Nyholm / psr7-server

Helper classes to use any PSR7 implementation as your main request and response
MIT License
90 stars 21 forks source link

Duplicate host values in Host header when creating a Psr request from globals #48

Open paynl-wesley opened 3 years ago

paynl-wesley commented 3 years ago

When creating a PSR request from globals, the hostname is set twice in the Host header. This is not allowed according to the RFC:

A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field or a Host header field with an invalid field-value.

The first hostname is added in the ServerRequest object constructor:

if (!$this->hasHeader('Host')) {
    $this->updateHostFromUri();
}

However, Host header is added again in the ServerRequestCreator class in the fromArrays() function here because it uses the withAddedHeader function:

foreach ($headers as $name => $value) {
    // Because PHP automatically casts array keys set with numeric strings to integers, we have to make sure
    // that numeric headers will not be sent along as integers, as withAddedHeader can only accept strings.
    if (\is_int($name)) {
        $name = (string) $name;
    }
    $serverRequest = $serverRequest->withAddedHeader($name, $value);
}

This results in the following Host header in the Psr request:

Host: hostname.tld, hostname.tld