| author | 2020-01-04 23:35:42 +0100 | |
|---|---|---|
| committer | 2020-01-04 23:35:42 +0100 | |
| commit | 2aff347b2e942286292b21e0b20d93ab85220a17 (patch) | |
| tree | a00c587dbaafe36da019dafca00b77357c3f58a8 /lib/Minz/Request.php | |
| parent | acc50df0efef8bd9fa937a5d640314c0e78e9117 (diff) | |
Fix wrong getHeader refactoring (#2749)
* Fix wrong getHeader refactoring
Fix regression introduced by
https://github.com/FreshRSS/FreshRSS/pull/2373
The refactoring required a call to init() even for static functions,
which is most of the time not done.
Removed premature abstraction of `$_SERVER`, which was the root cause of
the bug.
https://github.com/FreshRSS/FreshRSS/issues/2748#issuecomment-569898931
* Refactoring: Move serverIsPublic to Minz_Request
* Add mitigations for wrong configurations
Due to the regression, we have some existing configurations with a bad
base_url
* Forgot one instance
Diffstat (limited to 'lib/Minz/Request.php')
| -rw-r--r-- | lib/Minz/Request.php | 43 |
1 files changed, 37 insertions, 6 deletions
diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php
index ef641a0e9..b294abe26 100644
--- a/lib/Minz/Request.php
+++ b/lib/Minz/Request.php
@@ -11,7 +11,6 @@ class Minz_Request {
 private static $controller_name = '';
 private static $action_name = '';
 private static $params = array();
- private static $headers = array();
 private static $default_controller_name = 'index';
 private static $default_action_name = 'index';
@@ -101,7 +100,6 @@ class Minz_Request {
 * Initialise la Request
 */
 public static function init() {
- static::$headers = $_SERVER;
 self::initJSON();
 }
@@ -228,6 +226,42 @@ class Minz_Request {
 }
 /**
+ * Test if a given server address is publicly accessible.
+ *
+ * Note: for the moment it tests only if address is corresponding to a
+ * localhost address.
+ *
+ * @param $address the address to test, can be an IP or a URL.
+ * @return true if server is accessible, false otherwise.
+ * @todo improve test with a more valid technique (e.g. test with an external server?)
+ */
+ public static function serverIsPublic($address) {
+ if (strlen($address) < strlen('http://a.bc')) {
+ return false;
+ }
+ $host = parse_url($address, PHP_URL_HOST);
+ if (!$host) {
+ return false;
+ }
+
+ $is_public = !in_array($host, array(
+ 'localhost',
+ 'localhost.localdomain',
+ '[::1]',
+ 'ip6-localhost',
+ 'localhost6',
+ 'localhost6.localdomain6',
+ ));
+
+ if ($is_public) {
+ $is_public &= !preg_match('/^(10|127|172[.]16|192[.]168)[.]/', $host);
+ $is_public &= !preg_match('/^(\[)?(::1$|fc00::|fe80::)/i', $host);
+ }
+
+ return (bool)$is_public;
+ }
+
+ /**
 * Relance une requête
 * @param $url l'url vers laquelle est relancée la requête
 * @param $redirect si vrai, force la redirection http
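Review bot: The IPv4 pattern in `serverIsPublic()` matches only `172.16.x.x`, so the rest of the private block 172.16.0.0/12 (172.17–172.31) and link-local 169.254.0.0/16 are reported as public; the first pattern could read `'/^(10|127|169[.]254|172[.](1[6-9]|2[0-9]|3[01])|192[.]168)[.]/'`. The IPv6 pattern has the same kind of gap: it matches the literal prefixes `fc00::` and `fe80::` rather than the fc00::/7 and fe80::/10 ranges, so a unique-local address beginning with `fd` passes as public. The `in_array()` lookup is case-sensitive and `parse_url()` does not normalise the host, so comparing against `strtolower($host)` would also cover `LOCALHOST`. The docblock says `$address` can be an IP or a URL, but a bare IP without a scheme yields no `PHP_URL_HOST` and returns false; `@param string $address absolute URL including scheme` describes what the code accepts.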
@@ -348,10 +382,7 @@ class Minz_Request {
 * @return mixed
 */
 public static function getHeader($header, $default = null) {
- if (isset(static::$headers[$header])) {
- return static::$headers[$header];
- }
- return $default;
+ return isset($_SERVER[$header]) ? $_SERVER[$header] : $default;
 }
 /** |
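Review bot: `getHeader()` now reads `$_SERVER` directly, and the visible tail of its docblock (`@return mixed`) does not say that `$header` is a `$_SERVER` key rather than a header name, nor that `HTTP_*` entries are supplied by the client. The docblock starts outside the hunk, so this may already be covered there; if not, I would add `@param string $header $_SERVER key, e.g. 'HTTP_HOST'; HTTP_* values come from the client and must be validated by the caller`. The commit message mentions configurations left with a bad base_url, presumably derived from such values, which is why the trust boundary is worth stating at this accessor.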
