Fix #19437: Add support to specify request port by trusted proxies in \yii\web\Request::getServerPort()

rhertogh · web-flow · commit 45519d3c18b8 · 2022-06-17T20:18:18.000+03:00
diff --git a/docs/guide/runtime-requests.md b/docs/guide/runtime-requests.md
@@ -151,8 +151,9 @@ You should not blindly trust headers provided by proxies unless you explicitly t
 Since 2.0.13 Yii supports configuring trusted proxies via the 
 [[yii\web\Request::trustedHosts|trustedHosts]],
 [[yii\web\Request::secureHeaders|secureHeaders]], 
-[[yii\web\Request::ipHeaders|ipHeaders]] and
-[[yii\web\Request::secureProtocolHeaders|secureProtocolHeaders]]
+[[yii\web\Request::ipHeaders|ipHeaders]],
+[[yii\web\Request::secureProtocolHeaders|secureProtocolHeaders]] and
+[[yii\web\Request::portHeaders|portHeaders]] (since 2.0.46)
 properties of the `request` component.
 
 The following is a request config for an application that runs behind an array of reverse proxies,
@@ -184,6 +185,7 @@ In case your proxies are using different headers you can use the request configu
         'X-Forwarded-For',
         'X-Forwarded-Host',
         'X-Forwarded-Proto',
+        'X-Forwarded-Port',
         'X-Proxy-User-Ip',
         'Front-End-Https',
     ],
diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
@@ -35,6 +35,7 @@ Yii Framework 2 Change Log
 - Enh #19416: Update and improve configurations for `yii\console\controllers\MessageController` (WinterSilence)
 - Bug #19403: Fix types in `yii\web\SessionIterator` (WinterSilence)
 - Enh #19420: Update list of JS callbacks in `yii\widgets\MaskedInput` (WinterSilence)
+- Enh #19437: Add support to specify request port by trusted proxies in `\yii\web\Request::getServerPort()` (rhertogh)
 - Bug #19445: Fix caching in `yii\i18n\Formatter::getUnitMessage()` (WinterSilence)
 
 
diff --git a/framework/web/Request.php b/framework/web/Request.php
@@ -221,6 +221,7 @@ class Request extends \yii\base\Request
         'X-Forwarded-For',
         'X-Forwarded-Host',
         'X-Forwarded-Proto',
+        'X-Forwarded-Port',
 
         // Microsoft:
         'Front-End-Https',
@@ -241,6 +242,18 @@ class Request extends \yii\base\Request
     public $ipHeaders = [
         'X-Forwarded-For', // Common
     ];
+    /**
+     * @var string[] List of headers where proxies store the real request port.
+     * It's not advisable to put insecure headers here.
+     * To use the `Forwarded Port`, the header must be added to [[secureHeaders]] list.
+     * The match of header names is case-insensitive.
+     * @see trustedHosts
+     * @see secureHeaders
+     * @since 2.0.46
+     */
+    public $portHeaders = [
+        'X-Forwarded-Port', // Common
+    ];
     /**
      * @var array list of headers to check for determining whether the connection is made via HTTPS.
      * The array keys are header names and the array value is a list of header values that indicate a secure connection.
@@ -1125,11 +1138,23 @@ public function getServerName()
     }
 
     /**
-     * Returns the server port number.
+     * Returns the server port number. If a port is specified via a forwarding header (e.g. 'X-Forwarded-Port')
+     * and the remote host is a "trusted host" the that port will be used (see [[portHeaders]]),
+     * otherwise the default server port will be returned.
      * @return int|null server port number, null if not available
+     * @see portHeaders
      */
     public function getServerPort()
     {
+        foreach ($this->portHeaders as $portHeader) {
+            if ($this->headers->has($portHeader)) {
+                $port = $this->headers->get($portHeader);
+                if ($port !== null) {
+                    return $port;
+                }
+            }
+        }
+
         return isset($_SERVER['SERVER_PORT']) ? (int) $_SERVER['SERVER_PORT'] : null;
     }
 
diff --git a/tests/framework/web/RequestTest.php b/tests/framework/web/RequestTest.php
@@ -1175,6 +1175,33 @@ public function testTrustedHostAndInjectedXForwardedFor($remoteAddress, $xForwar
         $this->assertSame($expectedUserIp, $request->getUserIP());
     }
 
+    public function trustedHostAndXForwardedPortDataProvider()
+    {
+        return [
+            'defaultPlain' => ['1.1.1.1', 80, null, null, 80],
+            'defaultSSL' => ['1.1.1.1', 443, null, null, 443],
+            'untrustedForwardedSSL' => ['1.1.1.1', 80, 443, ['10.0.0.0/8'], 80],
+            'untrustedForwardedPlain' => ['1.1.1.1', 443, 80, ['10.0.0.0/8'], 443],
+            'trustedForwardedSSL' => ['10.10.10.10', 80, 443, ['10.0.0.0/8'], 443],
+            'trustedForwardedPlain' => ['10.10.10.10', 443, 80, ['10.0.0.0/8'], 80],
+        ];
+    }
+
+    /**
+     * @dataProvider trustedHostAndXForwardedPortDataProvider
+     */
+    public function testTrustedHostAndXForwardedPort($remoteAddress, $requestPort, $xForwardedPort, $trustedHosts, $expectedPort)
+    {
+        $_SERVER['REMOTE_ADDR'] = $remoteAddress;
+        $_SERVER['SERVER_PORT'] = $requestPort;
+        $_SERVER['HTTP_X_FORWARDED_PORT'] = $xForwardedPort;
+        $params = [
+            'trustedHosts' => $trustedHosts,
+        ];
+        $request = new Request($params);
+        $this->assertSame($expectedPort, $request->getServerPort());
+    }
+
     /**
      * @testWith    ["POST", "GET", "POST"]
      *              ["POST", "OPTIONS", "POST"]
