jakubboucek / safe-request
Safe HTTP Request: an extension of the Nette Request object, sanitized against known safety issues
Requires
- php: ^7.4 || ^8.0 || ^8.1 || ^8.2 || ^8.3
- nette/http: ^3.0 || ^3.1
Requires (Dev)
- nette/tester: ^2.4
This package is auto-updated.
Last update: 2024-11-13 16:32:41 UTC
README
Safe HTTP Request: an extension of the Nette Request object, sanitized against known safety issues.
Sanitized issues
- Using the Nette RequestFactory can leak the user's Basic auth credentials: by default it creates the Url object with the credentials included, and that Url is then used to build back-link URLs (issue nette/http#215). Fixed in PR #211, but not yet released (and the fix will probably never be available for PHP < 8.0).
- Calling the Request->getReferer() method can crash the app, because a malicious client can send a request with an invalid Referer header (issue nette/http#215). Fixed in commit eb3f6d1980c0b2552a13f5eb944d37515072c998, but only by marking the method as deprecated, and not yet released (and the fix will probably never be available for PHP < 8.0).
- Calling the Request->getRemoteHost() method can slow down or stall the app, because the Request object tries to contact the DNS server on every read of the property (issue nette/http#218).
The package requires the nette/http package; it does not replace it, it only extends it.
Features
- Removes sensitive data from the Request->Url object.
- Fixes the app crash on a request with an invalid Referer.
- Fixes the performance issue with Remote Host.
Install
composer require jakubboucek/safe-request
Usage
Instead of:
$request = (new \Nette\Http\RequestFactory)->fromGlobals();
use:
$request = (new \JakubBoucek\SafeRequest\SafeRequestFactory)->fromGlobals();
You can get the Basic Auth user credentials with:
$user = $request->getUser();
$pass = $request->getPassword();
You can get the Url including the Basic Auth user credentials with:
$url = $request->getUrlWithUserCredential();
echo $url; // http://user:password@example.com/
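The following is an added example, not code from jakubboucek/safe-request or nette/http. It is plain PHP with no Composer dependency and shows, for the three problems listed under Sanitized issues and the credential accessors shown in Usage, what a hardened request wrapper has to do: keep user info out of the URL used for back-links, reject a malformed Referer instead of throwing, and resolve the remote host at most once. The class name HardenedRequest, the injectable resolver parameter and the $server array are assumptions made for this illustration; the sample request values are constructed, not captured traffic.

```php
<?php
declare(strict_types=1);

/** Added illustration only; not the package's own implementation. */
final class HardenedRequest
{
    /** @var array<string, string> */
    private array $server;

    /** @var callable reverse-DNS resolver (string $ip): string|false, injectable for tests */
    private $resolver;

    /** @var string|null|false  false = lookup not done yet; null = lookup failed */
    private $remoteHost = false;

    public function __construct(array $server, ?callable $resolver = null)
    {
        $this->server = $server;
        $this->resolver = $resolver ?? 'gethostbyaddr';
    }

    /** URL for back-links, redirects and logs: user info is never part of it. */
    public function getUrl(): string
    {
        return $this->buildUrl(null);
    }

    /** Credentials are exposed separately, so only code that explicitly asks gets them. */
    public function getUser(): ?string
    {
        return $this->server['PHP_AUTH_USER'] ?? null;
    }

    public function getPassword(): ?string
    {
        return $this->server['PHP_AUTH_PW'] ?? null;
    }

    /** The unsafe form, produced only on explicit request. */
    public function getUrlWithUserCredential(): string
    {
        $user = $this->getUser();
        if ($user === null) {
            return $this->getUrl();
        }
        // rawurlencode() stops ':' '@' '/' inside a credential from corrupting the authority part
        $userInfo = rawurlencode($user) . ':' . rawurlencode((string) $this->getPassword());
        return $this->buildUrl($userInfo);
    }

    /**
     * Referer, or null when the header is missing or not a valid absolute http(s) URL.
     * The header is fully client-controlled, so it is validated and rejected rather
     * than handed to a strict URL parser whose exception would crash the request.
     */
    public function getReferer(): ?string
    {
        $raw = $this->server['HTTP_REFERER'] ?? '';
        if ($raw === '' || strlen($raw) > 2048) {
            return null;
        }
        $parts = parse_url($raw);   // false on seriously malformed input such as "http://"
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return null;
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return null;
        }
        return $raw;
    }

    /** Reverse DNS of the peer, resolved at most once per request object. */
    public function getRemoteHost(): ?string
    {
        if ($this->remoteHost === false) {
            $ip = $this->server['REMOTE_ADDR'] ?? null;
            $host = $ip === null ? false : ($this->resolver)($ip);
            $this->remoteHost = $host === false ? null : $host;
        }
        return $this->remoteHost;
    }

    private function buildUrl(?string $userInfo): string
    {
        $https = $this->server['HTTPS'] ?? '';
        $scheme = ($https !== '' && $https !== 'off') ? 'https' : 'http';
        $host = $this->server['HTTP_HOST'] ?? 'localhost';
        $path = $this->server['REQUEST_URI'] ?? '/';
        return $scheme . '://' . ($userInfo === null ? '' : $userInfo . '@') . $host . $path;
    }
}

// Constructed sample request (not real traffic). The Referer is malformed on purpose.
$server = [
    'HTTPS'         => 'on',
    'HTTP_HOST'     => 'example.com',
    'REQUEST_URI'   => '/account/?page=2',
    'PHP_AUTH_USER' => 'alice',
    'PHP_AUTH_PW'   => 'p@ss:word',
    'HTTP_REFERER'  => 'http://',
    'REMOTE_ADDR'   => '127.0.0.1',
];

$lookups = 0;
$request = new HardenedRequest($server, function (string $ip) use (&$lookups): string {
    $lookups++;          // stands in for gethostbyaddr() so the demo stays offline and countable
    return 'localhost';
});

echo 'Safe URL:        ', $request->getUrl(), PHP_EOL;
echo 'With credential: ', $request->getUrlWithUserCredential(), PHP_EOL;
var_dump($request->getReferer());
$request->getRemoteHost();
$request->getRemoteHost();
echo 'Resolver calls:  ', $lookups, PHP_EOL;
```

Run it with `php hardened-request.php`. The safe URL carries no user info, the credential-bearing URL appears only because it was asked for by name, the malformed Referer comes back as null rather than as an exception, and the resolver closure runs once although getRemoteHost() is read twice.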
Contributing
Please don't hesitate to send an issue or a pull request.
Security
If you discover any security-related issues, please email pan@jakubboucek.cz instead of using the issue tracker.
License
The MIT License (MIT). Please see License File for more information.
Origin code licences
Copyright (c) 2004, 2014 David Grudl (https://davidgrudl.com) All rights reserved. Please see License File for more information.