Merge pull request #3674 from ss23/api-https-fix

API Fix HTTPS proxy header detection (Same as #3152)
2024-10-22 14:05:37 +02:00 · 2014-11-25 08:23:44 +13:00 · 2014-11-25 08:23:44 +13:00 · 28760e051d
commit 28760e051d
parent 1661213e5b b3407abe4b
3 changed files with 32 additions and 13 deletions
--- a/control/Director.php
+++ b/control/Director.php
@ -414,11 +414,22 @@ class Director implements TemplateGlobalProvider {
 	 * @return String
 	 */
 	public static function protocol() {
-		if(isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])&&strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])=='https') {
+		if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') {
-			return "https://";
+			// Convention for (non-standard) proxy signaling a HTTPS forward,
 			// see https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
 			return 'https://';
 		} else if (isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) == 'https') {
 			// Less conventional proxy header
 			return 'https://';
 		} else if (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on') {
 			// Microsoft proxy convention: https://support.microsoft.com/?kbID=307347
 			return 'https://';
 		} else if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) {
 			return 'https://';
 		} else if (isset($_SERVER['SSL'])) {
 			return 'https://';
 		}
-		return (isset($_SERVER['SSL']) || (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) 
+		return 'http://';
 			? 'https://' : 'http://';
 	}
 	/**
--- a/control/HTTP.php
+++ b/control/HTTP.php
@ -343,7 +343,7 @@ class HTTP {
 			// By also using and etag that includes both the modification date and all the varies 
 			// values which we also check against we can catch this and not return a 304
 			$etagParts = array(self::$modification_date, serialize($_COOKIE));
-			if (isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])) $etagParts[] = $_SERVER['HTTP_X_FORWARDED_PROTOCOL'];
+			$etagParts[] = Director::protocol();
 			if (isset($_SERVER['HTTP_USER_AGENT'])) $etagParts[] = $_SERVER['HTTP_USER_AGENT'];
 			if (isset($_SERVER['HTTP_ACCEPT'])) $etagParts[] = $_SERVER['HTTP_ACCEPT'];
--- a/core/startup/ParameterConfirmationToken.php
+++ b/core/startup/ParameterConfirmationToken.php
@ -76,16 +76,24 @@ class ParameterConfirmationToken {
 	protected function currentAbsoluteURL() {
 		global $url;
-		// Are we http or https?
+		if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') {
-		$proto = 'http';
+			// Convention for (non-standard) proxy signaling a HTTPS forward,
-
+			// see https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
-		if(isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])) {
+			$proto = 'https';
-			if(strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) == 'https') $proto = 'https';
+		} else if (isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) == 'https') {
 			// Less conventional proxy header
 			$proto = 'https';
 		} else if (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on') {
 			// Microsoft proxy convention: https://support.microsoft.com/?kbID=307347
 			$proto = 'https';
 		} else if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) {
 			$proto = 'https';
 		} else if (isset($_SERVER['SSL'])) {
 			$proto = 'https';
 		} else {
 			$proto = 'http';
 		}
 		if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) $proto = 'https';
 		if(isset($_SERVER['SSL'])) $proto = 'https';
 		$parts = array_filter(array(
 			// What's our host
 			$_SERVER['HTTP_HOST'],