Nette 2.4

This code from docs generates the exception: Call to undefined method Nette\Http\RequestFactory::addUrlFilter():

$requestFactory = new Nette\Http\RequestFactory;
$requestFactory->addUrlFilter('%20', '', PHP_URL_PATH);

Load balancers or proxies adds client IP to the end of X-Forwarded-For header.

So if site is behind trusted proxy, we set it by setProxy method and client sends spoofed X-Forwarded-For header then existing RequestFactory code interprets it as real client IP. Because proxy adds his real IP to the end but RequestFactory code gets the first IP from $_SERVER["HTTP_X_FORWARDED_FOR"] array.

Correct solution should be that we check $_SERVER["HTTP_X_FORWARDED_FOR"] array from the end compare to known trusted proxy array (set by setProxy) and use endmost IP that doesn't match any of know proxy IPs.

OK Example:
Site is behind 2 consecutive load balancers: 10.0.0.1 and 10.0.0.2. Clients real IP is 192.168.1.1.
From client there is no X-Forwarded-For header. First proxy set X-Forwarded-For to 192.168.1.1. Second proxy appends IP of first proxy - header will be X-Forwarded-For: 192.168.1.1, 10.0.0.1.
In this case, everything would be alright - we take first IP and it equals to real client IP, but...

Fake IP Example:
Situation as same as previous example but client sends spoofed X-Forwarded-For header. It sends e.g. 172.16.0.1 in that header.
First proxy appends his real IP, second proxy appends IP of first proxy. We have X-Forwarded-For: 172.16.0.1, 192.168.1.1, 10.0.0.1
So RequestFactory uses fake IP as reference.

Version: dev

Bug Description

https://github.com/nette/http/blob/master/src/Http/FileUpload.php#L86

finfo_file returns FALSE, if an error occurred

got Return value of Nette\Http\FileUpload::getContentType() must be of the type string or null, boolean returned

Imagine this scenario:

$session->setOptions(array('save_handler' => 'redis');
$session->setHandler(new RedisStorageExtension);
$session->start(); //overrides my custom handler with native 'redis'

Nette/Session overrides custom handler on Session::start();

In my situation I cannot leave save_handler with default files value because my handler extends Redis handler, not the default one.
Setting handler after session start could help but session start is lazy and we don't know when it happens.

Edit: Documentation about session handler extensions http://php.net/manual/en/class.sessionhandler.php

//in unlimited session
Session::setOptions(['gc_maxlifetime' => '0']);

//set lifetime for section
$section = $session->getSection('foo');
$section->setExpiration(123);

Nette triggers notice The expiration time is greater than the session expiration 0 seconds

I it look like as chrome bug, because chrome remeber $_COOKIE[nette-browser].

My chrome Linux 43.0.2357.125 (64-bit).

I try this on sanbox.
Add to presenter:

public function handleSection() {
    $this->session->getSection('h4kuna')->value = 'ok';
    $this->redirect('this');
}


public function renderDefault() {
    $section = $this->session->getSection('h4kuna');
    $section->setExpiration(0);
    $this->template->section = $section->value ? : 'noValue';
}

add to latte:

<a n:href="section!">fill section</a>
<br>
value: {$section} <br>
cookie nette-browser: {ifset $_COOKIE['nette-browser']}{$_COOKIE['nette-browser']}{else}ok does not exists{/ifset}

And use case is:

• run page, you will see value: noValue
• click to anchor (change session value)
• close browser
• open browser and it is remebered value, i expect noValue

Can anyone confirm?

Firefox and Opera works fine.

Current Nette\Http\RequestFactory doesnt support adding default domain for the request

Problems starts when we need to generate links, after executing the script in CLI
eg.:

    MyCliPresenter->generateLinksAction() {
        echo $this->link('Homepage:default');
    }
    // outputs:  http:/// 

Whole problem could be solved by adding support for default values for domain and adding a bit of code for using them inside RequestFactory::createHttpRequest() method

        ...
        // after line 94 add
        // use default host, if we didnt get any from $SERVER.
        if (!$url->host)
        {
            $url->host = $this->domain;
        }

this->domain should be populated by setter function, with DI in setup

Another sollution is to use change RequestFactory to be easily extendebale, currently if we want to override createHttpRequest(), with own implementation, it fail when when the script tries to write to $this->binary as there is private access on the variable.
For easier extendebility createHttpRequest should be split to smaller pieces. eg. process Query, Hostnamem, Scheme, Binary, etc.

