core icon indicating copy to clipboard operation
core copied to clipboard
verified publisher icon flightphp

Additionally request variable SERVER_NAME

Open EdMueller opened this issue 7 months ago • 1 comments

$this->app->request ()->host results in $_SERVER['HTTP_HOST'], which could be forged from outside.

Could you add a new variable e.g "servername" with $this->app->request ()->servername, which delivers the content of $_SERVER['SERVER_NAME']?

CAUTION: Note: Under Apache 2, UseCanonicalName = On and ServerName must be set. Otherwise, this value reflects the hostname supplied by the client, which can be spoofed. It is not safe to rely on this value in security-dependent contexts.

EdMueller avatar Jun 10 '25 09:06 EdMueller

Hey there,

I mean I could do that. You also have a couple options to approach this with.

You could extend the Request class and add it in yourself and then register that class. Something like:

// utils/MyRequest.php

class MyRequest extends flight\net\Request {

    protected string $servername

    public function init(array $properties = []): self
        $properties['servername'] = self::getVar('SERVER_NAME');
        parent::init($properties);
    }
}

// index.php or wherever
Flight::register('request', MyRequest::class);

You also could just use Request::getVar('SERVER_NAME') in your code to pull that value out as well.

I'll consider putting this in a future release though.

n0nag0n avatar Jun 12 '25 20:06 n0nag0n

This will be merged in next version https://github.com/flightphp/core/pull/651

n0nag0n avatar Jun 21 '25 19:06 n0nag0n