Make test for HTTPS protocol compliant with PHP documentation

Prior to this, the protocol was considered to be HTTPS when isset($_SERVER['HTTPS']) is true, while PHP doc[1] states that HTTPS is "Set to a non-empty value if the script was queried through the HTTPS protocol" so the test should be !empty($_SERVER['HTTPS']) instead. This was causing issues with nginx 1.x with php5fastcgi as $_SERVER['HTTPS'] is set but empty, thus MantisBT redirects all http requests to https. The protocol check has been moved to a new function in http_api.php which is then called wherever it is needed. Note that there are several occurences of isset($_SERVER['HTTPS']) in the nusoap library; these have not been modified. Fixes #14333 [1] http://php.net/manual/en/reserved.variables.server.php
mantisbt · Jun 6, 2012 · f39ad8c · f39ad8c
1 parent f3420be
commit f39ad8c
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 16 deletions.
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
@@ -98,7 +98,7 @@
 	$t_protocol = 'http';
 	if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
 		$t_protocol= $_SERVER['HTTP_X_FORWARDED_PROTO'];
-	} else if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+	} else if ( !empty( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
 		$t_protocol = 'https';
 	}
 

diff --git a/core/gpc_api.php b/core/gpc_api.php
@@ -29,19 +29,21 @@
  * @uses config_api.php
  * @uses constant_inc.php
  * @uses error_api.php
+ * @uses http_api.php
  */
 
 require_api( 'config_api.php' );
 require_api( 'constant_inc.php' );
 require_api( 'error_api.php' );
+require_api( 'http_api.php' );
 
 /**
  * Determines (once-off) whether the client is accessing this script via a
  * secure connection. If they are, we want to use the Secure cookie flag to
  * prevent the cookie from being transmitted to other domains.
  * @global bool $g_cookie_secure_flag_enabled
  */
-$g_cookie_secure_flag_enabled = isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' );
+$g_cookie_secure_flag_enabled = http_is_protocol_https();
 
 /**
  * Determines (once-off) whether the version of PHP executing this script has

diff --git a/core/http_api.php b/core/http_api.php
@@ -29,6 +29,14 @@
 
 require_api( 'config_api.php' );
 
+/**
+ * Checks to see if script was queried through the HTTPS protocol
+ * @return boolean True if protocol is HTTPS
+ */
+function http_is_protocol_https() {
+	return !empty( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' );
+}
+
 /**
  * Check to see if the client is using Microsoft Internet Explorer so we can
  * enable quirks and hacky non-standards-compliant workarounds.
@@ -143,14 +151,14 @@ function http_security_headers() {
 		header( 'X-Frame-Options: DENY' );
 		$t_avatar_img_allow = '';
 		if ( config_get_global( 'show_avatar' ) ) {
-			if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+			if ( http_is_protocol_https() ) {
 				$t_avatar_img_allow = "; img-src 'self' https://secure.gravatar.com:443";
 			} else {
 				$t_avatar_img_allow = "; img-src 'self' http://www.gravatar.com:80";
 			}
 		}
 		header( "X-Content-Security-Policy: allow 'self';$t_avatar_img_allow; frame-ancestors 'none'" );
-		if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+		if ( http_is_protocol_https() ) {
 			header( 'Strict-Transport-Security: max-age=7776000' );
 		}
 	}

diff --git a/core/user_api.php b/core/user_api.php
@@ -814,15 +814,10 @@ function user_get_avatar( $p_user_id, $p_size = 80 ) {
 	} else {
 		$t_size = $p_size;
 
-		$t_use_ssl = false;
-		if( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
-			$t_use_ssl = true;
-		}
-
-		if( !$t_use_ssl ) {
-			$t_gravatar_domain = 'http://www.gravatar.com/';
-		} else {
+		if( http_is_protocol_https() ) {
 			$t_gravatar_domain = 'https://secure.gravatar.com/';
+		} else {
+			$t_gravatar_domain = 'http://www.gravatar.com/';
 		}
 
 		$t_avatar_url = $t_gravatar_domain . 'avatar/' . md5( $t_email ) . '?d=identicon&r=G&s=' . $t_size;

diff --git a/file_download.php b/file_download.php
@@ -141,7 +141,7 @@
 # attached files via HTTPS, we disable the "Pragma: no-cache"
 # command when IE is used over HTTPS.
 global $g_allow_file_cache;
-if ( ( isset( $_SERVER["HTTPS"] ) && ( "on" == utf8_strtolower( $_SERVER["HTTPS"] ) ) ) && is_browser_internet_explorer() ) {
+if ( http_is_protocol_https() && is_browser_internet_explorer() ) {
 	# Suppress "Pragma: no-cache" header.
 } else {
 	if ( !isset( $g_allow_file_cache ) ) {
@@ -182,7 +182,7 @@
 					$t_content_type = $t_file_info_type;
 				}
 			}
-			
+
 			if ( $t_content_type_override )
 				$t_content_type = $t_content_type_override;
 
@@ -211,7 +211,7 @@
 				$t_content_type = $t_file_info_type;
 			}
 		}
-		
+
 		if ( $t_content_type_override )
 			$t_content_type = $t_content_type_override;
 
@@ -226,7 +226,7 @@
 				$t_content_type = $t_file_info_type;
 			}
 		}
-		
+
 		if ( $t_content_type_override )
 			$t_content_type = $t_content_type_override;