Commit 0bf39f6e by pzaremba

Adding support for the X-HTTP-Method-Override header.

parent 9779e9c9
......@@ -4,6 +4,7 @@ Yii Framework 2 Change Log
2.0.0 beta under development
----------------------------
- Enh: Adding support for the `X-HTTP-Method-Override` header in `yii\web\Request::getMethod()`.
- Bug #1265: AssetController does not override 'js' and 'css' for compressed bundles (klimov-paul)
- Bug #1326: The `visible` setting for `DetailView` doesn't work as expected (qiangxue)
- Bug #1412: `FileValidator` and `ImageValidator` still trigger `uploadRequired` error in some case when `skipOnEmpty` is true and no upload is provided (qiangxue)
......
......@@ -79,6 +79,7 @@ use yii\helpers\StringHelper;
*/
class Request extends \yii\base\Request
{
/**
* The name of the HTTP header for sending CSRF token.
*/
......@@ -88,7 +89,6 @@ class Request extends \yii\base\Request
*/
const CSRF_MASK_LENGTH = 8;
/**
* @var boolean whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to true.
* When CSRF validation is enabled, forms submitted to an Yii Web application must be originated
......@@ -146,9 +146,7 @@ class Request extends \yii\base\Request
* @see getBodyParams()
*/
public $parsers = [];
private $_cookies;
/**
* @var array the headers in this collection (indexed by the header names)
*/
......@@ -210,6 +208,8 @@ class Request extends \yii\base\Request
{
if (isset($_POST[$this->methodVar])) {
return strtoupper($_POST[$this->methodVar]);
} elseif (isset($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
return strtoupper($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE']);
} else {
return isset($_SERVER['REQUEST_METHOD']) ? strtoupper($_SERVER['REQUEST_METHOD']) : 'GET';
}
......@@ -748,8 +748,7 @@ class Request extends \yii\base\Request
*/
public function getIsSecureConnection()
{
return isset($_SERVER['HTTPS']) && (strcasecmp($_SERVER['HTTPS'], 'on') === 0 || $_SERVER['HTTPS'] == 1)
|| isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0;
return isset($_SERVER['HTTPS']) && (strcasecmp($_SERVER['HTTPS'], 'on') === 0 || $_SERVER['HTTPS'] == 1) || isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0;
}
/**
......@@ -953,7 +952,8 @@ class Request extends \yii\base\Request
$n = preg_match_all('/\s*([\w\/\-\*]+)\s*(?:;\s*q\s*=\s*([\d\.]+))?[^,]*/', $header, $matches, PREG_SET_ORDER);
for ($i = 0; $i < $n; ++$i) {
if (!empty($matches[$i][1])) {
$accepts[] = [$matches[$i][1], isset($matches[$i][2]) ? (float)$matches[$i][2] : 1, $i];
$accepts[] = [$matches[$i][1], isset($matches[$i][2]) ? (float)$matches[$i][2] : 1,
$i];
}
}
usort($accepts, function ($a, $b) {
......@@ -1194,8 +1194,7 @@ class Request extends \yii\base\Request
}
$trueToken = $this->getCookies()->getValue($this->csrfVar);
$token = $this->getBodyParam($this->csrfVar);
return $this->validateCsrfTokenInternal($token, $trueToken)
|| $this->validateCsrfTokenInternal($this->getCsrfTokenFromHeader(), $trueToken);
return $this->validateCsrfTokenInternal($token, $trueToken) || $this->validateCsrfTokenInternal($this->getCsrfTokenFromHeader(), $trueToken);
}
private function validateCsrfTokenInternal($token, $trueToken)
......
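Review bot: In the `getMethod()` hunk the `X-HTTP-Method-Override` value is returned verbatim (after `strtoupper`) for any actual request method, whereas the existing `$_POST[$this->methodVar]` path is implicitly confined to POST bodies, so a caller can now relabel a GET as PUT/DELETE or a POST as GET; if, as is usual in this class, CSRF validation and verb filtering branch on `getMethod()`, that lets a request pick which of those checks it is subject to. Restrict the override to requests whose real `REQUEST_METHOD` is POST and to an explicit allow-list of the methods that browsers cannot emit natively, rather than accepting any header string. `getMethod()`'s signature and closing brace lie outside the hunk, and whether `validateCsrfToken()` consults `getMethod()` is not visible in the `-1194` hunk, so that part is inferred. A one-line comment on the branch, `// only trust the override on a real POST, and only for methods the client could not otherwise send`, would record the intent for the next reader.
```php
// … unchanged: $_POST[$this->methodVar] branch …
} elseif (isset($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'])
    && isset($_SERVER['REQUEST_METHOD']) && strtoupper($_SERVER['REQUEST_METHOD']) === 'POST'
    && in_array(strtoupper($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE']), ['PUT', 'PATCH', 'DELETE'], true)
) {
    // only trust the override on a real POST, and only for methods the client could not otherwise send
    return strtoupper($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE']);
} else {
    // … unchanged: REQUEST_METHOD fallback …
```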