Commit 0bf39f6e by pzaremba

Adding support for the X-HTTP-Method-Override header.

parent 9779e9c9
...@@ -4,6 +4,7 @@ Yii Framework 2 Change Log ...@@ -4,6 +4,7 @@ Yii Framework 2 Change Log
2.0.0 beta under development 2.0.0 beta under development
---------------------------- ----------------------------
- Enh: Adding support for the `X-HTTP-Method-Override` header in `yii\web\Request::getMethod()`.
- Bug #1265: AssetController does not override 'js' and 'css' for compressed bundles (klimov-paul) - Bug #1265: AssetController does not override 'js' and 'css' for compressed bundles (klimov-paul)
- Bug #1326: The `visible` setting for `DetailView` doesn't work as expected (qiangxue) - Bug #1326: The `visible` setting for `DetailView` doesn't work as expected (qiangxue)
- Bug #1412: `FileValidator` and `ImageValidator` still trigger `uploadRequired` error in some case when `skipOnEmpty` is true and no upload is provided (qiangxue) - Bug #1412: `FileValidator` and `ImageValidator` still trigger `uploadRequired` error in some case when `skipOnEmpty` is true and no upload is provided (qiangxue)
......
...@@ -79,6 +79,7 @@ use yii\helpers\StringHelper; ...@@ -79,6 +79,7 @@ use yii\helpers\StringHelper;
*/ */
class Request extends \yii\base\Request class Request extends \yii\base\Request
{ {
/** /**
* The name of the HTTP header for sending CSRF token. * The name of the HTTP header for sending CSRF token.
*/ */
...@@ -88,7 +89,6 @@ class Request extends \yii\base\Request ...@@ -88,7 +89,6 @@ class Request extends \yii\base\Request
*/ */
const CSRF_MASK_LENGTH = 8; const CSRF_MASK_LENGTH = 8;
/** /**
* @var boolean whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to true. * @var boolean whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to true.
* When CSRF validation is enabled, forms submitted to an Yii Web application must be originated * When CSRF validation is enabled, forms submitted to an Yii Web application must be originated
...@@ -146,9 +146,7 @@ class Request extends \yii\base\Request ...@@ -146,9 +146,7 @@ class Request extends \yii\base\Request
* @see getBodyParams() * @see getBodyParams()
*/ */
public $parsers = []; public $parsers = [];
private $_cookies; private $_cookies;
/** /**
* @var array the headers in this collection (indexed by the header names) * @var array the headers in this collection (indexed by the header names)
*/ */
...@@ -210,6 +208,8 @@ class Request extends \yii\base\Request ...@@ -210,6 +208,8 @@ class Request extends \yii\base\Request
{ {
if (isset($_POST[$this->methodVar])) { if (isset($_POST[$this->methodVar])) {
return strtoupper($_POST[$this->methodVar]); return strtoupper($_POST[$this->methodVar]);
} elseif (isset($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
return strtoupper($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE']);
} else { } else {
return isset($_SERVER['REQUEST_METHOD']) ? strtoupper($_SERVER['REQUEST_METHOD']) : 'GET'; return isset($_SERVER['REQUEST_METHOD']) ? strtoupper($_SERVER['REQUEST_METHOD']) : 'GET';
} }
...@@ -748,8 +748,7 @@ class Request extends \yii\base\Request ...@@ -748,8 +748,7 @@ class Request extends \yii\base\Request
*/ */
public function getIsSecureConnection() public function getIsSecureConnection()
{ {
return isset($_SERVER['HTTPS']) && (strcasecmp($_SERVER['HTTPS'], 'on') === 0 || $_SERVER['HTTPS'] == 1) return isset($_SERVER['HTTPS']) && (strcasecmp($_SERVER['HTTPS'], 'on') === 0 || $_SERVER['HTTPS'] == 1) || isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0;
|| isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0;
} }
/** /**
...@@ -953,7 +952,8 @@ class Request extends \yii\base\Request ...@@ -953,7 +952,8 @@ class Request extends \yii\base\Request
$n = preg_match_all('/\s*([\w\/\-\*]+)\s*(?:;\s*q\s*=\s*([\d\.]+))?[^,]*/', $header, $matches, PREG_SET_ORDER); $n = preg_match_all('/\s*([\w\/\-\*]+)\s*(?:;\s*q\s*=\s*([\d\.]+))?[^,]*/', $header, $matches, PREG_SET_ORDER);
for ($i = 0; $i < $n; ++$i) { for ($i = 0; $i < $n; ++$i) {
if (!empty($matches[$i][1])) { if (!empty($matches[$i][1])) {
$accepts[] = [$matches[$i][1], isset($matches[$i][2]) ? (float)$matches[$i][2] : 1, $i]; $accepts[] = [$matches[$i][1], isset($matches[$i][2]) ? (float)$matches[$i][2] : 1,
$i];
} }
} }
usort($accepts, function ($a, $b) { usort($accepts, function ($a, $b) {
...@@ -1194,8 +1194,7 @@ class Request extends \yii\base\Request ...@@ -1194,8 +1194,7 @@ class Request extends \yii\base\Request
} }
$trueToken = $this->getCookies()->getValue($this->csrfVar); $trueToken = $this->getCookies()->getValue($this->csrfVar);
$token = $this->getBodyParam($this->csrfVar); $token = $this->getBodyParam($this->csrfVar);
return $this->validateCsrfTokenInternal($token, $trueToken) return $this->validateCsrfTokenInternal($token, $trueToken) || $this->validateCsrfTokenInternal($this->getCsrfTokenFromHeader(), $trueToken);
|| $this->validateCsrfTokenInternal($this->getCsrfTokenFromHeader(), $trueToken);
} }
private function validateCsrfTokenInternal($token, $trueToken) private function validateCsrfTokenInternal($token, $trueToken)
......
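Review bot: The new `elseif` branch honours `X-HTTP-Method-Override` for every underlying request method and with no validation of its value, so any request (including a plain GET) is reported as whatever arbitrary string the header carries; the `$_POST[$this->methodVar]` branch above is implicitly limited to POST bodies, and the header branch should be too. A tighter condition keeps the two overrides consistent: `} elseif (isset($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'], $_SERVER['REQUEST_METHOD']) && strtoupper($_SERVER['REQUEST_METHOD']) === 'POST') {`. Since `validateCsrfToken` (hunk at lines 1194+, whose opening lies outside this hunk) presumably decides whether to check the token based on `getMethod()`, an unrestricted override also changes which requests are CSRF-checked, so the restriction is worth documenting. The method's docblock, which sits above the hunk, should state the precedence: `$methodVar` body parameter, then the `X-HTTP-Method-Override` header (POST only), then `REQUEST_METHOD`, defaulting to GET.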