From 19738e65138f2c83e73e0e8eedf259cd12fdf1c7 Mon Sep 17 00:00:00 2001 From: Enrico Tagliavini Date: Sat, 12 Jul 2014 23:26:45 +0200 Subject: adding X-Forwarded-Proto support in is_ssl() This commit adds support for X-Forwarded-Proto in case dokuwiki runs behind a reverse (SSL) proxy, but the connection between the proxy and the web server running dokuwki is plain HTTP. If an authenticated user is accidentaly dropped to HTTP from HTTPS the securecookie setting should be honored and the redirection when saving or canceling a page edit should point to the correct protocol. This happens every time a user hits cancel after editing a page, and likely even after saving. If the webserver doesn't enforce HTTPS the coockie might be sent in clear. --- inc/init.php | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/inc/init.php b/inc/init.php index 4ff239787..d825b5250 100644 --- a/inc/init.php +++ b/inc/init.php @@ -456,10 +456,6 @@ function getBaseURL($abs=null){ $port = ''; } - if(!$port && isset($_SERVER['SERVER_PORT'])) { - $port = $_SERVER['SERVER_PORT']; - } - if(is_null($port)){ $port = ''; } @@ -490,6 +486,14 @@ function getBaseURL($abs=null){ * @returns bool true when SSL is active */ function is_ssl(){ + // check if we are behind a reverse proxy + if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) { + if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') { + return true; + } else { + return false; + } + } if (!isset($_SERVER['HTTPS']) || preg_match('/^(|off|false|disabled)$/i',$_SERVER['HTTPS'])){ return false; -- cgit v1.2.3 From c42f789c87b115a747a7436d81e7aee886d0ac88 Mon Sep 17 00:00:00 2001 From: Enrico Tagliavini Date: Thu, 30 Jan 2014 15:42:09 +0000 Subject: Adding unit test for is_ssl() this should test the correctness of the return value of is_ssl() function based on various combinations of PHP environment variables --- _test/tests/inc/init_checkssl.test.php | 81 ++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 _test/tests/inc/init_checkssl.test.php diff --git a/_test/tests/inc/init_checkssl.test.php b/_test/tests/inc/init_checkssl.test.php new file mode 100644 index 000000000..c57d3c37e --- /dev/null +++ b/_test/tests/inc/init_checkssl.test.php @@ -0,0 +1,81 @@ +assertEquals(is_ssl(), true); + } + + /** + * Running behind a plain HTTP proxy, HTTP between server and proxy + * HTTPS not set + * HTTP_X_FORWARDED_PROTO set to http + */ + function test2() { + $_SERVER['HTTP_X_FORWARDED_PROTO'] = 'http'; + + $this->assertEquals(is_ssl(), false); + } + + /** + * Running behind an SSL proxy, HTTP between server and proxy + * HTTPS set to off, + * HTTP_X_FORWARDED_PROTO set to https + */ + function test3() { + $_SERVER['HTTP_X_FORWARDED_PROTO'] = 'https'; + $_SERVER['HTTPS'] = 'off'; + + $this->assertEquals(is_ssl(), true); + } + + /** + * Not running behind a proxy, HTTPS server + * HTTPS set to on, + * HTTP_X_FORWARDED_PROTO not set + */ + function test4() { + $_SERVER['HTTPS'] = 'on'; + + $this->assertEquals(is_ssl(), true); + } + + /** + * Not running behind a proxy, plain HTTP server + * HTTPS not set + * HTTP_X_FORWARDED_PROTO not set + */ + function test5() { + $this->assertEquals(is_ssl(), false); + } + + /** + * Not running behind a proxy, plain HTTP server + * HTTPS set to off + * HTTP_X_FORWARDED_PROTO not set + */ + function test6() { + $_SERVER['HTTPS'] = 'off'; + $this->assertEquals(is_ssl(), false); + } + + /** + * Running behind an SSL proxy, SSL between proxy and HTTP server + * HTTPS set to on, + * HTTP_X_FORWARDED_PROTO set to https + */ + function test7() { + $_SERVER['HTTP_X_FORWARDED_PROTO'] = 'https'; + $_SERVER['HTTPS'] = 'on'; + + $this->assertEquals(is_ssl(), true); + } +} -- cgit v1.2.3