You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
468 lines
11 KiB
468 lines
11 KiB
<?php
|
|
|
|
/**
|
|
* CodeIgniter
|
|
*
|
|
* An open source application development framework for PHP
|
|
*
|
|
* This content is released under the MIT License (MIT)
|
|
*
|
|
* Copyright (c) 2014-2019 British Columbia Institute of Technology
|
|
* Copyright (c) 2019 CodeIgniter Foundation
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
* of this software and associated documentation files (the "Software"), to deal
|
|
* in the Software without restriction, including without limitation the rights
|
|
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
* copies of the Software, and to permit persons to whom the Software is
|
|
* furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice shall be included in
|
|
* all copies or substantial portions of the Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
* THE SOFTWARE.
|
|
*
|
|
* @package CodeIgniter
|
|
* @author CodeIgniter Dev Team
|
|
* @copyright 2019 CodeIgniter Foundation
|
|
* @license https://opensource.org/licenses/MIT MIT License
|
|
* @link https://codeigniter.com
|
|
* @since Version 4.0.0
|
|
* @filesource
|
|
*/
|
|
|
|
namespace CodeIgniter\HTTP;
|
|
|
|
/**
|
|
* Representation of an HTTP request.
|
|
*/
|
|
class Request extends Message implements RequestInterface
|
|
{
|
|
|
|
/**
|
|
* IP address of the current user.
|
|
*
|
|
* @var string
|
|
*/
|
|
protected $ipAddress = '';
|
|
|
|
/**
|
|
* Proxy IPs
|
|
*
|
|
* @var string|array
|
|
*/
|
|
protected $proxyIPs;
|
|
|
|
/**
|
|
* Request method.
|
|
*
|
|
* @var string
|
|
*/
|
|
protected $method;
|
|
|
|
/**
|
|
* Stores values we've retrieved from
|
|
* PHP globals.
|
|
*
|
|
* @var array
|
|
*/
|
|
protected $globals = [];
|
|
|
|
//--------------------------------------------------------------------
|
|
|
|
/**
|
|
* Constructor.
|
|
*
|
|
* @param object $config
|
|
*/
|
|
public function __construct($config)
|
|
{
|
|
$this->proxyIPs = $config->proxyIPs;
|
|
|
|
if (empty($this->method))
|
|
{
|
|
$this->method = $this->getServer('REQUEST_METHOD') ?? 'GET';
|
|
}
|
|
}
|
|
|
|
//--------------------------------------------------------------------
|
|
|
|
/**
|
|
* Gets the user's IP address.
|
|
*
|
|
* @return string IP address
|
|
*/
|
|
public function getIPAddress(): string
|
|
{
|
|
if (! empty($this->ipAddress))
|
|
{
|
|
return $this->ipAddress;
|
|
}
|
|
|
|
$proxy_ips = $this->proxyIPs;
|
|
if (! empty($this->proxyIPs) && ! is_array($this->proxyIPs))
|
|
{
|
|
$proxy_ips = explode(',', str_replace(' ', '', $this->proxyIPs));
|
|
}
|
|
|
|
$this->ipAddress = $this->getServer('REMOTE_ADDR');
|
|
|
|
if ($proxy_ips)
|
|
{
|
|
foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP'] as $header)
|
|
{
|
|
if (($spoof = $this->getServer($header)) !== null)
|
|
{
|
|
// Some proxies typically list the whole chain of IP
|
|
// addresses through which the client has reached us.
|
|
// e.g. client_ip, proxy_ip1, proxy_ip2, etc.
|
|
sscanf($spoof, '%[^,]', $spoof);
|
|
|
|
if (! $this->isValidIP($spoof))
|
|
{
|
|
$spoof = null;
|
|
}
|
|
else
|
|
{
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
if ($spoof)
|
|
{
|
|
for ($i = 0, $c = count($proxy_ips); $i < $c; $i ++)
|
|
{
|
|
// Check if we have an IP address or a subnet
|
|
if (strpos($proxy_ips[$i], '/') === false)
|
|
{
|
|
// An IP address (and not a subnet) is specified.
|
|
// We can compare right away.