Bellow are 2 current solutions for the problem,

1. create own HttpRequest and add it as service instead of one generated by factory
2. change service for httpRequestFactory and HttpRequest for own classes.

bootstrap.php:

    ...
    /**
     * @param \Nette\Configurator $configurator
     * @param \Nette\DI\Compiler $compiler
     */
    $configurator->onCompile[] = function($configurator, $compiler)
    {
        $compiler->addExtension('cli_http', new CliModule\Http\CliHttpRequestExtension());
    };
    ...

CliHttpRequestExtension.php

    namespace CliModule\Http;

    use Nette\DI\CompilerExtension;
    use Nette\DI\Container;
    use Nette\DI\ContainerBuilder;
    use Nette\DI\ServiceDefinition;
    use Nette\Http\Request;
    use Nette\Http\UrlScript;
    use Nette\Utils\Strings;

    class CliHttpRequestExtension extends CompilerExtension
    {
        public function loadConfiguration()
        {
            $container = $this->getContainerBuilder();
            $config    = $this->getConfig();


            /** @var ContainerBuilder $container */
            if ($container->parameters['consoleMode']) {
                // ** variant 1 - create own Request object
                $url = new UrlScript();
                $url->setHost($container->parameters['domain']);
                $url->setScheme('http');

                $arguments = [
                    'url'           => $url,
                    'query'         => NULL,
                    'post'          => NULL,
                    'files'         => NULL,
                    'cookies'       => NULL,
                    'headers'       => NULL,
                    'method'        => NULL,
                    'remoteAddress' => NULL,
                    'remoteHost'    => NULL
                ];

                $container->removeDefinition('httpRequest');
                $container->addDefinition('httpRequest')->setClass('\Nette\Http\Request', $arguments);

                // ** varianta 2- use own RequestFactory **
    //            $container->removeDefinition('httpRequestFactory');
    //            $container->addDefinition('httpRequestFactory')
    //                ->setClass('CliModule\Http\CliRequestFactory')
    //                ->addSetup('setDomain', array($container->parameters['domain']));
    //
    //            $container->getDefinition('httpRequest')
    //                ->setFactory('@CliModule\\CliRequestFactory::createHttpRequest');
    //
            }
        }

    }

CliRequestFactory.php - direct copy of Request factory except added part after line 94

     ...
     public function createHttpRequest()
    {
        // DETECTS URI, base path and script path of the request.
        $url = new UrlScript;
        $url->scheme = !empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'off') ? 'https' : 'http';
        $url->user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
        $url->password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

        // host & port
        if ((isset($_SERVER[$tmp = 'HTTP_HOST']) || isset($_SERVER[$tmp = 'SERVER_NAME']))
            && preg_match('#^([a-z0-9_.-]+|\[[a-f0-9:]+\])(:\d+)?\z#i', $_SERVER[$tmp], $pair)
        ) {
            $url->host = strtolower($pair[1]);
            if (isset($pair[2])) {
                $url->port = (int) substr($pair[2], 1);
            } elseif (isset($_SERVER['SERVER_PORT'])) {
                $url->port = (int) $_SERVER['SERVER_PORT'];
            }
        }

        // Default vyplnenie Host-u
        if (!$url->host)
        {
            $url->host = $this->domain;
        }
        ...

Calling Url::setQuery() with non-empty array that only contains NULL values causes a question mark to appear at the end of the generated url.

MySQL's utf8 encoding does not support characters above U+FFFF. Using utf8 encoding and not removing characters above U+FFFF can be used to bypass input validation. You can for example use this to bypass minimum length requirement for thread title on Nette forum. See excellent presentation Hacking with Unicode for more practical examples.

