Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Response headers include received Authorization header #130

Closed
geirp opened this issue Sep 26, 2019 · 4 comments · Fixed by #151
Closed

Response headers include received Authorization header #130

geirp opened this issue Sep 26, 2019 · 4 comments · Fixed by #151
Labels
bug

Comments

@geirp
Copy link

geirp commented Sep 26, 2019

The Response constructor will by default create a Headers object to collect headers to be sent. The Headers constructor will call setHeaders() which will call parseAuthorizationHeader(). parseAuthorizationHeader() will try to create an Authorization header from data found in $_SERVER.

The result of this is that the Response headers include a copy of the Authorization header received in the request being processed.

The code comment for parseAuthorizationHeader() reads: "Parse incoming headers and determine Authorization header from original headers". My interpretation is that this code was never intended to be used for a Response.
@l0gicgate
Copy link
Member

We need to fix this @adriansuter . This is definitely a bug. We may have to create RequestHeaders and ResponseHeaders which will could extend an abstract Headers object instead so we can differentiate their origins. While they are similar, parseAuthorizationHeader should not be called when we instantiate response headers.

@l0gicgate l0gicgate added the bug label Jan 28, 2020
@adriansuter
Copy link
Contributor

adriansuter commented Jan 29, 2020
edited
Loading

Isn't it possible to simply provide the globals here, or do we need them elsewhere?

Slim-Psr7/src/Response.php

Line 127 in 1f8bb50

$this->headers = $headers ? $headers : new Headers();

That is

        $this->headers = $headers ? $headers : new Headers([], []);

I quickly made a test and run phpunit.

    // \Slim\Tests\Psr7\ResponseTest
    public function testResponseHeadersDoNotContainAuthorizationHeader()
    {
        $_SERVER = Environment::mock(
            [
                'PHP_AUTH_USER' => 'foo'
            ]
        );

        $response = new Response();
        $this->assertEmpty($response->getHeaders());
    }

https://github.com/adriansuter/Slim-Psr7/blob/3ae1689e9b8177d50ec35de1ba35fa93dd28e4f4/tests/ResponseTest.php#L170-L180

The test fails without the modification mentioned above. But with the change, all tests succeed. Could that be a BC? Is it too hackish?

@adriansuter
Copy link
Contributor

@l0gicgate what do you think?

@l0gicgate
Copy link
Member

@adriansuter that would also work yes. Probably the simplest fix.

@adriansuter adriansuter mentioned this issue Feb 8, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix Authorization Headers adriansuter/Slim-Psr7
3 participants
@geirp @adriansuter @l0gicgate