!$hosts = getenv('REDIS_SENTINEL_HOSTS')) {
+            $this->markTestSkipped('REDIS_SENTINEL_HOSTS env var is not defined.');
+        }
+
+        if (!getenv('MESSENGER_REDIS_SENTINEL_MASTER')) {
+            $this->markTestSkipped('MESSENGER_REDIS_SENTINEL_MASTER env var is not defined.');
+        }
+
+        $dsn = 'redis:?host['.str_replace(' ', ']&host[', $hosts).']';
+
+        $connection = Connection::fromDsn($dsn,
             ['lazy' => true,
                 'delete_after_ack' => true,
                 'sentinel' => getenv('MESSENGER_REDIS_SENTINEL_MASTER') ?: null,
@@ -336,7 +346,7 @@ public function testFromDsnWithMultipleHosts()
         $dsn = array_map(fn ($host) => 'redis://'.$host, $hosts);
         $dsn = implode(',', $dsn);
 
-        $this->assertInstanceOf(Connection::class, Connection::fromDsn($dsn, ['sentinel' => getenv('MESSENGER_REDIS_SENTINEL_MASTER') ?: null]));
+        $this->assertInstanceOf(Connection::class, Connection::fromDsn($dsn, []));
     }
 
     public function testJsonError()
@@ -460,7 +470,7 @@ private function getConnectionStream(Connection $connection): string
     private function skipIfRedisClusterUnavailable()
     {
         try {
-            new \RedisCluster(null, getenv('REDIS_CLUSTER_HOST') ? explode(' ', getenv('REDIS_CLUSTER_HOST')) : []);
+            new \RedisCluster(null, getenv('REDIS_CLUSTER_HOSTS') ? explode(' ', getenv('REDIS_CLUSTER_HOSTS')) : []);
         } catch (\Exception $e) {
             self::markTestSkipped($e->getMessage());
         }
diff --git a/src/Symfony/Component/Security/Http/HttpUtils.php b/src/Symfony/Component/Security/Http/HttpUtils.php
@@ -65,7 +65,13 @@ public function createRedirectResponse(Request $request, string $path, int $stat
      */
     public function createRequest(Request $request, string $path): Request
     {
+        if ($trustedProxies = Request::getTrustedProxies()) {
+            Request::setTrustedProxies([], Request::getTrustedHeaderSet());
+        }
         $newRequest = Request::create($this->generateUri($request, $path), 'get', [], $request->cookies->all(), [], $request->server->all());
+        if ($trustedProxies) {
+            Request::setTrustedProxies($trustedProxies, Request::getTrustedHeaderSet());
+        }
 
         static $setSession;
 
diff --git a/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php b/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php
@@ -233,6 +233,16 @@ public static function provideSecurityRequestAttributes()
         ];
     }
 
+    public function testCreateRequestHandlesTrustedHeaders()
+    {
+        Request::setTrustedProxies(['127.0.0.1'], Request::HEADER_X_FORWARDED_PREFIX);
+
+        $this->assertSame(
+            'http://localhost/foo/',
+            (new HttpUtils())->createRequest(Request::create('/', server: ['HTTP_X_FORWARDED_PREFIX' => '/foo']), '/')->getUri(),
+        );
+    }
+
     public function testCheckRequestPath()
     {
         $utils = new HttpUtils($this->getUrlGenerator());