Applications must either use utf8mb4 encoding (which supports full UTF-8) or remove all characters above U+FFFF. I think that Nette should support both approaches.

We should certainly allow removing characters above U+FFFF in RequestFactory and either make it default or change default encoding in Nette\Database to utf8mb4.

Note: utf8mb4 encoding is available since MySQL 5.5.3 (2010-03-24)

• bug report? yes
• feature request? no
• version: 2.4.6

Description

I found problem with restarting session after session ID was regenerated.
This is because \Nette\Http\Session::start() takes session ID always from request cookie. Invocation of \Nette\Http\Session::regenerateId() changes session ID. Closing session and starting session again changes session ID to value which is stored in cookie, but this session ID is already deleted.

Steps To Reproduce

$session = new Session();
$session->start(); // Session ID is taken from cookie.
$session->regenerateId(); // Session ID is changed.
$session->close(); // Session with old ID is deleted, session with new ID is written.
$session->start(); // Session ID is taken from cookie - PROBLEM 
// it is old session ID, not the regenerated one and all session data are lost

If there is https nginx proxy, our webhoster sets SERVER_PORT to 80 for the apache webserver. But the application runs over 443 and https. See their response and dumped headers.

Server headers dump:

HTTPS on
HTTP_HOST www.xxx.cz
HTTP_X_FORWARDED_HOST www.xxx.cz
HTTP_X_FORWARDED_SERVER www.xxx.cz
HTTP_X_FORWARDED_FOR 94.230.146.241
HTTP_FORWARDED_REQUEST_URI /test.php
HTTP_HTTP_X_FORWARDED_PROTO https
HTTP_HTTPS on
HTTP_X_FORWARDED_PROTO https
HTTP_X_FORWARDED_SSL on
SERVER_SIGNATURE no value
SERVER_SOFTWARE Apache
SERVER_NAME www.xxx.cz
SERVER_ADDR 127.0.0.1
SERVER_PORT 80

Response from the webhosting

The HTTPS header is properly set by our front end Nginx web server, as well as the 'X-Forwarded-SSL' header.

The problem here is that the $_SERVER['SERVER_PORT'] variable is always 80, since the Apache (sitting behind the Nginx) never receives HTTPS traffic, rather the front end Nginx does. You are relying on that variable to construct the HttpRequest object in

/home/xxx/webapps/xxx/vendor/nette/nette/NetteHttpRequestFactory.php on line 80:

if (isset($pair[2])) {
$url->port = (int) substr($pair[2], 1);
} elseif (isset($_SERVER['SERVER_PORT'])) {
$url->port = (int) $_SERVER['SERVER_PORT'];
}

...

WebFaction Support

When you want to set header Content-Type without charset attribute for type text/* then PHP 5.6 adds default charset into the header for you. However it could bring some problems in some cases (back compatibility for example). It is caused by usage of function sapi_apply_default_charset.

Working solution follows

$default_charset = ini_get('default_charset');
ini_set('default_charset', NULL);
// set header
ini_set('default_charset', $default_charset);

I am not sure if it should be solved by Nette. However Nette supports passing charset as second parameter to method IResponse::setContentType so it could. What do you think?

Current implementation of binary mode (RequestFactory::setBinary()) is stupid and encourages insecure behavior, because I usually want to transfer only a single parameter in binary. To achieve that user should not disable UTF-8 validation on all input parameters.

We should either

• remove the binary mode entirely or
• improve it to support binary mode only for parameter with certain name.

Currently I'm in favor of the first option for the following reasons:

• transporting binary data is rare
• users can very easily just use $_GET['binaryData'] or $_POST['binaryData'] – its ugly but practical
• users can implement wrapper around RequstFactory which would allow specifying that certain parameters should be treated as binary.

Thoughts? cc @dg, @fprochazka

Note: If we choose the remove the binary mode entirely with the vision that users may implement custom wrapper around RequestFactory we may no longer throw exception (see #30 for related discussion) for invalid parameters.

I need to close session before long-runing operation, because unclosed session blocks other processes.

