aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTristan Darricau <tristan.darricau@sensiolabs.com>2016-03-27 12:56:03 +0200
committerTristan Darricau <tristan.darricau@sensiolabs.com>2016-03-27 12:56:03 +0200
commit5442a2596718ea2ce81dfa31c44549f62311cd47 (patch)
tree43d3ba6aba4298e155b2926d5133fb213d3ef846
parent50737da051bc949b71aa7516dda8bebbfe61c73c (diff)
parentf22bd4e511697bedb76c1909148753b3581adb1f (diff)
downloadforums-5442a2596718ea2ce81dfa31c44549f62311cd47.tar
forums-5442a2596718ea2ce81dfa31c44549f62311cd47.tar.gz
forums-5442a2596718ea2ce81dfa31c44549f62311cd47.tar.bz2
forums-5442a2596718ea2ce81dfa31c44549f62311cd47.tar.xz
forums-5442a2596718ea2ce81dfa31c44549f62311cd47.zip
Merge pull request #4182 from marc1706/ticket/14481
[ticket/14481] Respect HTTP_X_FORWARDED headers for implying https * marc1706/ticket/14481: [ticket/14481] Add tests for x_forwarded_proto header [ticket/14481] Use port 443 if https is specified in x-forwarded-proto [ticket/14481] Respect HTTP_X_FORWARDED headers for implying https
-rw-r--r--phpBB/common.php8
-rw-r--r--phpBB/includes/functions.php6
-rw-r--r--phpBB/phpbb/auth/provider/oauth/oauth.php8
-rw-r--r--phpBB/phpbb/request/request.php4
-rw-r--r--tests/request/request_test.php106
5 files changed, 126 insertions, 6 deletions
diff --git a/phpBB/common.php b/phpBB/common.php
index 0782bd7321..71d501e926 100644
--- a/phpBB/common.php
+++ b/phpBB/common.php
@@ -38,7 +38,13 @@ if (!defined('PHPBB_INSTALLED'))
// available as used by the redirect function
$server_name = (!empty($_SERVER['HTTP_HOST'])) ? strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME'));
$server_port = (!empty($_SERVER['SERVER_PORT'])) ? (int) $_SERVER['SERVER_PORT'] : (int) getenv('SERVER_PORT');
- $secure = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 1 : 0;
+ $secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 1 : 0;
+
+ if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')
+ {
+ $secure = 1;
+ $server_port = 443;
+ }
$script_name = (!empty($_SERVER['PHP_SELF'])) ? $_SERVER['PHP_SELF'] : getenv('PHP_SELF');
if (!$script_name)
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 8e3f62230a..b225effacc 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2234,6 +2234,12 @@ function generate_board_url($without_script_path = false)
$server_name = $user->host;
$server_port = $request->server('SERVER_PORT', 0);
+ $forwarded_proto = $request->server('HTTP_X_FORWARDED_PROTO');
+
+ if (!empty($forwarded_proto) && $forwarded_proto === 'https')
+ {
+ $server_port = 443;
+ }
// Forcing server vars is the only way to specify/override the protocol
if ($config['force_server_vars'] || !$server_name)
diff --git a/phpBB/phpbb/auth/provider/oauth/oauth.php b/phpBB/phpbb/auth/provider/oauth/oauth.php
index be0fbf5831..9f6345fbba 100644
--- a/phpBB/phpbb/auth/provider/oauth/oauth.php
+++ b/phpBB/phpbb/auth/provider/oauth/oauth.php
@@ -271,7 +271,13 @@ class oauth extends \phpbb\auth\provider\base
}
$uri_factory = new \OAuth\Common\Http\Uri\UriFactory();
