[ticket/15085] Add HTTPS requirement for HTTP authentication on feeds

PHPBB-15085
2025-10-12 07:24:31 +02:00 · 2025-10-03 22:28:06 +02:00
parent 3dbc1b28b5
commit 752ce67da0
2 changed files with 47 additions and 0 deletions
--- a/phpBB/phpbb/feed/event/http_auth_subscriber.php
+++ b/phpBB/phpbb/feed/event/http_auth_subscriber.php
@@ -72,6 +72,12 @@ class http_auth_subscriber implements EventSubscriberInterface
 			return;
 		}

+		// Only allow HTTP authentication in secure context (HTTPS)
+		if (!$request->isSecure())
+		{
+			return;
+		}
+
 		// Check if HTTP authentication is enabled
 		if (!$this->config['feed_http_auth'])
 		{
--- a/tests/feed/http_auth_subscriber_test.php
+++ b/tests/feed/http_auth_subscriber_test.php
@@ -95,6 +95,39 @@ class http_auth_subscriber_test extends \phpbb_test_case
 		$this->subscriber->on_kernel_request($event);
 	}

+	public function test_insecure_connection_skipped()
+	{
+		$request = $this->getMockBuilder('\Symfony\Component\HttpFoundation\Request')
+			->disableOriginalConstructor()
+			->getMock();
+
+		$request->attributes = $this->getMockBuilder('\Symfony\Component\HttpFoundation\ParameterBag')
+			->disableOriginalConstructor()
+			->getMock();
+
+		$request->attributes->expects($this->once())
+			->method('get')
+			->with('_route')
+			->willReturn('phpbb_feed_overall');
+
+		$request->expects($this->once())
+			->method('isSecure')
+			->willReturn(false);
+
+		$event = $this->getMockBuilder('\Symfony\Component\HttpKernel\Event\GetResponseEvent')
+			->disableOriginalConstructor()
+			->getMock();
+
+		$event->expects($this->once())
+			->method('getRequest')
+			->willReturn($request);
+
+		$event->expects($this->never())
+			->method('setResponse');
+
+		$this->subscriber->on_kernel_request($event);
+	}
+
 	public function test_http_auth_disabled()
 	{
 		$this->config['feed_http_auth'] = 0;
@@ -112,6 +145,10 @@ class http_auth_subscriber_test extends \phpbb_test_case
 			->with('_route')
 			->willReturn('phpbb_feed_overall');

+		$request->expects($this->once())
+			->method('isSecure')
+			->willReturn(true);
+
 		$event = $this->getMockBuilder('\Symfony\Component\HttpKernel\Event\GetResponseEvent')
 			->disableOriginalConstructor()
 			->getMock();
@@ -143,6 +180,10 @@ class http_auth_subscriber_test extends \phpbb_test_case
 			->with('_route')
 			->willReturn('phpbb_feed_overall');

+		$request->expects($this->once())
+			->method('isSecure')
+			->willReturn(true);
+
 		$event = $this->getMockBuilder('\Symfony\Component\HttpKernel\Event\GetResponseEvent')
 			->disableOriginalConstructor()
 			->getMock();