$session->start();
//working with session..
$session->close();

//long-running operation

$session->start();
//working with session..
$session->close();

It returns "headers already sent..". Cookie should not be sends again, if I call start() more times, or not?
Sorry for my English.

Is there any option how to get whole request uri from httpRequest->getUrl() for example when I want canonize url site.com/? to site.com/.

Character "?" is not included in returment of method getUrl().

I cannot use class Nette\HttpUrlScript "smoothly", as standalone (its needed for me for extending of Nette\Http\Request class).

For example:

$url = new \Nette\Http\UrlScript("http://nette.org/admin/script.php/pathinfo/?name=param#fragment");
echo $url->basePath; // expected '/admin/', but output is '/'

My suggestions:

You can specify in the constructor the minimum default functionality, suitable for most cases. My simple example:

class UrlScript extends Url
{
    ...

    public function __construct($url = NULL)
    {
        parent::__construct($url);
        $this->scriptPath =  $this->path;       
    }

    ...
}

With this patch any descendant class of UrlScript (if its instance was created standalone, not from RequestFactory), will have same behavioral as the class Url (in method getBasePath, getRelativeUrl and other).

• https://twitter.com/OndraM/status/448120575010308096
• https://wiki.php.net/rfc/strict_sessions

So... there is that :) What now?

Version: latest

Bug Description

In query parameters dots are replaces to underscode.
The bug is from internal PHP function parse_str, where . are replaced to _.

Steps To Reproduce

$url = new \Nette\Http\Url('test.xy?test.text=text');
return (string) $url; //returns: 'test.xy?test_text=text'

Expected Behavior

should return: test.xy?test.text=text

If nette called via PUT method, rawBody stay empty. If I try to read from php://input file_get_contents('php://input') after Nette\Http\RequestFactory::createHttpRequest() (in own router) there is right content.

Is it ok behavior?

There might be a bug in Forwarded implementation (#94) – I haven't delved deep into it, but just at first glance: RequestFactory checks for the scheme parameter in the header, while the RFC defines a proto parameter. Has anyone run into this issue and can confirm?

Here is a call of static method date on an instance of IResponse. This should be changed to static call Response::date.

Now you cannot be sure that $response has this method, because you require interface which doesn't have this method.

Request implements a couple of extra methods that are not defined in IRequest interface. Nette 3 deprecated autowiring of Request type, only autowiring via interface is now supported. This means that those extra methods are basically "inaccessible" for any consumer. I think those methods should be either added to the interface, or deprecated and eventually removed.

• getReferer(): ?Url - the interface already mentions this method in @method annotation, the annotation should be transformed to a proper method definition.
• isSameSite(): bool - this should be definitely added to the interface.
• detectLanguage(array $langs): ?string - this can be easily extracted to a separate service and removed from Request.

What are your thoughts? Shall I send a PR(s)?

Related to #137, #90

• bug report? yes
• feature request? no
• version: 2.4.2

Running security test suite

-- FAILED: SecurityExtension | tests/Security.DI/SecurityExtension.user.phpt
   Exited with error code 255 (expected 0)
   E_DEPRECATED: The each() function is deprecated. This message will be suppressed on further calls

Hi, after some testing, i figured out, that ipMatch function is not working correctly.

Example:
Network 192.168.1.0/24 (IPs: 192.168.1.0-192.168.1.255)
ipMatch(192.168.1.1, 192.168.1.0/24) -> true, great
ipMatch(192.168.2.1, 192.168.1.0/24) -> true, what isn't nice.

Even if tests are passing:

Assert::true( Helpers::ipMatch('192.168.68.233', '192.168.68.233') ); 

woks fine

Assert::false( Helpers::ipMatch('192.168.68.234', '192.168.68.233') );

works fine

Assert::true( Helpers::ipMatch('192.168.64.0', '192.168.68.233/12') );

Network 192.168.68.233/12 (IPs: 192.160.0.1-192.175.255.255)
fine, it's in subnet

Assert::false( Helpers::ipMatch('192.168.63.255', '192.168.68.233/12') );

not fine, even in subnet, but returns false

Assert::true( Helpers::ipMatch('192.168.79.254', '192.168.68.233/12') );

fine, in subnet

Assert::false( Helpers::ipMatch('192.168.80.0', '192.168.68.233/12') );

in subnet, but returns false

Assert::true( Helpers::ipMatch('127.0.0.1', '192.168.68.233/32') );

not sure, if this should return true

Maybe I missunderstood something, but this is how Mikrotik and Cisco devices are interpreting CIDR network.

