#547: [PATCH] AgaviWebRequest::getUrlHost() returns incorrect server IP address
------------------------+---------------------------------------------------
 Reporter:  anonymous   |        Owner:  david     
     Type:  defect      |       Status:  closed    
 Priority:  normal      |    Milestone:  0.11      
Component:  request     |      Version:  0.11.0RC5 
 Severity:  normal      |   Resolution:  worksforme
 Keywords:  getUrlHost  |  
------------------------+---------------------------------------------------
Changes (by david):

  * status:  new => closed
  * resolution:  => worksforme

Comment:

 Not necessary. This is exactly what the "sources" in the !AgaviWebRequest
 are for, so you can simply do this in {{{factories.xml}}}:

 {{{
 <request class="AgaviWebRequest">
   <parameter name="sources">
     <parameter name="SERVER_NAME">HTTP_HOST</parameter>
   </parameter>
 </request>
 }}}

 Agavi will then use {{{$_SERVER['HTTP_HOST']}}} instead of
 {{{$_SERVER['SERVER_NAME']}}}.

 However, you should be extremely careful about this. {{{HTTP_HOST}}} is
 sent in the request by the client and could contain malicious data to
 perform an attack.

 Usually, proxies, load balancers and so on will send the original
 information in a separate header. In an ideal case, you get these three:
  1. {{{X-Forwarded-For}}} (contains the IP address of the client, as the
 {{{REMOTE_ADDR}}} is the load balancer or proxy)
  1. {{{X-Forwarded-Host}}} (the external host name)
  1. {{{X-Forwarded-Port}}} (the external port)

 These are then available as {{{HTTP_X_FORWARDED_FOR}}} etc.

 That's probably not going to help in your case as you use a CGI
 dispatcher; however, it might set the original information in {{{$_ENV}}}.
 Did you look there?

 I'm closing this ticket for now. Please do not hesitate to open it again
 if the suggested approach does not solve your problem, or (better), shoot
 a mail to the mailing list to discuss the issue or ask on the IRC channel.

-- 
Ticket URL: <http://trac.agavi.org/ticket/547#comment:3>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5
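
Added example (not part of the ticket and not Agavi code): one way to handle the client-supplied Host and X-Forwarded-Host values discussed above before they reach URL generation, by honouring the forwarded header only from a known proxy and checking the result against an allowlist. The function name resolveExternalHost, the proxy address and the host names are hypothetical, constructed values.

```php
<?php
// Added example, not Agavi code. resolveExternalHost() and all sample
// values below are hypothetical and constructed for illustration.

/**
 * Choose the host name used for URL generation from $_SERVER-style data.
 * X-Forwarded-Host is considered only when the direct peer (REMOTE_ADDR)
 * is a known proxy, and any client-influenced value must be on the allowlist.
 */
function resolveExternalHost(array $server, array $trustedProxies, array $allowedHosts, string $fallback): string
{
    $candidate = $server['HTTP_HOST'] ?? '';
    $peer = $server['REMOTE_ADDR'] ?? '';

    // A forwarded header from an arbitrary client is as untrusted as Host itself.
    if (in_array($peer, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_HOST'])) {
        $candidate = $server['HTTP_X_FORWARDED_HOST'];
    }

    $candidate = strtolower(trim($candidate));
    // Accept only host[:port]; lists, whitespace, slashes and the like are rejected.
    if (!preg_match('/^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::\d{1,5})?$/D', $candidate, $m)) {
        return $fallback;
    }
    return in_array($m[1], $allowedHosts, true) ? $m[1] : $fallback;
}

$trustedProxies = ['10.0.0.5'];                       // constructed: our load balancer
$allowedHosts   = ['www.example.com', 'example.com']; // constructed: names we serve
$fallback       = 'www.example.com';                  // configured canonical name

$samples = [ // constructed $_SERVER excerpts
    'direct client, unexpected Host' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_HOST' => 'other.example.net'],
    'direct client, forged forwarded header' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_HOST' => 'example.com',
        'HTTP_X_FORWARDED_HOST' => 'other.example.net'],
    'via proxy, valid forwarded host' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'backend.internal',
        'HTTP_X_FORWARDED_HOST' => 'example.com:8443'],
    'via proxy, malformed forwarded host' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'backend.internal',
        'HTTP_X_FORWARDED_HOST' => 'example.com, other.example.net'],
];

foreach ($samples as $label => $server) {
    printf("%-40s => %s\n", $label, resolveExternalHost($server, $trustedProxies, $allowedHosts, $fallback));
}
```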


_______________________________________________
Agavi Tickets Mailing List
http://lists.agavi.org/mailman/listinfo/tickets