Switch to headers_requiring_opt_in approach

maxschmeling · maxschmeling · commit acbee4550af2 · 2024-12-11T13:08:39.000-06:00
diff --git a/packages/playground/php-cors-proxy/cors-proxy-functions.php b/packages/playground/php-cors-proxy/cors-proxy-functions.php
@@ -300,38 +300,41 @@ private static function ipv6InRange($ip, $start, $end)
 }
 
 
-function filter_headers_strings($php_headers, $allowed_headers, $remove_headers) {
-    $allowed_headers = $allowed_headers ?? [];
+function filter_headers_strings($php_headers, $headers_requiring_opt_in, $remove_headers) {
+    $headers_requiring_opt_in = $headers_requiring_opt_in ?? [];
     $remove_headers = $remove_headers ?? [];
 
     $allowed_request_headers_header = strtolower('X-Cors-Proxy-Allowed-Request-Headers');
 
-    // Add any additional allowed headers from X-Cors-Proxy-Allowed-Request-Headers
-    if (isset($php_headers[$allowed_request_headers_header])) {
-        $allowed_request_headers = $php_headers[$allowed_request_headers_header];
+    $lowercased_php_headers = array_change_key_case($php_headers, CASE_LOWER);
 
-        $additional_headers = array_map(
+    // Get explicitly allowed headers from X-Cors-Proxy-Allowed-Request-Headers
+    $explicitly_allowed_headers = [];
+    if (isset($lowercased_php_headers[$allowed_request_headers_header])) {
+        $explicitly_allowed_headers = array_map(
             'trim',
-            explode(',', $allowed_request_headers)
+            explode(',', $lowercased_php_headers[$allowed_request_headers_header])
         );
-        $allowed_headers = array_merge($allowed_headers, $additional_headers);
     }
+    $explicitly_allowed_headers = array_map('strtolower', $explicitly_allowed_headers);
 
-    $allowed_headers = array_map('strtolower', $allowed_headers);
-
-    // Only keep headers that are in the allowed list
-    $php_headers = array_filter($php_headers, function($header) use ($allowed_headers) {
-        $header_name = strtolower(explode(':', $header)[0]);
-        return in_array($header_name, $allowed_headers);
-    });
-
+    $headers_requiring_opt_in = array_map('strtolower', $headers_requiring_opt_in);
     $remove_headers = array_map('strtolower', $remove_headers);
 
-    // Remove strictly disallowed headers
+    // Filter headers
     return array_filter(
         $php_headers,
-        function($key) use ($remove_headers) {
-            return !in_array(strtolower($key), $remove_headers);
+        function ($key) use ($headers_requiring_opt_in, $remove_headers, $explicitly_allowed_headers) {
+            $lower_key = strtolower($key);
+            // Remove if in remove_headers list
+            if (in_array($lower_key, $remove_headers)) {
+                return false;
+            }
+            // Remove if requires opt-in but not explicitly allowed
+            if (in_array($lower_key, $headers_requiring_opt_in) && !in_array($lower_key, $explicitly_allowed_headers)) {
+                return false;
+            }
+            return true;
         },
         ARRAY_FILTER_USE_KEY
     );
diff --git a/packages/playground/php-cors-proxy/cors-proxy.php b/packages/playground/php-cors-proxy/cors-proxy.php
@@ -101,15 +101,9 @@
     "$host:443:$resolvedIp"
 ]);
 
-$default_allowed_headers = [
-    'Accept',
-    'Accept-Language',
-    'Content-Language',
-    'Content-Type',
-    'DNT',
-    'Origin',
-    'Range',
-    'User-Agent'
+// Pass all incoming headers except cookies and authorization
+$headers_requiring_opt_in = [
+    'Authorization'
 ];
 $strictly_disallowed_headers = [
     'Cookie',
@@ -118,7 +112,7 @@
 $curlHeaders = kv_headers_to_curl_format(
     filter_headers_strings(
         getallheaders(),
-        $default_allowed_headers,
+        $headers_requiring_opt_in,
         $strictly_disallowed_headers
     )
 );
diff --git a/packages/playground/php-cors-proxy/tests/ProxyFunctionsTests.php b/packages/playground/php-cors-proxy/tests/ProxyFunctionsTests.php
@@ -147,4 +147,58 @@ public function testUrlValidateAndResolveWithTargetSelf()
             'http://cors.playground.wordpress.net/cors-proxy.php?http://cors.playground.wordpress.net'
         );
     }
-}
+
+    public function testFilterHeadersStrings()
+    {
+        $original_headers = [
+            'Accept' => 'application/json',
+            'Content-Type' => 'application/json',
+            'Cookie' => 'test=1',
+            'Host' => 'example.com',
+        ];
+
+        $headers_requiring_opt_in = [
+            'Authorization',
+        ];
+
+        $strictly_disallowed_headers = [
+            'Cookie',
+            'Host',
+        ];
+
+        $this->assertEquals([
+            'Accept' => 'application/json',
+            'Content-Type' => 'application/json',
+        ], filter_headers_strings($original_headers, $headers_requiring_opt_in, $strictly_disallowed_headers));
+    }
+
+    public function testFilterHeaderStringsWithAdditionalAllowedHeaders()
+    {
+        $original_headers = [
+            'Accept' => 'application/json',
+            'Content-Type' => 'application/json',
+            'Cookie' => 'test=1',
+            'Host' => 'example.com',
+            'Authorization' => 'Bearer 1234567890',
+            'X-Authorization' => 'Bearer 1234567890',
+            'X-Cors-Proxy-Allowed-Request-Headers' => 'Authorization',
+        ];
+
+        $headers_requiring_opt_in = [
+            'Authorization',
+        ];
+
+        $strictly_disallowed_headers = [
+            'Cookie',
+            'Host',
+        ];
+
+        $this->assertEquals([
+            'Accept' => 'application/json',
+            'Content-Type' => 'application/json',
+            'Authorization' => 'Bearer 1234567890',
+            'X-Authorization' => 'Bearer 1234567890',
+            'X-Cors-Proxy-Allowed-Request-Headers' => 'Authorization',
+        ], filter_headers_strings($original_headers, $headers_requiring_opt_in, $strictly_disallowed_headers));
+    }
+}