Maybe, the logic of function is working backwards...

If I use 192.168.68.233/20 (192.168.64.0-192.168.79.255), it matches expected behaviour as seen in tests..

• bug report? yes
• feature request? no
• version: 2.4.5, the code in master looks the same

Description

Due to Response::setCookie() calling Helpers::removeDuplicateCookies(), it is not possible to delete a cookie with the same name from multiple domains.

Came upon it today when I found out there may be accidental cookies for subdomains in our project instead of one cookie for our root domain. Tried to delete all the cookies in the subdomains using Response, but failed.

A naive solution would be to put the Helpers::removeDuplicateCookies() call in a condition, which could be controlled by a parameter of Response::setCookie(), the same for Response::deleteCookie(), but these methods can be called from anywhere and even one call w/o the flag to not call the Helpers::removeDuplicateCookies() would break it.
Having this setting as a settable class property would probably work.
Actually I don't know why the Helpers::removeDuplicateCookies() is there, so I cannot really tell if it would make sense.

Steps To Reproduce

$response->deleteCookie('lang', null, 'sub.domain.com');
$response->deleteCookie('lang', null, 'domain.com');

• bug report? yes
• feature request? no
• version: 2.4

Description

Hi,
i have use case

$form->addUpload('csv')
    ->addRule($form::MIME_TYPE, 'Foo', 'text/*')
    // next line does not work
    ->addRule($form::PATTERN, 'Message', '*.csv');

I found in Validator::validatePattern where first parameter is (IControl)->getValue(). It's ok. If i look at (FileUploadControl)->getValue() you get FileUpload and method __toString return tmpName. Where is problem? I don't need run validation on temporary name, but on original name.

For first validation check extension of file. Please you don't write, this valid is not relevant. I can't use PATTERN validation for this moment.

Or throw exception, this rule is not relevant for FileUpload. Because here is wtf behavior.

I understant if you change return value in method __toString(), it can be BC break or anything worse.

• bug report? yes
• feature request? no
• version: 2.4.7

Hi, when i write $this->getHttpRequest()->getReferer() i encountered a problem when the IDE PhpStorm did not know about the getReferer() method. The reason is that the method is missing in IRequest. I want to ask if it is deliberate or a bug. It would be good either to add or add an appropriate annotation to the IDE to understand that the getReferer method is accessible.
...

Hi,
when I run nette application via standalone server (php -S localhost:8000) there is no port in links and redirects. E.g. there is link with localhost/somepage instead of localhost:8000/somepage.

I am running app on standalone server because of selenium tests and I have workaround with this in test's bootstrap:

Nette\Http\Url::$defaultPorts['http'] = 8000;

It works, but I think port should be used when creating links.

(It is on version 2.2.0)

• bug report? yes
• feature request? no
• version: 2.4.5

Description

Why in constructor foreach array is "type" value? Because this value is unused in constructor.

PHP 5.6 should land with a lazy write feature (RFC), configured using session_start parameter.
Basically the only new things are read only sessions (proposal 1) and lazy session writes (proposal 2). Read only sessions are not suitable for Nette. Lazy writes are more interesting as those write session changes only if anything was really changed which results in better performation.

Nette\Http\RequestFactory

If the 148 line includes:
foreach ($list as &$v)

dump files:
array (1)
files => array (1)
| 0 => NULL

BUT
If the 148 line includes:
while (list(, $v) = each($list))

dump files:
array (1)
files => array (1)
| 0 => Nette\Http\FileUpload #ee05

Where is problem? Thank you.

I'm trying to implement ajax upload today. However there is a problem with error handling. If I try to upload a too large file I get this error:

Possible problem: you are starting session while already having some data in output buffer. This may not work if the outputted data grows. Try starting the session earlier.

