From 1d47e6c4cf27cd192220f56a42a87543d0e32fdf Mon Sep 17 00:00:00 2001
From: Julien Loizelet
Date: Fri, 18 Oct 2024 09:20:19 +0900
Subject: [PATCH] feat(file_get_contents): Remove problematic headers for AppSec request

---
 CHANGELOG.md | 11 +++++++++
 src/Client/RequestHandler/FileGetContents.php | 23 ++++++++++++-------
 src/Constants.php | 2 +-
 tests/Unit/CurlTest.php | 6 +++++
 tests/Unit/FileGetContentsTest.php | 1 +
 5 files changed, 34 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 78c69be..6b64f39 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,17 @@ As far as possible, we try to adhere to [Symfony guidelines](https://symfony.com
 ---
+## [2.3.2](https://github.com/crowdsecurity/php-common/releases/tag/v2.3.2) - 2024-10-18
+[_Compare with previous release_](https://github.com/crowdsecurity/php-common/compare/v2.3.1...v2.3.2)
+
+
+### Fixed
+
+- Remove `Content-Length` header during `file_get_contents` call for AppSec request
+- Remove `Host` header during `file_get_contents` call for AppSec request only
+
+---
+
 ## [2.3.1](https://github.com/crowdsecurity/php-common/releases/tag/v2.3.1) - 2024-10-16
 [_Compare with previous release_](https://github.com/crowdsecurity/php-common/compare/v2.3.0...v2.3.1)
diff --git a/src/Client/RequestHandler/FileGetContents.php b/src/Client/RequestHandler/FileGetContents.php
index c3d021a..b1c4d91 100644
--- a/src/Client/RequestHandler/FileGetContents.php
+++ b/src/Client/RequestHandler/FileGetContents.php
@@ -126,19 +126,26 @@ protected function getResponseHttpCode(array $parts): int
 private function createContextConfig(Request $request): array
 {
 $headers = $request->getValidatedHeaders();
- /**
- * It's not recommended to set the Host header when using file_get_contents (with follow_location).
- *
- * @see https://www.php.net/manual/en/context.http.php#context.http.header
- * As it was causing issues with PHP 7.2, we are removing it.
- * For AppSec requests, original host is sent in the X-Crowdsec-Appsec-Host header.
- */
- unset($headers['Host']);
 $isAppSec = $request instanceof AppSecRequest;
 $rawBody = '';
 if ($isAppSec) {
 /** @var AppSecRequest $request */
 $rawBody = $request->getRawBody();
+ /**
+ * It's not recommended to set the Host header when using file_get_contents (with follow_location).
+ *
+ * @see https://www.php.net/manual/en/context.http.php#context.http.header
+ * As it was causing issues with PHP 7.2, we are removing it.
+ * In all cases, for AppSec requests, the originating host is sent in the X-Crowdsec-Appsec-Host header.
+ */
+ unset($headers['Host']);
+ /**
+ * As we are sending the original request Content-Length's header,
+ * it differs from content-length that should be to sent to AppSec.
+ * We are removing it because file_get_contents does not automatically calculate this header,
+ * unlike cURL, and keeping it would result in a 400 error (bad request) from AppSec.
+ */
+ unset($headers['Content-Length']);
 }
 $header = $this->convertHeadersToString($headers);
 $method = $request->getMethod();
diff --git a/src/Constants.php b/src/Constants.php
index cba5209..57cda8d 100644
--- a/src/Constants.php
+++ b/src/Constants.php
@@ -131,7 +131,7 @@ class Constants
 /**
 * @var string The current version of this library
 */
- public const VERSION = 'v2.3.1';
+ public const VERSION = 'v2.3.2';
 /**
 * @var string The version regex
 */
diff --git a/tests/Unit/CurlTest.php b/tests/Unit/CurlTest.php
index 73e1323..ff7a7f9 100644
--- a/tests/Unit/CurlTest.php
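Review bot: The two `unset()` calls added inside the `if ($isAppSec)` branch match only the exact keys `'Host'` and `'Content-Length'`; HTTP header names are case-insensitive, so if `getValidatedHeaders()` does not normalise key case (not visible in this hunk), a `host` or `content-length` entry would survive and still reach AppSec, where the stale length is exactly the 400 the docblock describes. A case-insensitive removal avoids depending on that normalisation, see the sketch below. Moving the `Host` removal into the AppSec branch also changes behaviour for non-AppSec requests, which previously had `Host` stripped because of the PHP 7.2 issue the docblock still cites; none of the test changes in this commit cover the non-AppSec path, so a test asserting the intended outcome there (kept or stripped) would pin that decision. Minor wording in the second docblock: `it differs from the Content-Length that should be sent to AppSec`. createContextConfig continues past the end of the hunk.
```php
        if ($isAppSec) {
            // … unchanged: rawBody retrieval …
            // file_get_contents neither recomputes Content-Length nor should carry the original Host
            // (AppSec receives it in X-Crowdsec-Appsec-Host); drop both regardless of key case.
            $headers = array_filter(
                $headers,
                static fn ($name): bool => !in_array(strtolower((string) $name), ['host', 'content-length'], true),
                \ARRAY_FILTER_USE_KEY
            );
        }
```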
+++ b/tests/Unit/CurlTest.php
@@ -306,6 +306,8 @@ public function testOptionsForAppSec()
 'X-Crowdsec-Appsec-Method' => 'test-value',
 'X-Crowdsec-Appsec-Uri' => 'test-value',
 'X-Crowdsec-Appsec-Api-Key' => 'test-value',
+ 'Host' => 'test-value.com',
+ 'Content-Length' => '123',
 ];
 $rawBody = 'this is raw body';
 $configs = $this->tlsConfigs;
@@ -329,6 +331,8 @@ public function testOptionsForAppSec()
 'X-Crowdsec-Appsec-Method:test-value',
 'X-Crowdsec-Appsec-Uri:test-value',
 'X-Crowdsec-Appsec-Api-Key:test-value',
+ 'Host:test-value.com',
+ 'Content-Length:123',
 ],
 \CURLOPT_POST => true,
 \CURLOPT_POSTFIELDS => 'this is raw body',
@@ -369,6 +373,8 @@ public function testOptionsForAppSec()
 'X-Crowdsec-Appsec-Method:test-value',
 'X-Crowdsec-Appsec-Uri:test-value',
 'X-Crowdsec-Appsec-Api-Key:test-value',
+ 'Host:test-value.com',
+ 'Content-Length:123',
 'User-Agent:' . TestConstants::USER_AGENT_SUFFIX,
 ],
 \CURLOPT_POST => false,
diff --git a/tests/Unit/FileGetContentsTest.php b/tests/Unit/FileGetContentsTest.php
index 515151d..41c516b 100644
--- a/tests/Unit/FileGetContentsTest.php
+++ b/tests/Unit/FileGetContentsTest.php
@@ -173,6 +173,7 @@ public function testContextConfigForAppSec()
 'X-Crowdsec-Appsec-Uri' => 'test-value',
 'X-Crowdsec-Appsec-Api-Key' => 'test-value',
 'Host' => 'test-value-should-be-removed',
+ 'Content-Length' => 'test-value-should-be-removed',
 'Custom-Header' => 'test-value-should-be-kept',
 ];
 $rawBody = 'This is a raw body';
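Review bot: The expected `\CURLOPT_HTTPHEADER` arrays in all three hunks of testOptionsForAppSec now pin that a caller-supplied `Content-Length:123` is passed through to cURL unchanged, next to a `\CURLOPT_POSTFIELDS` body of 16 bytes ('this is raw body'), so the test locks in a declared length that does not match the body being sent. That sits uneasily with the docblock this same commit adds in src/Client/RequestHandler/FileGetContents.php, which says cURL computes this header itself; libcurl's documented behaviour is that a header supplied via CURLOPT_HTTPHEADER replaces the internally generated one of the same name, in which case the curl request handler has the same stale-length problem the file_get_contents path is being fixed for (worth confirming against the libcurl version in use). Unless the curl handler is known to drop these headers elsewhere, consider stripping `Content-Length` (and `Host`) there as well and asserting here that they are absent, i.e. removing the two added `'Host:…'`/`'Content-Length:…'` entries from each expected array rather than adding them. The test method starts before the first hunk and continues past the last.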