minor #14518 Remove deprecated HEADER_X_FORWARDED_ALL header (jderusse)

javiereguiluz · javiereguiluz · commit 3cdbd51d2f0a · 2020-11-18T10:49:52.000+01:00
This PR was submitted for the 5.x branch but it was squashed and merged into the 5.2 branch instead. Discussion ---------- Remove deprecated HEADER_X_FORWARDED_ALL header Fixes #14514 Commits ------- e591814 Remove deprecated HEADER_X_FORWARDED_ALL header
diff --git a/deployment/proxies.rst b/deployment/proxies.rst
@@ -35,15 +35,22 @@ and what headers your reverse proxy uses to send information::
         ['192.0.0.1', '10.0.0.0/8'],
 
         // trust *all* "X-Forwarded-*" headers
-        Request::HEADER_X_FORWARDED_ALL
+        Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO
 
         // or, if your proxy instead uses the "Forwarded" header
         // Request::HEADER_FORWARDED
 
-        // or, if you're using AWS ELB
+        // or, if you're using a wellknown proxy
         // Request::HEADER_X_FORWARDED_AWS_ELB
+        // Request::HEADER_X_FORWARDED_TRAEFIK
     );
 
+.. caution::
+
+    Enabling the ``Request::HEADER_X_FORWARDED_HOST`` option exposes the
+    application to "`HTTP Host header attacks`_". Make sure the proxy really
+    send a ``x-forwarded-host`` header.
+
 The Request object has several ``Request::HEADER_*`` constants that control exactly
 *which* headers from your reverse proxy are trusted. The argument is a bit field,
 so you can also pass your own value (e.g. ``0b00110``).
@@ -114,3 +121,4 @@ In this case, you'll need to set the header ``X-Forwarded-Proto`` with the value
 .. _`security groups`: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
 .. _`CloudFront`: https://en.wikipedia.org/wiki/Amazon_CloudFront
 .. _`CloudFront IP ranges`: https://ip-ranges.amazonaws.com/ip-ranges.json
+.. _`HTTP Host header attacks`: https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
diff --git a/migration.rst b/migration.rst
@@ -262,7 +262,7 @@ could look something like this::
     if ($trustedProxies = $_SERVER['TRUSTED_PROXIES'] ?? $_ENV['TRUSTED_PROXIES'] ?? false) {
         Request::setTrustedProxies(
           explode(',', $trustedProxies),
-          Request::HEADER_X_FORWARDED_ALL ^ Request::HEADER_X_FORWARDED_HOST
+          Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO
         );
     }
 

Original file line number	Diff line number	Diff line change
`@@ -262,7 +262,7 @@ could look something like this::`
`262`	`262`	`if ($trustedProxies = $_SERVER['TRUSTED_PROXIES'] ?? $_ENV['TRUSTED_PROXIES'] ?? false) {`
`263`	`263`	`Request::setTrustedProxies(`
`264`	`264`	`explode(',', $trustedProxies),`
`265`		`- Request::HEADER_X_FORWARDED_ALL ^ Request::HEADER_X_FORWARDED_HOST`
	`265`	`+ Request::HEADER_X_FORWARDED_FOR \| Request::HEADER_X_FORWARDED_PORT \| Request::HEADER_X_FORWARDED_PROTO`
`266`	`266`	`);`
`267`	`267`	`}`
`268`	`268`