[TASK] Properly check for HTTPS 50/55750/6
authorAlexander Opitz <opitz.alexander@googlemail.com>
Fri, 16 Feb 2018 09:08:07 +0000 (10:08 +0100)
committerChristian Kuhn <lolli@schwarzbu.ch>
Fri, 16 Feb 2018 19:02:25 +0000 (20:02 +0100)
Take into account empty and "off" values for the HTTPS request variable
to support ISAPI with IIS.

Resolves: #81837
Releases: master, 8.7
Change-Id: I5937c506d3e36a2009a8da6e66724728654b4001
Reviewed-on: https://review.typo3.org/55750
Reviewed-by: Mathias Schreiber <mathias.schreiber@typo3.com>
Tested-by: Mathias Schreiber <mathias.schreiber@typo3.com>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
typo3/sysext/core/Classes/Http/NormalizedParams.php
typo3/sysext/core/Classes/Utility/GeneralUtility.php
typo3/sysext/core/Tests/Unit/Http/NormalizedParamsTest.php

index 63af1d8..6731d67 100644 (file)
@@ -588,10 +588,12 @@ class NormalizedParams
         if ($configuredProxySSL === '*') {
             $configuredProxySSL = trim($typo3ConfVars['SYS']['reverseProxyIP'] ?? '');
         }
+        $httpsParam = (string)($serverParams['HTTPS'] ?? '');
         if (GeneralUtility::cmpIP(trim($serverParams['REMOTE_ADDR'] ?? ''), $configuredProxySSL)
             || ($serverParams['SSL_SESSION_ID'] ?? '')
-            || strtolower($serverParams['HTTPS'] ?? '') === 'on'
-            || (string)($serverParams['HTTPS'] ?? '') === '1'
+            // https://secure.php.net/manual/en/reserved.variables.server.php
+            // "Set to a non-empty value if the script was queried through the HTTPS protocol."
+            || ($httpsParam !== '' && $httpsParam !== 'off' && $httpsParam !== '0')
         ) {
             $isHttps = true;
         }
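Review bot: The new comparison `$httpsParam !== 'off'` is case-sensitive, whereas the removed check lower-cased the value and the GeneralUtility.php hunk of this same commit still calls `strtolower()` before comparing with `'off'`. A server variable of `OFF` or `Off` would therefore be reported as HTTPS here but not by the GeneralUtility path. Callers that base secure-cookie or SSL-enforcement decisions on this flag would presumably then treat a plain-HTTP request as encrypted. Normalising once at the assignment keeps both paths aligned: `$httpsParam = strtolower((string)($serverParams['HTTPS'] ?? ''));`. The enclosing method starts and ends outside the hunk.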
index fc14c97..5e9a257 100644 (file)
@@ -2777,7 +2777,10 @@ class GeneralUtility
                 if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {
                     $retVal = true;
                 } else {
-                    $retVal = $_SERVER['SSL_SESSION_ID'] || strtolower($_SERVER['HTTPS']) === 'on' || (string)$_SERVER['HTTPS'] === '1';
+                    // https://secure.php.net/manual/en/reserved.variables.server.php
+                    // "Set to a non-empty value if the script was queried through the HTTPS protocol."
+                    $retVal = $_SERVER['SSL_SESSION_ID']
+                        || (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off');
                 }
                 break;
             case '_ARRAY':
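Review bot: The rewritten expression still reads `$_SERVER['SSL_SESSION_ID']` without an existence check, so a request that lacks the variable raises an undefined-index notice, while the NormalizedParams hunk guards the same key with `??`. `strtolower($_SERVER['HTTPS'])` also relies on implicit string coercion for non-string values. Mirroring the other hunk would make the two implementations read the same: `$httpsParam = strtolower((string)($_SERVER['HTTPS'] ?? ''));` followed by `$retVal = !empty($_SERVER['SSL_SESSION_ID']) || ($httpsParam !== '' && $httpsParam !== 'off' && $httpsParam !== '0');`. None of the tests added in this commit exercise this branch, and the surrounding switch continues outside the hunk.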
index 72e6e22..0e03547 100644 (file)
@@ -190,6 +190,32 @@ class NormalizedParamsTest extends UnitTestCase
                 [],
                 true,
             ],
+            'true if HTTPS is int(1)"' => [
+                [
+                    'HTTP_HOST' => 'www.domain.com',
+                    'HTTPS' => 1,
+                ],
+                [],
+                true,
+            ],
+            'true if HTTPS is bool(true)' => [
+                [
+                    'HTTP_HOST' => 'www.domain.com',
+                    'HTTPS' => true,
+                ],
+                [],
+                true,
+            ],
+            // https://secure.php.net/manual/en/reserved.variables.server.php
+            // "Set to a non-empty value if the script was queried through the HTTPS protocol."
+            'true if HTTPS is "somethingrandom"' => [
+                [
+                    'HTTP_HOST' => 'www.domain.com',
+                    'HTTPS' => 'somethingrandom',
+                ],
+                [],
+                true,
+            ],
             'false if HTTPS is "0"' => [
                 [
                     'HTTP_HOST' => 'www.domain.com',
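Review bot: The data set name `'true if HTTPS is int(1)"'` carries a stray double quote before the closing single quote; it should read `'true if HTTPS is int(1)'` so the name matches its neighbours in test output. The `'somethingrandom'` case pins the deliberately permissive reading of the PHP manual, so a short comment there could say that any non-empty value other than "off" or "0" is meant to count as HTTPS.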
@@ -198,6 +224,22 @@ class NormalizedParamsTest extends UnitTestCase
                 [],
                 false,
             ],
+            'false if HTTPS is int(0)' => [
+                [
+                    'HTTP_HOST' => 'www.domain.com',
+                    'HTTPS' => 0,
+                ],
+                [],
+                false,
+            ],
+            'false if HTTPS is float(0)' => [
+                [
+                    'HTTP_HOST' => 'www.domain.com',
+                    'HTTPS' => 0.0,
+                ],
+                [],
+                false,
+            ],
             'false if HTTPS is not on' => [
                 [
                     'HTTP_HOST' => 'www.domain.com',
@@ -214,6 +256,35 @@ class NormalizedParamsTest extends UnitTestCase
                 [],
                 false,
             ],
+            'false if HTTPS is null' => [
+                [
+                    'HTTP_HOST' => 'www.domain.com',
+                    'HTTPS' => null,
+                ],
+                [],
+                false,
+            ],
+            'false if HTTPS is bool(false)' => [
+                [
+                    'HTTP_HOST' => 'www.domain.com',
+                    'HTTPS' => false,
+                ],
+                [],
+                false,
+            ],
+            // Per PHP documententation 'HTTPS' is:
+            //   "Set to a non-empty value if the script
+            //   was queried through the HTTPS protocol."
+            // So theoretically an empty array means HTTPS is off.
+            // We do not support that. Therefore this test is disabled.
+            //'false if HTTPS is an empty Array' => [
+            //    [
+            //        'HTTP_HOST' => 'www.domain.com',
+            //        'HTTPS' => [],
+            //    ],
+            //    [],
+            //    false,
+            //],
             'true if ssl proxy IP matches REMOTE_ADDR' => [
                 [
                     'HTTP_HOST' => 'www.domain.com',
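Review bot: No data set in the added cases covers an upper- or mixed-case value such as `'HTTPS' => 'OFF'`, which is the input on which the new NormalizedParams check (case-sensitive `!== 'off'`) and the GeneralUtility check (`strtolower()` first) disagree; a `'false if HTTPS is "OFF"'` entry expecting `false` would pin the intended behaviour. The commented-out array case is described as unsupported, but with the `(string)` cast in NormalizedParams an array would stringify to `Array` and be reported as HTTPS, so the comment could state that outcome rather than only that the test is disabled. The comment also misspells "documentation" as "documententation".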