[BUGFIX] Felogin: Ignore scheme in isInCurrentDomain 70/17170/10
authorJigal van Hemert <jigal@xs4all.nl>
Fri, 14 Dec 2012 21:30:18 +0000 (22:30 +0100)
committerBenjamin Mack <benni@typo3.org>
Sat, 31 Jan 2015 23:26:13 +0000 (00:26 +0100)
While determining whether the referrer is in the current domain, the
scheme part should be ignored. This makes it possible to serve the
login page over https and the rest of the site over http.

Change-Id: Ic411e3b18d22b96ae5e5a955d88d6270a05116a7
Resolves: #32618
Releases: master, 6.2
Reviewed-on: http://review.typo3.org/17170
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php
typo3/sysext/felogin/Tests/Unit/Controller/FrontendLoginControllerTest.php

index de99e2c..6943211 100644 (file)
@@ -15,6 +15,7 @@ namespace TYPO3\CMS\Felogin\Controller;
  */
 
 use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Core\Utility\StringUtility;
 
 /**
  * Plugin 'Website User Login' for the 'felogin' extension.
@@ -946,14 +947,17 @@ class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
        }
 
        /**
-        * Determines whether the URL is on the current host
-        * and belongs to the current TYPO3 installation.
+        * Determines whether the URL is on the current host and belongs to the
+        * current TYPO3 installation. The scheme part is ignored in the comparison.
         *
         * @param string $url URL to be checked
         * @return bool Whether the URL belongs to the current TYPO3 installation
         */
        protected function isInCurrentDomain($url) {
-               return GeneralUtility::isOnCurrentHost($url) && GeneralUtility::isFirstPartOfStr($url, GeneralUtility::getIndpEnv('TYPO3_SITE_URL'));
+               $urlWithoutSchema = preg_replace('#^https?://#', '', $url);
+               $siteUrlWithoutSchema = preg_replace('#^https?://#', '', GeneralUtility::getIndpEnv('TYPO3_SITE_URL'));
+               return StringUtility::beginsWith($urlWithoutSchema . '/', GeneralUtility::getIndpEnv('HTTP_HOST') . '/')
+                       && StringUtility::beginsWith($urlWithoutSchema, $siteUrlWithoutSchema);
        }
 
        /**
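Review bot: The trailing '/' appended to both sides of the first `StringUtility::beginsWith()` call is what turns a prefix test into an exact host match (it is the only thing that rejects hosts such as `example.com.evil.com` or `example.com@evil.com`), and nothing in the code says so; a why-comment such as `// append '/' so the host must match exactly rather than as a prefix` would keep a later cleanup from dropping it. The comparison is also case-sensitive while the scheme regex has no `i` modifier, so a referrer like `HTTP://Example.com/foo` on the same host is rejected; if that matters, `'#^https?://#i'` together with comparing `strtolower()`-ed values in the host check would fix it without weakening the test. Since `GeneralUtility::isOnCurrentHost()` was dropped, the guard is now only as trustworthy as the `HTTP_HOST` value `getIndpEnv()` returns, which cannot be verified from this hunk. A scheme-less input such as `example.com/foo` also passes unchanged, which the docblock could state explicitly.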
index afef70d..d3f3940 100644 (file)
@@ -373,4 +373,79 @@ class FrontendLoginControllerTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {
                $this->assertSame($expected, $this->accessibleFixture->_call('getPreserveGetVars'));
        }
 
+
+       /**************************************************
+        * Tests concerning isInLocalDomain
+        **************************************************/
+
+       /**
+        * Dataprovider for isInCurrentDomainIgnoresScheme
+        *
+        * @return array
+        */
+       public function isInCurrentDomainIgnoresSchemeDataProvider() {
+               return array(
+                       'url https, current host http' => array(
+                               'example.com', // HTTP_HOST
+                               '0', // HTTPS
+                               'https://example.com/foo.html' // URL
+                       ),
+                       'url http, current host https' => array(
+                               'example.com',
+                               '1',
+                               'http://example.com/foo.html'
+                       ),
+                       'url https, current host https' => array(
+                               'example.com',
+                               '1',
+                               'https://example.com/foo.html'
+                       ),
+                       'url http, current host http' => array(
+                               'example.com',
+                               '0',
+                               'http://example.com/foo.html'
+                       )
+               );
+       }
+
+       /**
+        * @test
+        * @dataProvider isInCurrentDomainIgnoresSchemeDataProvider
+        * @param string $host $_SERVER['HTTP_HOST']
+        * @param string $https $_SERVER['HTTPS']
+        * @param string $url The url to test
+        */
+       public function isInCurrentDomainIgnoresScheme($host, $https, $url) {
+               $_SERVER['HTTP_HOST'] = $host;
+               $_SERVER['HTTPS'] = $https;
+               $this->assertTrue($this->accessibleFixture->_call('isInCurrentDomain', $url));
+       }
+
+       /**
+        * @return array
+        */
+       public function isInCurrentDomainReturnsFalseIfDomainsAreDifferentDataProvider() {
+               return array(
+                       'simple difference' => array(
+                               'example.com', // HTTP_HOST
+                               'http://typo3.org/foo.html' // URL
+                       ),
+                       'subdomain different' => array(
+                               'example.com',
+                               'http://foo.example.com/bar.html'
+                       )
+               );
+       }
+
+       /**
+        * @test
+        * @dataProvider isInCurrentDomainReturnsFalseIfDomainsAreDifferentDataProvider
+        * @param string $host $_SERVER['HTTP_HOST']
+        * @param string $url The url to test
+        */
+       public function isInCurrentDomainReturnsFalseIfDomainsAreDifferent($host, $url) {
+               $_SERVER['HTTP_HOST'] = $host;
+               $this->assertFalse($this->accessibleFixture->_call('isInCurrentDomain', $url));
+       }
+
 }
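Review bot: The section header reads `Tests concerning isInLocalDomain` but every test below exercises `isInCurrentDomain`; the heading should name the method actually tested. The negative data provider covers a different domain and a subdomain, but not the host-prefix lookalikes the trailing '/' in `isInCurrentDomain()` exists to reject, e.g. `'host lookalike' => array('example.com', 'http://example.com.evil.com/foo.html')` and `'userinfo' => array('example.com', 'http://example.com@evil.com/foo.html')`; adding those pins the property the implementation relies on. Both tests assign `$_SERVER['HTTP_HOST']` and `$_SERVER['HTTPS']` without restoring them, which may leak into later tests unless a tearDown outside this hunk resets them; setUp/tearDown are not visible here.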