|
|
if ($proxy_ips[$i] === $this->ipAddress)
|
|
{
|
|
$this->ipAddress = $spoof;
|
|
break;
|
|
}
|
|
|
|
continue;
|
|
}
|
|
|
|
// We have a subnet ... now the heavy lifting begins
|
|
isset($separator) || $separator = $this->isValidIP($this->ipAddress, 'ipv6') ? ':' : '.';
|
|
|
|
// If the proxy entry doesn't match the IP protocol - skip it
|
|
if (strpos($proxy_ips[$i], $separator) === false)
|
|
{
|
|
continue;
|
|
}
|
|
|
|
// Convert the REMOTE_ADDR IP address to binary, if needed
|
|
if (! isset($ip, $sprintf))
|
|
{
|
|
if ($separator === ':')
|
|
{
|
|
// Make sure we're have the "full" IPv6 format
|
|
$ip = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($this->ipAddress, ':')), $this->ipAddress
|
|
)
|
|
);
|
|
|
|
for ($j = 0; $j < 8; $j ++)
|
|
{
|
|
$ip[$j] = intval($ip[$j], 16);
|
|
}
|
|
|
|
$sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b';
|
|
}
|
|
else
|
|
{
|
|
$ip = explode('.', $this->ipAddress);
|
|
$sprintf = '%08b%08b%08b%08b';
|
|
}
|
|
|
|
$ip = vsprintf($sprintf, $ip);
|
|
}
|
|
|
|
// Split the netmask length off the network address
|
|
sscanf($proxy_ips[$i], '%[^/]/%d', $netaddr, $masklen);
|
|
|
|
// Again, an IPv6 address is most likely in a compressed form
|
|
if ($separator === ':')
|
|
{
|
|
$netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr));
|
|
for ($i = 0; $i < 8; $i ++)
|
|
{
|
|
$netaddr[$i] = intval($netaddr[$i], 16);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
$netaddr = explode('.', $netaddr);
|
|
}
|
|
|
|
// Convert to binary and finally compare
|
|
if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0)
|
|
{
|
|
$this->ipAddress = $spoof;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if (! $this->isValidIP($this->ipAddress))
|
|
{
|
|
return $this->ipAddress = '0.0.0.0';
|
|
}
|
|
|
|
return empty($this->ipAddress) ? '' : $this->ipAddress;
|
|
}
|
|
|
|
//--------------------------------------------------------------------
|
|
|
|
/**
|
|
* Validate an IP address
|
|
*
|
|
* @param string $ip IP Address
|
|
* @param string $which IP protocol: 'ipv4' or 'ipv6'
|
|
*
|
|
* @return boolean
|
|
*/
|
|
public function isValidIP(string $ip = null, string $which = null): bool
|
|
{
|
|
switch (strtolower( (string) $which))
|
|
{
|
|
case 'ipv4':
|
|
$which = FILTER_FLAG_IPV4;
|
|
break;
|
|
case 'ipv6':
|
|
$which = FILTER_FLAG_IPV6;
|
|
break;
|
|
default:
|
|
$which = null;
|
|
break;
|
|
}
|
|
|
|
return (bool) filter_var($ip, FILTER_VALIDATE_IP, $which);
|
|
}
|
|
|
|
//--------------------------------------------------------------------
|
|
|
|
/**
|
|
* Get the request method.
|
|
*
|
|
* @param boolean $upper Whether to return in upper or lower case.
|
|
*
|
|
* @return string
|
|
*/
|
|
public function getMethod(bool $upper = false): string
|
|
{
|
|
return ($upper) ? strtoupper($this->method) : strtolower($this->method);
|
|
}
|
|
|
|
//--------------------------------------------------------------------
|
|
|
|
/**
|
|
* Sets the request method. Used when spoofing the request.
|
|
*
|
|
* @param string $method
|
|
*
|
|
* @return Request
|
|
*/
|
|
public function setMethod(string $method)
|
|
{
|
|
$this->method = $method;
|
|
|
|
return $this;
|
|
}
|
|
|
|
//--------------------------------------------------------------------
|
|
|
|
/**
|
|
* Fetch an item from the $_SERVER array.
|
|
*
|
|
* @param string|array|null $index Index for item to be fetched from $_SERVER
|
|
* @param integer|null $filter A filter name to be applied
|
|
* @param null $flags
|
|
*
|
|
* @return mixed
|
|
*/
|
|
public function getServer($index = null, $filter = null, $flags = null)
|
|
{
|
|
return $this->fetchGlobal('server', $index, $filter, $flags);
|
|
}
|
|
|
|
//--------------------------------------------------------------------
|
|
|
|
/**
|
|
* Fetch an item from the $_ENV array.
