Make test for HTTPS protocol compliant with PHP documentation

dregad · dregad · commit 0af2d629510c · 2012-06-07T00:32:19.000+02:00
Prior to this, the protocol was considered to be HTTPS when isset($_SERVER['HTTPS']) is true, while PHP doc[1] states that HTTPS is "Set to a non-empty value if the script was queried through the HTTPS protocol" so the test should be !empty($_SERVER['HTTPS']) instead. This was causing issues with nginx 1.x with php5fastcgi as $_SERVER['HTTPS'] is set but empty, thus MantisBT redirects all http requests to https. The protocol check has been moved to a new function in http_api.php which is then called wherever it is needed. Note that there are several occurences of isset($_SERVER['HTTPS']) in the nusoap library; these have not been modified. Fixes #14333 [1] http://php.net/manual/en/reserved.variables.server.php
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
@@ -84,7 +84,7 @@
 		$t_protocol = 'http';
 		if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
 			$t_protocol= $_SERVER['HTTP_X_FORWARDED_PROTO'];
-		} else if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+		} else if ( !empty( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
 			$t_protocol = 'https';
 		}
 
diff --git a/core/gpc_api.php b/core/gpc_api.php
@@ -20,15 +20,19 @@
  * @copyright Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
  * @copyright Copyright (C) 2002 - 2012  MantisBT Team - mantisbt-dev@lists.sourceforge.net
  * @link http://www.mantisbt.org
+ *
+ * @uses http_api.php
  */
 
+require_once( 'http_api.php' );
+
 /**
  * Determines (once-off) whether the client is accessing this script via a
  * secure connection. If they are, we want to use the Secure cookie flag to
  * prevent the cookie from being transmitted to other domains.
  * @global bool $g_cookie_secure_flag_enabled
  */
-$g_cookie_secure_flag_enabled = isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' );
+$g_cookie_secure_flag_enabled = http_is_protocol_https();
 
 /**
  * Determines (once-off) whether the version of PHP executing this script has
diff --git a/core/http_api.php b/core/http_api.php
@@ -22,6 +22,14 @@
  * @link http://www.mantisbt.org
  */
 
+/**
+ * Checks to see if script was queried through the HTTPS protocol
+ * @return boolean True if protocol is HTTPS
+ */
+function http_is_protocol_https() {
+	return !empty( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' );
+}
+
 /**
  * Check to see if the client is using Microsoft Internet Explorer so we can
  * enable quirks and hacky non-standards-compliant workarounds.
@@ -128,7 +136,7 @@ function http_security_headers() {
 		header( 'X-Frame-Options: DENY' );
 		$t_avatar_img_allow = '';
 		if ( config_get_global( 'show_avatar' ) ) {
-			if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+			if ( http_is_protocol_https() ) {
 				$t_avatar_img_allow = "; img-src 'self' https://secure.gravatar.com:443";
 			} else {
 				$t_avatar_img_allow = "; img-src 'self' http://www.gravatar.com:80";
diff --git a/core/user_api.php b/core/user_api.php
@@ -20,15 +20,12 @@
  * @subpackage UserAPI
  * @copyright Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
  * @copyright Copyright (C) 2002 - 2012  MantisBT Team - mantisbt-dev@lists.sourceforge.net
+ *
+ * @uses email_api.php
+ * @uses ldap_api.php
  */
 
-/**
- * requires email_api
- */
 require_once( 'email_api.php' );
-/**
- * requires ldap_api
- */
 require_once( 'ldap_api.php' );
 
 # ===================================
@@ -803,15 +800,10 @@ function user_get_avatar( $p_user_id, $p_size = 80 ) {
 	} else {
 		$t_size = $p_size;
 
-		$t_use_ssl = false;
-		if( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
-			$t_use_ssl = true;
-		}
-
-		if( !$t_use_ssl ) {
-			$t_gravatar_domain = 'http://www.gravatar.com/';
-		} else {
+		if( http_is_protocol_https() ) {
 			$t_gravatar_domain = 'https://secure.gravatar.com/';
+		} else {
+			$t_gravatar_domain = 'http://www.gravatar.com/';
 		}
 
