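/**
 * CSRF guard for browser-originated requests.
 *
 * Only requests whose Accept header mentions text/html are checked (the
 * assumption being that non-browser clients do not send that value). For
 * every method other than GET/HEAD/OPTIONS the Referer header must be
 * present and must point at this application's root URL or a path below
 * it; anything else is rejected. Because a missing Referer is rejected,
 * browsers that strip it (e.g. a strict referrer policy) will fail here.
 *
 * @param Request $request     the incoming request
 * @param array   $routeConfig route configuration (unused here, kept for the hook signature)
 *
 * @throws BadRequestException when the Referer is missing or does not point at this application
 *
 * @return void
 */
public function execute(Request $request, array $routeConfig)
{
    // only relevant if the request comes from a browser; a missing Accept
    // header is treated like one without text/html instead of being passed
    // as null to mb_strpos (deprecated in 8.1, a TypeError under strict_types)
    $accept = $request->getHeader('Accept');
    if (null === $accept || false === mb_strpos($accept, 'text/html')) {
        return;
    }

    // these methods do not require CSRF protection as they are not
    // supposed to have side effects on the server
    $safeMethods = ['GET', 'HEAD', 'OPTIONS'];
    if (in_array($request->getMethod(), $safeMethods, true)) {
        return;
    }

    $referrer = $request->getHeader('HTTP_REFERER');
    if (null === $referrer) {
        throw new BadRequestException('HTTP_REFERER header missing');
    }

    // the referrer must be the root URL itself or lie under it; the prefix
    // is anchored at a '/' boundary so that a root URL without a trailing
    // slash cannot be satisfied by a longer host name or a different port
    // that merely begins with the same characters
    $rootUrl = $request->getUrl()->getRootUrl();
    $rootPrefix = rtrim($rootUrl, '/') . '/';
    if ($referrer !== $rootUrl && 0 !== mb_strpos($referrer, $rootPrefix)) {
        throw new BadRequestException('HTTP_REFERER has unexpected value');
    }
}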
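/**
 * Serve a stored document, honouring conditional requests via If-None-Match.
 *
 * When token information is given, the path must belong to the token's user
 * and its module must be covered by the token's read scope. A null
 * $tokenInfo skips both checks entirely — presumably the public-document
 * case decided by the caller; confirm that callers never pass null for a
 * path that requires authorization.
 *
 * @param Path           $path      the document path
 * @param Request        $request   the HTTP request (method and If-None-Match are read)
 * @param TokenInfo|null $tokenInfo the authorized token, or null to skip the authorization checks
 *
 * @throws ForbiddenException when the path's user or module does not match the token
 * @throws NotFoundException  when no version of the document exists
 *
 * @return Response a 304 with ETag only, or a 200 with ETag and (for GET) the content
 */
public function getDocument(Path $path, Request $request, ?TokenInfo $tokenInfo = null)
{
    if (null !== $tokenInfo) {
        if ($path->getUserId() !== $tokenInfo->getUserId()) {
            throw new ForbiddenException('path does not match authorized subject');
        }
        if (!$this->hasReadScope($tokenInfo->getScope(), $path->getModuleName())) {
            throw new ForbiddenException('path does not match authorized scope');
        }
    }

    $documentVersion = $this->remoteStorage->getVersion($path);
    if (null === $documentVersion) {
        throw new NotFoundException(sprintf('document "%s" not found', $path->getPath()));
    }

    // list of ETags the client already has (quotes removed), or null
    $requestedVersion = $this->stripQuotes($request->getHeader('If-None-Match'));
    $documentContentType = $this->remoteStorage->getContentType($path);

    if (null !== $requestedVersion) {
        // ETags are opaque tokens: compare them as strings, strictly. A loose
        // in_array would treat numeric-looking versions such as "100" and
        // "1e2" as equal and answer 304 for a document the client lacks.
        $requestedAsStrings = array_map(
            static function ($version) {
                return (string) $version;
            },
            $requestedVersion
        );
        if (in_array((string) $documentVersion, $requestedAsStrings, true)) {
            $notModified = new Response(304, $documentContentType);
            $notModified->setHeader('ETag', '"' . $documentVersion . '"');

            return $notModified;
        }
    }

    $isDevelopment = 'development' === $this->options['server_mode'];

    $rsr = new Response(200, $documentContentType);
    $rsr->setHeader('ETag', '"' . $documentVersion . '"');
    if (!$isDevelopment) {
        $rsr->setHeader('Accept-Ranges', 'bytes');
    }

    // HEAD gets headers only; GET also carries the content
    if ('GET' === $request->getMethod()) {
        $documentFile = $this->remoteStorage->getDocument($path, $requestedVersion);
        if ($isDevelopment) {
            // use body (read the file into the response ourselves)
            $rsr->setBody(file_get_contents($documentFile));
        } else {
            // use X-SendFile (the web server streams the file)
            $rsr->setFile($documentFile);
        }
    }

    return $rsr;
}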
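/**
 * Dispatch the request to the first route that matches its method and path.
 *
 * A POST carrying a _METHOD form parameter is re-labelled with that method
 * before routing, so HTML forms (which can only send GET/POST) can reach
 * PUT/DELETE routes. The override value is not validated here: a value no
 * route accepts ends up as a MethodNotAllowedException below. NOTE(review):
 * any hook that keys on the request method (e.g. a CSRF check) only sees
 * the overridden method if it runs after this point — confirm the ordering.
 *
 * @param Request $request the incoming request (its method may be rewritten)
 *
 * @throws NotFoundException         when some route supports the method but none matches the URL
 * @throws MethodNotAllowedException when no route supports the (possibly overridden) method
 *
 * @return mixed whatever executeCallback returns for the matched route
 */
private function runService(Request $request)
{
    // support method override when _METHOD is set in a form POST
    if ('POST' === $request->getMethod()) {
        $methodOverride = $request->getPostParameter('_METHOD');
        if (null !== $methodOverride) {
            $request->setMethod($methodOverride);
        }
    }

    // read once, after the override has been applied
    $method = $request->getMethod();
    $pathInfo = $request->getUrl()->getPathInfo();

    foreach ($this->routes as $route) {
        $callbackParameters = $route->isMatch($method, $pathInfo);
        if (false !== $callbackParameters) {
            return $this->executeCallback($request, $route, $callbackParameters);
        }
    }

    // figure out all supported methods by all routes, in first-seen order
    $supportedMethods = [];
    foreach ($this->routes as $route) {
        foreach ($route->getMethods() as $routeMethod) {
            if (!in_array($routeMethod, $supportedMethods, true)) {
                $supportedMethods[] = $routeMethod;
            }
        }
    }

    // requested method supported, document is just not available
    if (in_array($method, $supportedMethods, true)) {
        // drop the leading '/' of the path info when appending it to the root
        throw new NotFoundException(
            'url not found',
            $request->getUrl()->getRoot() . mb_substr($pathInfo, 1)
        );
    }

    // requested method not supported by any route
    throw new MethodNotAllowedException($method, $supportedMethods);
}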