Commit

fixed security issue in phunction_HTTP::Secure() where HTTP_X_FORWARDED_PROTO could bypass HTTPS
alixaxel committed Apr 14, 2012
1 parent 08721b6 commit 8583c91
Showing 2 changed files with 7 additions and 2 deletions.
2 changes: 1 addition & 1 deletion phunction.php
Expand Up @@ -4,7 +4,7 @@
* The MIT License
* http://creativecommons.org/licenses/MIT/
*
* phunction 2.5.2 (github.com/alixaxel/phunction/)
* phunction 2.5.3 (github.com/alixaxel/phunction/)
* Copyright (c) 2011 Alix Axel <alix.axel@gmail.com>
**/

7 changes: 6 additions & 1 deletion phunction/HTTP.php
Expand Up @@ -224,7 +224,12 @@ public static function Note($key, $value = null, $type = null)

public static function Secure()
{
return in_array(parent::Value($_SERVER, 'HTTP_X_FORWARDED_PROTO', parent::Value($_SERVER, 'HTTPS')), array(1, 'on', 'https'));
if ((in_array(parent::Value($_SERVER, 'HTTPS'), array(1, 'on')) === true) || (strcasecmp('https', parent::Value($_SERVER, 'HTTP_X_FORWARDED_PROTO')) === 0))
{
return true;
}

return false;
}

public static function Sleep($time = 1)
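Review bot: The new condition in Secure() still accepts `HTTP_X_FORWARDED_PROTO` from any request, so on a deployment that is reachable without a proxy that overwrites that header, a plain-HTTP request carrying `X-Forwarded-Proto: https` is still reported as secure. Consider honouring the header only when `$_SERVER['REMOTE_ADDR']` matches a configured trusted proxy (a setting this class would have to introduce) and relying on `HTTPS` alone otherwise. Two smaller points: `in_array(..., array(1, 'on'))` compares loosely and is case-sensitive, so lowercasing the value and using a strict match against `array('1', 'on')` would make the accepted values explicit; and the `if` / `return true` / `return false` sequence can be a single `return` of the boolean expression.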

0 comments on commit 8583c91