 		$t_avatar_url = $t_gravatar_domain . 'avatar/' . md5( $t_email ) . '?d=identicon&r=G&s=' . $t_size;
diff --git a/file_download.php b/file_download.php
@@ -119,7 +119,7 @@
 	# attached files via HTTPS, we disable the "Pragma: no-cache"
 	# command when IE is used over HTTPS.
 	global $g_allow_file_cache;
-	if ( ( isset( $_SERVER["HTTPS"] ) && ( "on" == utf8_strtolower( $_SERVER["HTTPS"] ) ) ) && is_browser_internet_explorer() ) {
+	if ( http_is_protocol_https() && is_browser_internet_explorer() ) {
 		# Suppress "Pragma: no-cache" header.
 	} else {
 		if ( !isset( $g_allow_file_cache ) ) {
@@ -143,7 +143,7 @@
 	$finfo = finfo_get_if_available();
 
 	$t_content_type = $v_file_type;
-	
+
 	$t_content_type_override = file_get_content_type_override ( $t_filename );
 
 	# dump file content to the connection.
@@ -159,7 +159,7 @@
 						$t_content_type = $t_file_info_type;
 					}
 				}
-				
+
 				if ( $t_content_type_override ) {
 					$t_content_type = $t_content_type_override;
 				}
@@ -184,7 +184,7 @@
 					$t_content_type = $t_file_info_type;
 				}
 			}
-			
+
 			if ( $t_content_type_override ) {
 				$t_content_type = $t_content_type_override;
 			}
@@ -200,7 +200,7 @@
 					$t_content_type = $t_file_info_type;
 				}
 			}
-			
+
 			if ( $t_content_type_override ) {
 				$t_content_type = $t_content_type_override;
 			}

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@`
`84`	`84`	`$t_protocol = 'http';`
`85`	`85`	`if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {`
`86`	`86`	`$t_protocol= $_SERVER['HTTP_X_FORWARDED_PROTO'];`
`87`		`- } else if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {`
	`87`	`+ } else if ( !empty( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {`
`88`	`88`	`$t_protocol = 'https';`
`89`	`89`	`}`
`90`	`90`
Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,7 @@`
`119`	`119`	`# attached files via HTTPS, we disable the "Pragma: no-cache"`
`120`	`120`	`# command when IE is used over HTTPS.`
`121`	`121`	`global $g_allow_file_cache;`
`122`		`- if ( ( isset( $_SERVER["HTTPS"] ) && ( "on" == utf8_strtolower( $_SERVER["HTTPS"] ) ) ) && is_browser_internet_explorer() ) {`
	`122`	`+ if ( http_is_protocol_https() && is_browser_internet_explorer() ) {`
`123`	`123`	`# Suppress "Pragma: no-cache" header.`
`124`	`124`	`} else {`
`125`	`125`	`if ( !isset( $g_allow_file_cache ) ) {`
`@@ -143,7 +143,7 @@`
`143`	`143`	`$finfo = finfo_get_if_available();`
`144`	`144`
`145`	`145`	`$t_content_type = $v_file_type;`
`146`		`-`
	`146`	`+`
`147`	`147`	`$t_content_type_override = file_get_content_type_override ( $t_filename );`
`148`	`148`
`149`	`149`	`# dump file content to the connection.`
`@@ -159,7 +159,7 @@`
`159`	`159`	`$t_content_type = $t_file_info_type;`
`160`	`160`	`}`
`161`	`161`	`}`
`162`		`-`
	`162`	`+`
`163`	`163`	`if ( $t_content_type_override ) {`
`164`	`164`	`$t_content_type = $t_content_type_override;`
`165`	`165`	`}`
`@@ -184,7 +184,7 @@`
`184`	`184`	`$t_content_type = $t_file_info_type;`
`185`	`185`	`}`
`186`	`186`	`}`
`187`		`-`
	`187`	`+`
`188`	`188`	`if ( $t_content_type_override ) {`
`189`	`189`	`$t_content_type = $t_content_type_override;`
`190`	`190`	`}`
`@@ -200,7 +200,7 @@`
`200`	`200`	`$t_content_type = $t_file_info_type;`
`201`	`201`	`}`
`202`	`202`	`}`
`203`		`-`
	`203`	`+`
`204`	`204`	`if ( $t_content_type_override ) {`
`205`	`205`	`$t_content_type = $t_content_type_override;`
`206`	`206`	`}`