SMusatov
/
frankenphp
mirror of https://github.com/dunglas/frankenphp


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221
							package frankenphp

import "C"
import (
	"crypto/tls"
	"net"
	"net/http"
	"path/filepath"
	"strings"
)

type serverKey int

const (
	contentLength serverKey = iota
	documentRoot
	documentUri
	gatewayInterface
	httpHost
	https
	pathInfo
	phpSelf
	remoteAddr
	remoteHost
	remotePort
	requestScheme
	scriptFilename
	scriptName
	serverName
	serverPort
	serverProtocol
	serverSoftware
	sslProtocol
)

func allocServerVariable(cArr *[27]*C.char, env map[string]string, serverKey serverKey, envKey string, val string) {
	if val, ok := env[envKey]; ok {
		cArr[serverKey] = C.CString(val)
		delete(env, envKey)

		return
	}

	cArr[serverKey] = C.CString(val)
}

// computeKnownVariables returns a set of CGI environment variables for the request.
//
// TODO: handle this case https://github.com/caddyserver/caddy/issues/3718
// Inspired by https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
func computeKnownVariables(request *http.Request) (cArr [27]*C.char) {
	fc, fcOK := FromContext(request.Context())
	if !fcOK {
		panic("not a FrankenPHP request")
	}

	// Separate remote IP and port; more lenient than net.SplitHostPort
	var ip, port string
	if idx := strings.LastIndex(request.RemoteAddr, ":"); idx > -1 {
		ip = request.RemoteAddr[:idx]
		port = request.RemoteAddr[idx+1:]
	} else {
		ip = request.RemoteAddr
	}

	// Remove [] from IPv6 addresses
	ip = strings.Replace(ip, "[", "", 1)
	ip = strings.Replace(ip, "]", "", 1)

	ra, raOK := fc.env["REMOTE_ADDR"]
	if raOK {
		cArr[remoteAddr] = C.CString(ra)
		delete(fc.env, "REMOTE_ADDR")
	} else {
		cArr[remoteAddr] = C.CString(ip)
	}

	if rh, ok := fc.env["REMOTE_HOST"]; ok {
		cArr[remoteHost] = C.CString(rh) // For speed, remote host lookups disabled
		delete(fc.env, "REMOTE_HOST")
	} else {
		if raOK {
			cArr[remoteHost] = C.CString(ip)
		} else {
			cArr[remoteHost] = cArr[remoteAddr]
		}
	}

	allocServerVariable(&cArr, fc.env, remotePort, "REMOTE_PORT", port)
	allocServerVariable(&cArr, fc.env, documentRoot, "DOCUMENT_ROOT", fc.documentRoot)
	allocServerVariable(&cArr, fc.env, pathInfo, "PATH_INFO", fc.pathInfo)
	allocServerVariable(&cArr, fc.env, phpSelf, "PHP_SELF", request.URL.Path)
	allocServerVariable(&cArr, fc.env, documentUri, "DOCUMENT_URI", fc.docURI)
	allocServerVariable(&cArr, fc.env, scriptFilename, "SCRIPT_FILENAME", fc.scriptFilename)
	allocServerVariable(&cArr, fc.env, scriptName, "SCRIPT_NAME", fc.scriptName)

	var rs string
	if request.TLS == nil {
		rs = "http"
	} else {
		rs = "https"

		if h, ok := fc.env["HTTPS"]; ok {
			cArr[https] = C.CString(h)
			delete(fc.env, "HTTPS")
		} else {
			cArr[https] = C.CString("on")
		}

		// and pass the protocol details in a manner compatible with apache's mod_ssl
		// (which is why these have a SSL_ prefix and not TLS_).
		if p, ok := fc.env["SSL_PROTOCOL"]; ok {
			cArr[sslProtocol] = C.CString(p)
			delete(fc.env, "SSL_PROTOCOL")
		} else {
			if v, ok := tlsProtocolStrings[request.TLS.Version]; ok {
				cArr[sslProtocol] = C.CString(v)
			}
		}
	}
	allocServerVariable(&cArr, fc.env, requestScheme, "REQUEST_SCHEME", rs)

	reqHost, reqPort, _ := net.SplitHostPort(request.Host)

	if reqHost == "" {
		// whatever, just assume there was no port
		reqHost = request.Host
	}

	if reqPort == "" {
		// compliance with the CGI specification requires that
		// the SERVER_PORT variable MUST be set to the TCP/IP port number on which this request is received from the client
		// even if the port is the default port for the scheme and could otherwise be omitted from a URI.
		// https://tools.ietf.org/html/rfc3875#section-4.1.15
		switch rs {
		case "https":
			reqPort = "443"
		case "http":
			reqPort = "80"
		}
	}

	allocServerVariable(&cArr, fc.env, serverName, "SERVER_NAME", reqHost)
	if reqPort != "" {
		allocServerVariable(&cArr, fc.env, serverPort, "SERVER_PORT", reqPort)
	}

	// Variables defined in CGI 1.1 spec
	// Some variables are unused but cleared explicitly to prevent
	// the parent environment from interfering.

	// These values can not be override
	cArr[contentLength] = C.CString(request.Header.Get("Content-Length"))

	allocServerVariable(&cArr, fc.env, gatewayInterface, "GATEWAY_INTERFACE", "CGI/1.1")
	allocServerVariable(&cArr, fc.env, serverProtocol, "SERVER_PROTOCOL", request.Proto)
	allocServerVariable(&cArr, fc.env, serverSoftware, "SERVER_SOFTWARE", "FrankenPHP")
	allocServerVariable(&cArr, fc.env, httpHost, "HTTP_HOST", request.Host) // added here, since not always part of headers

	return
}

// splitPos returns the index where path should
// be split based on SplitPath.
//
// Adapted from https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
// Copyright 2015 Matthew Holt and The Caddy Authors
func splitPos(fc *FrankenPHPContext, path string) int {
	if len(fc.splitPath) == 0 {
		return 0
	}

	lowerPath := strings.ToLower(path)
	for _, split := range fc.splitPath {
		if idx := strings.Index(lowerPath, strings.ToLower(split)); idx > -1 {
			return idx + len(split)
		}
	}
	return -1
}

// Map of supported protocols to Apache ssl_mod format
// Note that these are slightly different from SupportedProtocols in caddytls/config.go
var tlsProtocolStrings = map[uint16]string{
	tls.VersionTLS10: "TLSv1",
	tls.VersionTLS11: "TLSv1.1",
	tls.VersionTLS12: "TLSv1.2",
	tls.VersionTLS13: "TLSv1.3",
}

var headerNameReplacer = strings.NewReplacer(" ", "_", "-", "_")

// SanitizedPathJoin performs filepath.Join(root, reqPath) that
// is safe against directory traversal attacks. It uses logic
// similar to that in the Go standard library, specifically
// in the implementation of http.Dir. The root is assumed to
// be a trusted path, but reqPath is not; and the output will
// never be outside of root. The resulting path can be used
// with the local file system.
//
// Adapted from https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
// Copyright 2015 Matthew Holt and The Caddy Authors
func sanitizedPathJoin(root, reqPath string) string {
	if root == "" {
		root = "."
	}

	path := filepath.Join(root, filepath.Clean("/"+reqPath))

	// filepath.Join also cleans the path, and cleaning strips
	// the trailing slash, so we need to re-add it afterwards.
	// if the length is 1, then it's a path to the root,
	// and that should return ".", so we don't append the separator.
	if strings.HasSuffix(reqPath, "/") && len(reqPath) > 1 {
		path += separator
	}

	return path
}

const separator = string(filepath.Separator)