Session is started in Container::initialialize() of course. So I looked into the buffer and it contained this:

<b>Warning</b>: POST Content-Length of 360495939 bytes exceeds the limit of 31457280 bytes in <b>Unknown</b> on line <b>0</b><br />

This apparently is a PHP starup error. Everything works fine if I set the directive diplay_startup_errors to 0. But of course I don't want that - at least not in development.

Is there some other way to deal with this? If I'm not mistaken this pretty much means that Nette\Http\Session is incompatible with the directive diplay_startup_errors.

• https://github.com/nette/http/blob/master/src/Http/Session.php#L83
• https://github.com/php/php-src/blob/php-7.1.0RC2/UPGRADING#L100-L102

Session ID is generated from CSPNG directly. As a result, Session ID length
could be any length between 22 and 256. Note: Max size of session ID depends
on save handler you are using.

Recently I installed this addon to Google Chrome:

https://chrome.google.com/webstore/detail/host-switch-plus/bopepoejgapmihklfepohbilpkcdoaeo

its purpose is something like etc/hosts file with one single exception. If used, it sends HTTP requests like:

GET http://www.example.com/ HTTP/1.1

instead of

GET / HTTP/1.1

which seems to be valid according to https://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html

But Nette shows "no routes" and gives me 404.

Because RequestFactory.php where $_SEVER['REQUEST_URI'] is parsed cannot handle absolute URLs. I quick-fixed this simply by modifying urlFilters from:

    /** @var array */
    public $urlFilters = array(
        'path' => array('#/{2,}#' => '/'), // '%20' => ''
        'url' => array(), // '#[.,)]\z#' => ''
    );

to:

    /** @var array */
    public $urlFilters = array(
        'path' => array('#/{2,}#' => '/'), // '%20' => ''
        'url' => array('#^(http|ftp)s?://[^/]+/#' => '/'), // '#[.,)]\z#' => ''
    );

and it works, but I'm not sure if this is the best way to "fix" this.

• Bug report? yes
• Feature request? no
• Version: discovered in v2.3.8 (still present in v2.4.4)

Description

If Nette\Http\Session instance is configured using camelCase-styled option names, eg. cookiePath, cookieDomain, etc. (as it is presented in docs: https://doc.nette.org/cs/2.3/sessions). and the client does this:

0. (new request)
1. Set up the Session instance
   • Either with $session->setOptions(["cookieDomain" => ".domain.com"])
   • Or in Nette framework using .neon config
2. Start the session (do not output anything yet)
3. Close the session (do not output anything yet)
4. Start the session again (we should able to, we did not send any output yet)

The Nette\Http\Response's setCookie() method is being fired twice (and that's ok). But: the second call does NOT send the cookie's domain property properly - it is empty (as in PHP's default).

If Nette\Http\Session instance is configured using underscore_case-styled option names (eg. cookie_path, cookie_domain), everything works fine.

Steps To Reproduce

Minimum reproduction code: sessions_bug.zip

Expected behaviour

"Correct" (workaround-y) options:

$optionsOK = [
	"cookie_path" => "/",
	"cookie_domain" => ".domainok.com",
];

Expected output:

$ php index.php
Array
(
    [name] => PHPSESSID
    [value] => 3aeue4lsjhrhqs8de8ao8ilbp0
    [time] => 0
    [path] => /
    [domain] => .domainok.com
    [secure] =>
    [httpOnly] => 1
)

Array
(
    [name] => PHPSESSID
    [value] => fgas2ttl3eku0ns6eth8c39r97
    [time] => 0
    [path] => /
    [domain] => .domainok.com
    [secure] =>
    [httpOnly] => 1
)

Actual behaviour:

Options:

$optionsBug = [
	"cookiePath" => "/",
	"cookieDomain" => ".domainbug.com",
];

Output:

$ php index.php
Array
(
    [name] => PHPSESSID
    [value] => n441tegtvgc2u87j8jkmkvt4o1
    [time] => 0
    [path] => /
    [domain] => .domainbug.com
    [secure] =>
    [httpOnly] => 1
)

