[FrameworkBundle][HttpKernel] Add support for SYMFONY_TRUSTED_PROXIES, SYMFONY_TRUSTED_HEADERS, SYMFONY_TRUST_X_SENDFILE_TYPE_HEADER and SYMFONY_TRUSTED_HOSTS env vars

Author: nicolas-grekas

CHANGELOG.md

@@ -16,6 +16,7 @@ CHANGELOG
  * Deprecate `session.sid_length` and `session.sid_bits_per_character` config options
  * Add the ability to use an existing service as a lock/semaphore resource
  * Add support for configuring multiple serializer instances via the configuration
+ * Add support for `SYMFONY_TRUSTED_PROXIES`, `SYMFONY_TRUSTED_HEADERS`, `SYMFONY_TRUST_X_SENDFILE_TYPE_HEADER` and `SYMFONY_TRUSTED_HOSTS` env vars
 
 7.1
 ---

DependencyInjection/Configuration.php

@@ -90,7 +90,7 @@ public function getConfigTreeBuilder(): TreeBuilder
                 ->end()
                 ->scalarNode('trust_x_sendfile_type_header')
                     ->info('Set true to enable support for xsendfile in binary file responses.')
-                    ->defaultFalse()
+                    ->defaultValue('%env(bool:default::SYMFONY_TRUST_X_SENDFILE_TYPE_HEADER)%')
                 ->end()
                 ->scalarNode('ide')->defaultValue($this->debug ? '%env(default::SYMFONY_IDE)%' : null)->end()
                 ->booleanNode('test')->end()
@@ -108,26 +108,23 @@ public function getConfigTreeBuilder(): TreeBuilder
                     ->prototype('scalar')->end()
                 ->end()
                 ->arrayNode('trusted_hosts')
-                    ->beforeNormalization()->ifString()->then(fn ($v) => [$v])->end()
+                    ->beforeNormalization()->ifString()->then(static fn ($v) => $v ? [$v] : [])->end()
                     ->prototype('scalar')->end()
+                    ->defaultValue(['%env(default::SYMFONY_TRUSTED_HOSTS)%'])
                 ->end()
                 ->variableNode('trusted_proxies')
                     ->beforeNormalization()
                         ->ifTrue(fn ($v) => 'private_ranges' === $v || 'PRIVATE_SUBNETS' === $v)
                         ->then(fn () => IpUtils::PRIVATE_SUBNETS)
                     ->end()
+                    ->defaultValue(['%env(default::SYMFONY_TRUSTED_PROXIES)%'])
                 ->end()
                 ->arrayNode('trusted_headers')
                     ->fixXmlConfig('trusted_header')
                     ->performNoDeepMerging()
-                    ->defaultValue(['x-forwarded-for', 'x-forwarded-port', 'x-forwarded-proto'])
-                    ->beforeNormalization()->ifString()->then(fn ($v) => $v ? array_map('trim', explode(',', $v)) : [])->end()
-                    ->enumPrototype()
-                        ->values([
-                            'forwarded',
-                            'x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port', 'x-forwarded-prefix',
-                        ])
-                    ->end()
+                    ->beforeNormalization()->ifString()->then(static fn ($v) => $v ? [$v] : [])->end()
+                    ->prototype('scalar')->end()
+                    ->defaultValue(['%env(default::SYMFONY_TRUSTED_HEADERS)%'])
                 ->end()
                 ->scalarNode('error_controller')
                     ->defaultValue('error_controller')

DependencyInjection/FrameworkExtension.php

@@ -313,14 +313,14 @@ public function load(array $configs, ContainerBuilder $container): void
 
         $container->setParameter('kernel.http_method_override', $config['http_method_override']);
         $container->setParameter('kernel.trust_x_sendfile_type_header', $config['trust_x_sendfile_type_header']);
-        $container->setParameter('kernel.trusted_hosts', $config['trusted_hosts']);
+        $container->setParameter('kernel.trusted_hosts', [0] === array_keys($config['trusted_hosts']) ? $config['trusted_hosts'][0] : $config['trusted_hosts']);
         $container->setParameter('kernel.default_locale', $config['default_locale']);
         $container->setParameter('kernel.enabled_locales', $config['enabled_locales']);
         $container->setParameter('kernel.error_controller', $config['error_controller']);
 
         if (($config['trusted_proxies'] ?? false) && ($config['trusted_headers'] ?? false)) {
-            $container->setParameter('kernel.trusted_proxies', $config['trusted_proxies']);
-            $container->setParameter('kernel.trusted_headers', $this->resolveTrustedHeaders($config['trusted_headers']));
+            $container->setParameter('kernel.trusted_proxies', \is_array($config['trusted_proxies']) && [0] === array_keys($config['trusted_proxies']) ? $config['trusted_proxies'][0] : $config['trusted_proxies']);
+            $container->setParameter('kernel.trusted_headers', [0] === array_keys($config['trusted_headers']) ? $config['trusted_headers'][0] : $config['trusted_headers']);
         }
 
         if (!$container->hasParameter('debug.file_link_format')) {
@@ -3114,25 +3114,6 @@ private function registerHtmlSanitizerConfiguration(array $config, ContainerBuil
         }
     }
 
-    private function resolveTrustedHeaders(array $headers): int
-    {
-        $trustedHeaders = 0;
-
-        foreach ($headers as $h) {
-            $trustedHeaders |= match ($h) {
-                'forwarded' => Request::HEADER_FORWARDED,
-                'x-forwarded-for' => Request::HEADER_X_FORWARDED_FOR,
-                'x-forwarded-host' => Request::HEADER_X_FORWARDED_HOST,
-                'x-forwarded-proto' => Request::HEADER_X_FORWARDED_PROTO,
-                'x-forwarded-port' => Request::HEADER_X_FORWARDED_PORT,
-                'x-forwarded-prefix' => Request::HEADER_X_FORWARDED_PREFIX,
-                default => 0,
-            };
-        }
-
-        return $trustedHeaders;
-    }
-
     public function getXsdValidationBasePath(): string|false
     {
         return \dirname(__DIR__).'/Resources/config/schema';

Tests/DependencyInjection/ConfigurationTest.php

@@ -704,19 +704,16 @@ protected static function getBundleDefaultConfig()
         return [
             'http_method_override' => false,
             'handle_all_throwables' => true,
-            'trust_x_sendfile_type_header' => false,
+            'trust_x_sendfile_type_header' => '%env(bool:default::SYMFONY_TRUST_X_SENDFILE_TYPE_HEADER)%',
             'ide' => '%env(default::SYMFONY_IDE)%',
             'default_locale' => 'en',
             'enabled_locales' => [],
             'set_locale_from_accept_language' => false,
             'set_content_language_from_locale' => false,
             'secret' => 's3cr3t',
-            'trusted_hosts' => [],
-            'trusted_headers' => [
-                'x-forwarded-for',
-                'x-forwarded-port',
-                'x-forwarded-proto',
-            ],
+            'trusted_hosts' => ['%env(default::SYMFONY_TRUSTED_HOSTS)%'],
+            'trusted_proxies' => ['%env(default::SYMFONY_TRUSTED_PROXIES)%'],
+            'trusted_headers' => ['%env(default::SYMFONY_TRUSTED_HEADERS)%'],
             'csrf_protection' => [
                 'enabled' => false,
             ],