From 6a6d90ce03f53ea36fd4507a1a0f240ed62659b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20Arnauts?=
Date: Wed, 9 Aug 2017 09:21:02 +0200
Subject: [PATCH 1/4] Add handleOptions to Cors filter so OPTIONS requests are handled for the preflight check.

---
 framework/CHANGELOG.md | 1 +
 framework/filters/Cors.php | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
index d491797..5a11048 100644
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@@ -6,6 +6,7 @@ Yii Framework 2 Change Log
 - New #14151: Added `AttributesBehavior` that assigns values specified to one or multiple attributes of an AR object when certain events happen (bscheshirwork)
 - Bug #6526: Fixed `yii\db\Command::batchInsert()` casting of double values correctly independent of the locale (cebe, leammas)
+- Chg #14618: Handle OPTIONS request in `yii\filter\Cors` so the preflight check isn't passed trough Authentication filters. (michaelarnauts)
 - Bug #14542: Ensured only ASCII characters are in CSRF cookie value since binary data causes issues with ModSecurity and some browsers (samdark)
 - Enh #14022: `yii\web\UrlManager::setBaseUrl()` now supports aliases (dmirogin)
 - Bug #14471: `ContentNegotiator` will always set one of the configured server response formats even if the client does not accept any of them (PowerGamer1)
diff --git a/framework/filters/Cors.php b/framework/filters/Cors.php
index ce7b25e..7ff5913 100644
--- a/framework/filters/Cors.php
+++ b/framework/filters/Cors.php
@@ -106,6 +106,12 @@ class Cors extends ActionFilter
 $responseCorsHeaders = $this->prepareHeaders($requestCorsHeaders);
 $this->addCorsHeaders($this->response, $responseCorsHeaders);
+ if ($this->request->isOptions && $this->request->headers->has('Access-Control-Request-Method')) {
+ // it is CORS preflight request, respond with 200 OK without further processing
+ $this->response->setStatusCode(200);
+ return false;
+ }
+
 return true;
 }
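Review bot: The preflight short-circuit added in the Cors.php hunk only keeps OPTIONS requests away from authentication when this filter runs before the authenticator, and nothing in the added lines can enforce that; as far as I can tell Yii runs action filters in the order they are declared in `behaviors()`, so the comment should state the precondition, e.g. `// CORS preflight: answer 200 here and skip the action. Only shields later filters (e.g. auth) if Cors is declared before them in behaviors().`. It is also worth saying in the same comment that the check deliberately requires `Access-Control-Request-Method`, so a plain OPTIONS request without it still falls through to `return true` and reaches the action and any subsequent filters. The CORS response headers have already been added by `addCorsHeaders()` on the line above, so a preflight from an origin not in the allow-list gets a 200 without an allow-origin header and is rejected by the browser, which is the expected outcome but deserves a sentence in the docblock. The opening of `beforeAction()` and its docblock are outside the hunk.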
From 33c9b7423c80fbc9440aa094422c831182ce9864 Mon Sep 17 00:00:00 2001
From: leandrogehlen
Date: Wed, 27 Dec 2017 14:01:44 -0200
Subject: [PATCH 2/4] Added cors preflight tests

---
 tests/framework/filters/CorsTest.php | 45 ++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 tests/framework/filters/CorsTest.php

diff --git a/tests/framework/filters/CorsTest.php b/tests/framework/filters/CorsTest.php
new file mode 100644
index 0000000..5fb1f94
--- /dev/null
+++ b/tests/framework/filters/CorsTest.php
@@ -0,0 +1,45 @@
+mockWebApplication();
+ $controller = new Controller('id', Yii::$app);
+ $action = new Action('test', $controller);
+ $request = new Request();
+
+ $cors = new Cors();
+ $cors->request = $request;
+
+ $_SERVER['REQUEST_METHOD'] = 'OPTIONS';
+ $request->headers->set('Access-Control-Request-Method', 'GET');
+ $this->assertFalse($cors->beforeAction($action));
+ $this->assertEquals(200, $cors->response->getStatusCode());
+
+ $_SERVER['REQUEST_METHOD'] = 'GET';
+ $request->headers->set('Access-Control-Request-Method', 'GET');
+ $this->assertTrue($cors->beforeAction($action));
+
+ $request->headers->remove('Access-Control-Request-Method');
+ $this->assertTrue($cors->beforeAction($action));
+ }
+}
From f3704e814f87286b6632453d445a39549323fbc7 Mon Sep 17 00:00:00 2001
From: Leandro Gehlen
Date: Wed, 27 Dec 2017 15:39:31 -0200
Subject: [PATCH 3/4] Fixes changelog

---
 framework/CHANGELOG.md | 8 +------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
index 9664f78..4cb357e 100644
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@@ -52,6 +52,7 @@ Yii Framework 2 Change Log
 - Enh #15360: Refactored `BaseConsole::updateProgress()` (developeruz)
 - Enh #15415: Added transaction/retry support for `yii\db\Command` (sergeymakinen)
 - Enh: Added check to `yii\base\Model::formName()` to prevent source path disclosure when form is represented by an anonymous class (silverfire)
+- Chg #15420: Handle OPTIONS request in `yii\filter\Cors` so the preflight check isn't passed trough authentication filters (michaelarnauts, leandrogehlen)
 2.0.13.1 November 14, 2017
@@ -69,13 +70,6 @@ Yii Framework 2 Change Log
 - Bug #6226: Fix fatal symlink error during assets publishing in multi threaded environment (dynasource)
 - Bug #6526: Fixed `yii\db\Command::batchInsert()` casting of double values correctly independent of the locale (cebe, leammas)
 - Bug #6588: Fixed changing array keys after validation of multiple files in `yii\validators\FileValidator` (developeruz)
-- Chg #14618: Handle OPTIONS request in `yii\filter\Cors` so the preflight check isn't passed trough Authentication filters. (michaelarnauts)
-- Bug #14542: Ensured only ASCII characters are in CSRF cookie value since binary data causes issues with ModSecurity and some browsers (samdark)
-- Enh #14022: `yii\web\UrlManager::setBaseUrl()` now supports aliases (dmirogin)
-- Bug #14471: `ContentNegotiator` will always set one of the configured server response formats even if the client does not accept any of them (PowerGamer1)
-- Bug #14525: Fixed 2.0.12 regression of loading of global fixtures trough `yii fixture/load` (michaelarnauts)
-- Bug #14523: Added `yii\web\MultipartFormDataParser::$force` option allowing to enforce parsing even on 'POST' request (klimov-paul)
-- Bug #14533: Fixed `yii\validators\ExistValidator` and `yii\validators\UniqueValidator` throw exception in case they are set for `yii\db\ActiveRecord` with `$targetClass` pointing to NOSQL ActiveRecord (klimov-paul)
 - Bug #14449: Fix PHP 7.2 compatibility bugs and add explicit closure support in `yii\base\Application` (dynasource)
 - Bug #7890: Allow `migrate/mark` to mark history at the point of the base migration (cebe)
 - Bug #11242: Fixed excess escaping in `yii\db\Command::batchInsert()` (silverfire)
From bcdbf61e96965c881eed57000cdb8ce32f5dbe05 Mon Sep 17 00:00:00 2001
From: Leandro Gehlen
Date: Wed, 27 Dec 2017 15:42:07 -0200
Subject: [PATCH 4/4] Removed duplicated entry

---
 framework/CHANGELOG.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
index 4cb357e..ee09ad3 100644
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@@ -70,7 +70,6 @@ Yii Framework 2 Change Log
 - Bug #6226: Fix fatal symlink error during assets publishing in multi threaded environment (dynasource)
 - Bug #6526: Fixed `yii\db\Command::batchInsert()` casting of double values correctly independent of the locale (cebe, leammas)
 - Bug #6588: Fixed changing array keys after validation of multiple files in `yii\validators\FileValidator` (developeruz)
-- Bug #14449: Fix PHP 7.2 compatibility bugs and add explicit closure support in `yii\base\Application` (dynasource)
 - Bug #7890: Allow `migrate/mark` to mark history at the point of the base migration (cebe)
 - Bug #11242: Fixed excess escaping in `yii\db\Command::batchInsert()` (silverfire)
 - Bug #11825: User can login by cookie only once when `autoRenewCookie` is set to false (shirase, silverfire)