feat(file_get_contents): Remove problematic headers for AppSec request

crowdsecurity · Oct 18, 2024 · 1d47e6c · 1d47e6c
1 parent 639afd3
commit 1d47e6c
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,17 @@ As far as possible, we try to adhere to [Symfony guidelines](https://symfony.com
 
 ---
 
+## [2.3.2](https://github.com/crowdsecurity/php-common/releases/tag/v2.3.2) - 2024-10-18
+[_Compare with previous release_](https://github.com/crowdsecurity/php-common/compare/v2.3.1...v2.3.2)
+
+
+### Fixed
+
+- Remove `Content-Length` header during `file_get_contents` call for AppSec request
+- Remove `Host` header during `file_get_contents` call for AppSec request only
+
+---
+
 ## [2.3.1](https://github.com/crowdsecurity/php-common/releases/tag/v2.3.1) - 2024-10-16
 [_Compare with previous release_](https://github.com/crowdsecurity/php-common/compare/v2.3.0...v2.3.1)
 

diff --git a/src/Client/RequestHandler/FileGetContents.php b/src/Client/RequestHandler/FileGetContents.php
@@ -126,19 +126,26 @@ protected function getResponseHttpCode(array $parts): int
     private function createContextConfig(Request $request): array
     {
         $headers = $request->getValidatedHeaders();
-        /**
-         * It's not recommended to set the Host header when using file_get_contents (with follow_location).
-         *
-         * @see https://www.php.net/manual/en/context.http.php#context.http.header
-         * As it was causing issues with PHP 7.2, we are removing it.
-         * For AppSec requests, original host is sent in the X-Crowdsec-Appsec-Host header.
-         */
-        unset($headers['Host']);
         $isAppSec = $request instanceof AppSecRequest;
         $rawBody = '';
         if ($isAppSec) {
             /** @var AppSecRequest $request */
             $rawBody = $request->getRawBody();
+            /**
+             * It's not recommended to set the Host header when using file_get_contents (with follow_location).
+             *
+             * @see https://www.php.net/manual/en/context.http.php#context.http.header
+             * As it was causing issues with PHP 7.2, we are removing it.
+             * In all cases, for AppSec requests, the originating host is sent in the X-Crowdsec-Appsec-Host header.
+             */
+            unset($headers['Host']);
+            /**
+             * As we are sending the original request Content-Length's header,
+             * it differs from content-length that should be to sent to AppSec.
+             * We are removing it because file_get_contents does not automatically calculate this header,
+             * unlike cURL, and keeping it would result in a 400 error (bad request) from AppSec.
+             */
+            unset($headers['Content-Length']);
         }
         $header = $this->convertHeadersToString($headers);
         $method = $request->getMethod();

diff --git a/src/Constants.php b/src/Constants.php
@@ -131,7 +131,7 @@ class Constants
     /**
      * @var string The current version of this library
      */
-    public const VERSION = 'v2.3.1';
+    public const VERSION = 'v2.3.2';
     /**
      * @var string The version regex
      */

diff --git a/tests/Unit/CurlTest.php b/tests/Unit/CurlTest.php
@@ -306,6 +306,8 @@ public function testOptionsForAppSec()
             'X-Crowdsec-Appsec-Method' => 'test-value',
             'X-Crowdsec-Appsec-Uri' => 'test-value',
             'X-Crowdsec-Appsec-Api-Key' => 'test-value',
+            'Host' => 'test-value.com',
+            'Content-Length' => '123',
         ];
         $rawBody = 'this is raw body';
         $configs = $this->tlsConfigs;
@@ -329,6 +331,8 @@ public function testOptionsForAppSec()
                 'X-Crowdsec-Appsec-Method:test-value',
                 'X-Crowdsec-Appsec-Uri:test-value',
                 'X-Crowdsec-Appsec-Api-Key:test-value',
+                'Host:test-value.com',
+                'Content-Length:123',
             ],
             \CURLOPT_POST => true,
             \CURLOPT_POSTFIELDS => 'this is raw body',
@@ -369,6 +373,8 @@ public function testOptionsForAppSec()
                 'X-Crowdsec-Appsec-Method:test-value',
                 'X-Crowdsec-Appsec-Uri:test-value',
                 'X-Crowdsec-Appsec-Api-Key:test-value',
+                'Host:test-value.com',
+                'Content-Length:123',
                 'User-Agent:' . TestConstants::USER_AGENT_SUFFIX,
             ],
             \CURLOPT_POST => false,

diff --git a/tests/Unit/FileGetContentsTest.php b/tests/Unit/FileGetContentsTest.php
@@ -173,6 +173,7 @@ public function testContextConfigForAppSec()
             'X-Crowdsec-Appsec-Uri' => 'test-value',
             'X-Crowdsec-Appsec-Api-Key' => 'test-value',
             'Host' => 'test-value-should-be-removed',
+            'Content-Length' => 'test-value-should-be-removed',
             'Custom-Header' => 'test-value-should-be-kept',
         ];
         $rawBody = 'This is a raw body';