Array
(
    [name] => PHPSESSID
    [value] => 3k8ercr7pe42ln86l9kn2t6836
    [time] => 0
    [path] => /
    [domain] =>
    [secure] =>
    [httpOnly] => 1
)

Forum: http://forum.nette.org/en/21268-nette-framework-2-2-4-released#p145829

This bug shows self in Nette 2.2.4 as:

PHP Notice: Undefined variable: file in .../src/Http/Response.php:299
PHP Notice: Undefined variable: line in .../src/Http/Response.php:299
PHP Deprecated: Function æĄly°Š() is deprecated in Unknown:0
PHP Deprecated: Function (null)::H‰l$čL‰d$šH‰ĶL‰l$ųH‰\$ąH�ģ8H…ÉA‰üI‰õt!H‹ŪźM() is deprecated in .../cache/latte/xxxx-f58ecdceb29baf29d552a02bd25a2224.php:72
PHP Deprecated: Function (null)() is deprecated in ....
Parse Error
Fatal Error Allowed memory size of 134217728 bytes exhausted (tried to allocate 909587003 bytes)

This bug occures on mine website when I migrated to Nette v2.2.4. It is hard to reproduce, I did it by refreshing page and one from 10-50 requests failed by different error message.

I replaced nette/nette: 2.2.4 in composer by all single packages and I started to downgrade packages one by one. After reverting nette/http to v2.2.1, bugs stopped to showself. After that I bisected commits and I found 0914fe9 as buggy. After that, I upgraded back to nette/nette v2.2.4 and starts to reverting single commit changes. When this was reverted, everithing is OK.

I know it sounds like nonsence. And when PHP bug is about memory corruption this is maybe only final crash. Let's wait for forum feedback.

PHP 5.4.16 as a apache2handler, Debian

Hi, I have just noticed in my app, that there appears PHP Notice in class Nette\Http\FileUpload on line 160. It is because there is missing use clause on previous line. Sadly I am not familiar with contributing to Nette, so I cannot send PR right now.

I am using Nette 2.4 (Nette\Http is according composer.json also version 2.4)

My functional tests are currently failing because of

  [PHPUnit_Framework_Exception] Possible problem: you are starting session while already having some data in output buffer. This may not work if the outputted data grows. Try starting the session earlier.

Setting autoStart to true didn't help either because it's ignored in CLI mode. Why is it ignored and how should I fix my tests then?

https://travis-ci.org/Arachne/Forms/builds/125263850

Tried it on localhost as well with the same result.

What is the reason for this line of code https://github.com/nette/http/blob/master/src/Http/Url.php#L363 ? What is the main difference between http and https and other schemas?

Expected behavior: generate link with user and password for every schema if user and password are set.

If the attacker finds a hole, where he can provide an URL that is passed directly to Http\Response::redirect(), then he's able to create XSS.

for example

/some/page?redirect=%0Ajavascript:alert(/xss/)

Which executes to

public function actionPage($redirect)
{
    $this->redirectUri($redirect);
}

The browser won't redirect, because it's not a valid url, but HTML will be printed

Location: %0Ajavascript:alert(/xss/)


<h1>Redirect</h1>

<p><a href="
javascript:alert(/xss/)">Please click here to continue</a>.</p>

This happened to us in our mailing click-through counter.

Also relevant http://forum.nette.org/cs/21315-parsovani-absolutni-url-routerem-aplikace#p146150

I think that the term canonical URL is usually used in SEO context. However low-level Url class can not know which form is the SEO canonical one. Therefore I suggest to rename canonicalize() to less misleading normalize(). Do you feel the same?

- possible bug report

- nette version: v: 2.4 (20170221), php version: 7.0.8, apache version: ? 2.4.23 ?

