jakubboucek/safe-request

Safe HTTP Request: extension of Nette Request object, but sanitized from known safety issues

v0.9.1 2024-03-13 15:04 UTC

This package is auto-updated.

Last update: 2024-11-13 16:32:41 UTC


README

Safe HTTP Request: extension of Nette Request object, but sanitized from known safety issues.

Sanitized issues

  1. Using the Nette RequestFactory can leak the user's Basic auth credentials: by default it creates the Url object with the credentials included, and that Url is then used to build back-link URLs (issue nette/http#215). It is fixed in PR#211, but the fix is not yet released (and will probably never be available for PHP < 8.0).
  2. Calling the Request->getReferer() method can crash the app, because a malicious client can send a request with an invalid Referer header (issue nette/http#215). It is fixed in eb3f6d1980c0b2552a13f5eb944d37515072c998, but only by marking the method as deprecated, and the fix is not yet released (and will probably never be available for PHP < 8.0).
  3. Calling the Request->getRemoteHost() method can slow down or stall your app, because the Request object tries to contact a DNS server on every read of the property (issue nette/http#218).

The package requires the nette/http package; it does not replace it, it only extends it.

Features

  • Removes sensitive data (Basic auth credentials) from the Request->Url object.
  • Fixes the app crash on a request with an invalid Referer header.
  • Fixes the performance issue with getRemoteHost() (no DNS lookup on every read).

Install

composer require jakubboucek/safe-request

Usage

Instead of:

$request = (new \Nette\Http\RequestFactory)->fromGlobals();

Use:

$request = (new \JakubBoucek\SafeRequest\SafeRequestFactory)->fromGlobals();

You can still get the Basic Auth user credentials with:

$user = $request->getUser();
$pass = $request->getPassword();

You can get the Url including the Basic Auth user credentials with:

$url = $request->getUrlWithUserCredential();
echo $url; // http://user:password@example.com/
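The following is an added example, not code from the package's README, that walks through the credential-leak issue from the list above end to end: a Basic-authenticated request is simulated in $_SERVER (constructed sample values), the sanitized Url is used for a back-link, the credentials are read only through the explicit accessors, and a small guard refuses to emit any Url that still carries user info. It assumes Composer autoloading and nette/http 3.x, where Request::getUrl() returns Nette\Http\UrlImmutable; the assertNoCredentials() helper is hypothetical and not part of the package.

```php
<?php
declare(strict_types=1);

// Added example; assumes the package is installed via Composer together with
// its nette/http dependency (3.x, so getUrl() returns UrlImmutable).
require __DIR__ . '/vendor/autoload.php';

use JakubBoucek\SafeRequest\SafeRequestFactory;
use Nette\Http\UrlImmutable;

// Constructed request environment: an HTTP Basic-authenticated GET request as
// PHP exposes it in $_SERVER. These are sample values, not real credentials.
$_SERVER['HTTPS'] = 'on';
$_SERVER['HTTP_HOST'] = 'example.com';
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['REQUEST_URI'] = '/account?tab=settings';
$_SERVER['PHP_AUTH_USER'] = 'alice';
$_SERVER['PHP_AUTH_PW'] = 's3cret';

$request = (new SafeRequestFactory)->fromGlobals();

// The sanitized Url is what you hand to anything that renders, stores or logs
// URLs: back-links, "return to" parameters, canonical links, error reports.
$publicUrl = $request->getUrl();
echo 'Back-link: ', $publicUrl->getAbsoluteUrl(), "\n";
// -> https://example.com/account?tab=settings  (no user:password@ part)

// Credentials remain available, but only through the explicit accessors.
echo 'Authenticated user: ', $request->getUser(), "\n";
$fullUrl = $request->getUrlWithUserCredential();
echo 'Full URL (never embed this in a page or log): ', $fullUrl, "\n";
// -> https://alice:s3cret@example.com/account?tab=settings

/**
 * Hypothetical guard for code paths that emit URLs: refuse any Url that still
 * carries user info. Placing it in redirect helpers, templates or loggers
 * catches a regression, or a raw Nette Request slipping in, early.
 */
function assertNoCredentials(UrlImmutable $url): UrlImmutable
{
    if ($url->getUser() !== '' || $url->getPassword() !== '') {
        throw new \LogicException('Refusing to emit a URL that contains Basic auth credentials');
    }
    return $url;
}

// Passes: the sanitized Url carries no credentials.
$location = assertNoCredentials($request->getUrl())->getAbsoluteUrl();
echo 'Safe redirect target: ', $location, "\n";

// Throws: the credential-bearing Url must never reach an output channel.
try {
    assertNoCredentials($request->getUrlWithUserCredential());
} catch (\LogicException $e) {
    echo 'Blocked: ', $e->getMessage(), "\n";
}
```

Run it from the command line with php; the script sets $_SERVER itself, so no web server is needed. The guard is deliberately typed against UrlImmutable, which also keeps it from accepting the mutable Nette\Http\Url that older nette/http versions return, so a mismatch surfaces as a type error rather than a silent leak.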

Contributing

Please don't hesitate to send an Issue or a Pull Request.

Security

If you discover any security-related issues, please email pan@jakubboucek.cz instead of using the issue tracker.

License

The MIT License (MIT). Please see the License File for more information.

Original code licences

Copyright (c) 2004, 2014 David Grudl (https://davidgrudl.com). All rights reserved. Please see the License File for more information.