|
|
*
|
|
* @param null $index Index for item to be fetched from $_ENV
|
|
* @param null $filter A filter name to be applied
|
|
* @param null $flags
|
|
*
|
|
* @return mixed
|
|
*/
|
|
public function getEnv($index = null, $filter = null, $flags = null)
|
|
{
|
|
return $this->fetchGlobal('env', $index, $filter, $flags);
|
|
}
|
|
|
|
//--------------------------------------------------------------------
|
|
|
|
/**
|
|
* Allows manually setting the value of PHP global, like $_GET, $_POST, etc.
|
|
*
|
|
* @param string $method
|
|
* @param $value
|
|
*
|
|
* @return $this
|
|
*/
|
|
public function setGlobal(string $method, $value)
|
|
{
|
|
$this->globals[$method] = $value;
|
|
|
|
return $this;
|
|
}
|
|
|
|
//--------------------------------------------------------------------
|
|
|
|
/**
|
|
* Fetches one or more items from a global, like cookies, get, post, etc.
|
|
* Can optionally filter the input when you retrieve it by passing in
|
|
* a filter.
|
|
*
|
|
* If $type is an array, it must conform to the input allowed by the
|
|
* filter_input_array method.
|
|
*
|
|
* http://php.net/manual/en/filter.filters.sanitize.php
|
|
*
|
|
* @param string $method Input filter constant
|
|
* @param string|array|null $index
|
|
* @param integer|null $filter Filter constant
|
|
* @param mixed $flags
|
|
*
|
|
* @return mixed
|
|
*/
|
|
public function fetchGlobal($method, $index = null, $filter = null, $flags = null)
|
|
{
|
|
$method = strtolower($method);
|
|
|
|
if (! isset($this->globals[$method]))
|
|
{
|
|
$this->populateGlobals($method);
|
|
}
|
|
|
|
// Null filters cause null values to return.
|
|
if (is_null($filter))
|
|
{
|
|
$filter = FILTER_DEFAULT;
|
|
}
|
|
|
|
// Return all values when $index is null
|
|
if (is_null($index))
|
|
{
|
|
$values = [];
|
|
foreach ($this->globals[$method] as $key => $value)
|
|
{
|
|
$values[$key] = is_array($value)
|
|
? $this->fetchGlobal($method, $key, $filter, $flags)
|
|
: filter_var($value, $filter, $flags);
|
|
}
|
|
|
|
return $values;
|
|
}
|
|
|
|
// allow fetching multiple keys at once
|
|
if (is_array($index))
|
|
{
|
|
$output = [];
|
|
|
|
foreach ($index as $key)
|
|
{
|
|
$output[$key] = $this->fetchGlobal($method, $key, $filter, $flags);
|
|
}
|
|
|
|
return $output;
|
|
}
|
|
|
|
// Does the index contain array notation?
|
|
if (($count = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $index, $matches)) > 1)
|
|
{
|
|
$value = $this->globals[$method];
|
|
for ($i = 0; $i < $count; $i++)
|
|
{
|
|
$key = trim($matches[0][$i], '[]');
|
|
|
|
if ($key === '') // Empty notation will return the value as array
|
|
{
|
|
break;
|
|
}
|
|
|
|
if (isset($value[$key]))
|
|
{
|
|
$value = $value[$key];
|
|
}
|
|
else
|
|
{
|
|
return null;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (! isset($value))
|
|
{
|
|
$value = $this->globals[$method][$index] ?? null;
|
|
}
|
|
|
|
// Cannot filter these types of data automatically...
|
|
if (is_array($value) || is_object($value) || is_null($value))
|
|
{
|
|
return $value;
|
|
}
|
|
|
|
return filter_var($value, $filter, $flags);
|
|
}
|
|
|
|
//--------------------------------------------------------------------
|
|
|
|
/**
|
|
* Saves a copy of the current state of one of several PHP globals
|
|
* so we can retrieve them later.
|
|
*
|
|
* @param string $method
|
|
*/
|
|
protected function populateGlobals(string $method)
|
|
{
|
|
if (! isset($this->globals[$method]))
|
|
{
|
|
$this->globals[$method] = [];
|
|
}
|
|
|
|
// Don't populate ENV as it might contain
|
|
// sensitive data that we don't want to get logged.
|
|
switch($method)
|
|
{
|
|
case 'get':
|
|
$this->globals['get'] = $_GET;
|
|
break;
|
|
case 'post':
|
|
$this->globals['post'] = $_POST;
|
|
break;
|
|
case 'request':
|
|
$this->globals['request'] = $_REQUEST;
|
|
break;
|
|
case 'cookie':
|
|
$this->globals['cookie'] = $_COOKIE;
|
|
break;
|
|
case 'server':
|
|
$this->globals['server'] = $_SERVER;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|