Merge branch '3.1.x' into 3.2.x

* 3.1.x: [ticket/14481] Add tests for x_forwarded_proto header [ticket/14481] Use port 443 if https is specified in x-forwarded-proto [ticket/14481] Respect HTTP_X_FORWARDED headers for implying https
2025-01-19 07:08:09 +01:00 · 2016-03-27 12:56:03 +02:00 · 2016-03-27 12:56:03 +02:00 · 386d31ec63
commit 386d31ec63
parent 7d5a853b21 5442a25967
5 changed files with 126 additions and 6 deletions
--- a/phpBB/common.php
+++ b/phpBB/common.php
@ -43,7 +43,13 @@ if (!defined('PHPBB_INSTALLED'))
 	// available as used by the redirect function
 	$server_name = (!empty($_SERVER['HTTP_HOST'])) ? strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME'));
 	$server_port = (!empty($_SERVER['SERVER_PORT'])) ? (int) $_SERVER['SERVER_PORT'] : (int) getenv('SERVER_PORT');
-	$secure = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 1 : 0;
+	$secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 1 : 0;
+
+	if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')
+	{
+		$secure = 1;
+		$server_port = 443;
+	}

 	$script_name = (!empty($_SERVER['PHP_SELF'])) ? $_SERVER['PHP_SELF'] : getenv('PHP_SELF');
 	if (!$script_name)
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@ -1648,6 +1648,12 @@ function generate_board_url($without_script_path = false)

 	$server_name = $user->host;
 	$server_port = $request->server('SERVER_PORT', 0);
+	$forwarded_proto = $request->server('HTTP_X_FORWARDED_PROTO');
+
+	if (!empty($forwarded_proto) && $forwarded_proto === 'https')
+	{
+		$server_port = 443;
+	}

 	// Forcing server vars is the only way to specify/override the protocol
 	if ($config['force_server_vars'] || !$server_name)
--- a/phpBB/phpbb/auth/provider/oauth/oauth.php
+++ b/phpBB/phpbb/auth/provider/oauth/oauth.php
@ -280,7 +280,13 @@ class oauth extends \phpbb\auth\provider\base
 		}

 		$uri_factory = new \OAuth\Common\Http\Uri\UriFactory();
-		$current_uri = $uri_factory->createFromSuperGlobalArray($this->request->get_super_global(\phpbb\request\request_interface::SERVER));
+		$super_globals = $this->request->get_super_global(\phpbb\request\request_interface::SERVER);
+		if (!empty($super_globals['HTTP_X_FORWARDED_PROTO']) && $super_globals['HTTP_X_FORWARDED_PROTO'] === 'https')
+		{
+			$super_globals['HTTPS'] = 'on';
+			$super_globals['SERVER_PORT'] = 443;
+		}
+		$current_uri = $uri_factory->createFromSuperGlobalArray($super_globals);
 		$current_uri->setQuery($query);

 		$this->current_uri = $current_uri;
--- a/phpBB/phpbb/request/request.php
+++ b/phpBB/phpbb/request/request.php
@ -325,7 +325,9 @@ class request implements \phpbb\request\request_interface
 	*/
 	public function is_secure()
 	{
-		return $this->server('HTTPS') == 'on';
+		$https = $this->server('HTTPS');
+		$https = $this->server('HTTP_X_FORWARDED_PROTO') === 'https' ? 'on' : $https;
+		return !empty($https) && $https !== 'off';
 	}

 	/**
--- a/tests/request/request_test.php
+++ b/tests/request/request_test.php
@ -13,7 +13,10 @@

 class phpbb_request_test extends phpbb_test_case
 {
+	/** @var \phpbb\request\type_cast_helper_interface */
 	private $type_cast_helper;
+
+	/** @var \phpbb\request\request */
 	private $request;

 	protected function setUp()
@ -143,15 +146,112 @@ class phpbb_request_test extends phpbb_test_case
 		$this->assertTrue($this->request->is_ajax());
 	}

-	public function test_is_secure()
+	public function data_is_secure()
+	{
+		return array(
+			array(
+				array(
+					'HTTPS' => 'on',
+				),
+				true,
+			),
+			array(
+				array(
+					'HTTPS' => '1',
+				),
+				true,
+			),
+			array(
+				array(
+					'HTTPS' => 'yes',
+				),
+				true,
+			),
+			array(
+				array(
+					'HTTPS' => 1,
+				),
+				true,
+			),
+			array(
+				array(
+					'HTTPS' => 'off',
+				),
+				false,
+			),
+			array(
+				array(
+					'HTTPS' => '0',
+				),
+				false,
+			),
+			array(
+				array(
+					'HTTPS' => 0,
+				),
+				false,
+			),
+			array(
+				array(
+					'HTTPS' => '',
+				),
+				false,
+			),
+			array(
+				array(
+					'HTTPS' => 'off',
+					'HTTP_X_FORWARDED_PROTO' => 'https',
+				),
+				true,
+			),
+			array(
+				array(
+					'HTTPS' => 'on',
+					'HTTP_X_FORWARDED_PROTO' => 'http',
+				),
+				true,
+			),
+			array(
+				array(
+					'HTTPS' => 'off',
+					'HTTP_X_FORWARDED_PROTO' => 'http',
+				),
+				false,
+			),
+			array(
+				array(
+					'HTTP_X_FORWARDED_PROTO' => 'http',
+				),
+				false,
+			),
+			array(
+				array(
+					'HTTP_X_FORWARDED_PROTO' => 'https',
+				),
+				true,
+			),
+			array(
+				array(
+					'HTTPS' => 'on',
+					'HTTP_X_FORWARDED_PROTO' => 'http',
+				),
+				true,
+			),
+		);
+	}
+
+	/**
+	 * @dataProvider data_is_secure
+	 */
+	public function test_is_secure($server_data, $expected)
 	{
 		$this->assertFalse($this->request->is_secure());

 		$this->request->enable_super_globals();
-		$_SERVER['HTTPS'] = 'on';
+		$_SERVER = $server_data;
 		$this->request = new \phpbb\request\request($this->type_cast_helper);

-		$this->assertTrue($this->request->is_secure());
+		$this->assertSame($expected, $this->request->is_secure());
 	}

 	public function test_variable_names()