- $current_uri = $uri_factory->createFromSuperGlobalArray($this->request->get_super_global(\phpbb\request\request_interface::SERVER));
+ $super_globals = $this->request->get_super_global(\phpbb\request\request_interface::SERVER);
+ if (!empty($super_globals['HTTP_X_FORWARDED_PROTO']) && $super_globals['HTTP_X_FORWARDED_PROTO'] === 'https')
+ {
+ $super_globals['HTTPS'] = 'on';
+ $super_globals['SERVER_PORT'] = 443;
+ }
+ $current_uri = $uri_factory->createFromSuperGlobalArray($super_globals);
$current_uri->setQuery($query);
$this->current_uri = $current_uri;
diff --git a/phpBB/phpbb/request/request.php b/phpBB/phpbb/request/request.php
index 56ce3999ed..4cac6fbaea 100644
--- a/phpBB/phpbb/request/request.php
+++ b/phpBB/phpbb/request/request.php
@@ -325,7 +325,9 @@ class request implements \phpbb\request\request_interface
*/
public function is_secure()
{
- return $this->server('HTTPS') == 'on';
+ $https = $this->server('HTTPS');
+ $https = $this->server('HTTP_X_FORWARDED_PROTO') === 'https' ? 'on' : $https;
+ return !empty($https) && $https !== 'off';
}
/**
diff --git a/tests/request/request_test.php b/tests/request/request_test.php
index 131abe6aac..ebaea1f9ef 100644
--- a/tests/request/request_test.php
+++ b/tests/request/request_test.php
@@ -13,7 +13,10 @@
class phpbb_request_test extends phpbb_test_case
{
+ /** @var \phpbb\request\type_cast_helper_interface */
private $type_cast_helper;
+
+ /** @var \phpbb\request\request */
private $request;
protected function setUp()
@@ -143,15 +146,112 @@ class phpbb_request_test extends phpbb_test_case
$this->assertTrue($this->request->is_ajax());
}
- public function test_is_secure()
+ public function data_is_secure()
+ {
+ return array(
+ array(
+ array(
+ 'HTTPS' => 'on',
+ ),
+ true,
+ ),
+ array(
+ array(
+ 'HTTPS' => '1',
+ ),
+ true,
+ ),
+ array(
+ array(
+ 'HTTPS' => 'yes',
+ ),
+ true,
+ ),
+ array(
+ array(
+ 'HTTPS' => 1,
+ ),
+ true,
+ ),
+ array(
+ array(
+ 'HTTPS' => 'off',
+ ),
+ false,
+ ),
+ array(
+ array(
+ 'HTTPS' => '0',
+ ),
+ false,
+ ),
+ array(
+ array(
+ 'HTTPS' => 0,
+ ),
+ false,
+ ),
+ array(
+ array(
+ 'HTTPS' => '',
+ ),
+ false,
+ ),
+ array(
+ array(
+ 'HTTPS' => 'off',
+ 'HTTP_X_FORWARDED_PROTO' => 'https',
+ ),
+ true,
+ ),
+ array(
+ array(
+ 'HTTPS' => 'on',
+ 'HTTP_X_FORWARDED_PROTO' => 'http',
+ ),
+ true,
+ ),
+ array(
+ array(
+ 'HTTPS' => 'off',
+ 'HTTP_X_FORWARDED_PROTO' => 'http',
+ ),
+ false,
+ ),
+ array(
+ array(
+ 'HTTP_X_FORWARDED_PROTO' => 'http',
+ ),
+ false,
+ ),
+ array(
+ array(
+ 'HTTP_X_FORWARDED_PROTO' => 'https',
+ ),
+ true,
+ ),
+ array(
+ array(
+ 'HTTPS' => 'on',
+ 'HTTP_X_FORWARDED_PROTO' => 'http',
+ ),
+ true,
+ ),
+ );
+ }
+
+ /**
+ * @dataProvider data_is_secure
+ */
+ public function test_is_secure($server_data, $expected)
{
$this->assertFalse($this->request->is_secure());
$this->request->enable_super_globals();
- $_SERVER['HTTPS'] = 'on';
+ $_SERVER = $server_data;
$this->request = new \phpbb\request\request($this->type_cast_helper);
- $this->assertTrue($this->request->is_secure());
+ $this->assertSame($expected, $this->request->is_secure());
}
public function test_variable_names()