Description

Routing works fine on localhost.
Routing is broken after copying app to public web hosting (wedos.cz).
Some other people are reporting similar problems on wedos user forum.
I traced the problem to file /http/src/http/RequestFactory.php, line 95.
$_SERVER['SCRIPT_NAME'] contains invalid value on public web hosting (it contained filesystem path instead of url) and so was not shortened, which then propagated to urlScript.php, Routing.php, etc..., so all routing was broken and no match was found for any processed requests.
After discovering that, it was easy to google problem description (https://www.google.com/search?q=htaccess+SCRIPT_NAME+problem). And workaround solution.
Problem disappeared after inserting line $path = $_SERVER["REQUEST_URI"]; between lines 100 and 101. Application now seems to be working correcly on both localhost and public hosting. I have not installed command line interpreter or composer, so I cannot run unit tests and check that something else is not broken. Only have downloaded sandbox release and running it on xampp.

Nice framework guys, particularly the error prettifier (I didn't get much further yet). I can't understand how you managed to make such nice thing in php. I hate php. Here are some of the reasons: https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/ :-)

Steps To Reproduce

Not sure.
I'm new to php, nette and apache, so it took me several days to find out the cause of this problem. Mainly because i was suspecting rules in multiple url-rewriting .htaccess files and was meddling with them. Also it is happening only on public hosting and I cannot check or replicate its configuration.

zdravím

• bug report? no
• feature request? yes

PHP 5.6 introduced new function session_abort. Implementation is trivial, we only need to decide whether to call the method abort (matches the original function name) or rollback (imho more descriptive).

• bug report? yes
• feature request? no
• version: 2.4

Description

Not sure if this is really a bug.

I use nette/http standalone and when I want to instantiate UserStorage it ends with Fatal Error: Interface 'Nette\Security\IUserStorage' not found.

There is no dependency on nette/security in composer.json. But this is only class, that needs this dependency. So maybe it can be enough to add "nette/security": "Allows use UserStorage" to "suggest" section to composer?

Steps To Reproduce

1. create empty project
2. require nette/http
3. $userStorage = new UserStorage()

When we want to you own service for http request, subclass of Nette\Http\Request is required

// contex is instance of Nette\DI\Container
$context->removeService("http.request");
// OwnRequest implements Nette\Http\IRequest
$context->addService("http.request", new OwnRequest());

it throws exception

Nette\InvalidArgumentException: Service 'http.request' must be instance of Nette\Http\Request, OwnRequest given

I think same problem is with all services from Nette\Http package. Only interface can be requested, not class.

Maybe problem is with DI container itself, when removeService is called, I wan't to remove all information about particular service, it seems that in DI container still remains some information about removed service, what isn't desirable.

Nette\HttpRequestFactory should support RFC 7239 (Forwarded HTTP Extension). It may be wise to wait for servers to implement it first.

Request post attribute is currently filled with data from $_POST array. Would it be possible to set it like this
Nette\Utils\Json::decode(file_get_contents('php://input'), true); when method is POST and Content-type is application/json?

This is in my config.neon

session:
    saveHandler: memcached
    savePath: 'localhost:22121'

and I repetedly get this problem...

memcached config is ok, and this test code:

$m = new Memcached();
$m->addServer('localhost', 22121);

$m->set('int', 99);

sets key correctly

Dumping memcache contents
  Number of buckets: 1
  Number of items  : 1
Dumping bucket 1 - 1 total items
add int 1 1479504298 2
99

I'm using php 7.0.12
and memcached 1.4.15

also basic php code:

ini_set('session.save_handler', 'memcached');
ini_set('session.save_path', 'localhost:11211');
session_start();
$_SESSION['BLA'] = 'heeey';

saved key to memcached without any issue and it's possible to read it

also if I set config directly to php.ini it works and session is correctly saved to memcached, but on other request session is lost (I think session id got changed, session data is in memcached)

Hi,
we're using Nette\Security\User::setExpiration with $whenBrowserIsClosed = TRUE, that calls Nette\Security\UserStorage::setExpiration with flag BROWSER_CLOSED, but I think, that this functionality was removed in pullrequest #103 and then Nette\Security\User::setExpiration function with parametr $whenBrowserIsClosed and flag BROWSER_CLOSED for Nette\Security\UserStorage::setExpiration is unusable and should be removed too.