ZF-3161: ZF MVC is not compatible with apache + http protocol proxy requests
Not sure if other web servers are affected, but I'm assuming so. I've tested both apache 1.3 and 2.2 with php 4.4 and 5.2 respectively (php as a module of course). To reproduce ... Go here:
Now, setup your browser to proxy through 220.127.116.11. In Firefox go to Tools > Options -> Advanced Tab -> Network Tab -> Connection Settings Button. Select manual proxy configuration, enter the IP in the http proxy field and use 80 for the port. Click OK, and click OK.
Now refresh and you'll see:
Error! An error occurred with this request: Invalid controller specified (http:).
The reason is, when http is used with a proxy request apache turns the REQUEST_URI server var into a fully qualified URI. In this case, instead of the request uri being /docs/quickstart it becomes http://framework.zend.com/docs/quickstart and hence why the error is saying http: is an invalid controller, because when request uri is split on / http: is the first param in the request.
This all may not mean much to you, but for development and monitoring we use this all the time. Furthermore, although its very rare, some people do actually use proxies setup in their browsers.
So what to do? I'm not entirely sure I can make a sound recommendation, but just browsing through Zend_Controller_Request_Http it seems that we are fully counting on and trusting web servers. setRequestUri() simply takes a server var and sets it up as the request uri, no validation what so ever. A fairly safe assumption I'd say heh, but in this case there is an exception. So I'm thinking, why not take the logic that happens in the constructor and move it down into setRequestUri()? In other words, use the power of Zend_Uri and make sure only the "path" part of a uri is ever set as the request uri member?
In the mean time I'm just replacing this:
$requestUri = preg_replace( '/^https?:\/\/' . $_SERVER['HTTP_HOST'] . '/i', '', $_SERVER['REQUEST_URI'] );```
FYI, this might show up in the zf general mailing list too. I'm having all sorts of trouble with my subscription and I don't think my emails ever did get through, but maybe they will ...