mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 22:10:55 +01:00
Fix security.require-https
by marking redirect as external
Summary: Resolves T5937. HTTPS redirects caused by `security.require-https` use a full scheme, domain and port in the URI. Consequently, this causes invocation of the new external redirect logic and prevents redirection from occurring properly when accessing the HTTP version of Phabricator that has `security.require-https` turned on. I've also fixed the automatic slash redirection logic to add the external flag where appropriate. Test Plan: Configured SSL on my local machine and turned on `security.require-https`. Observed the "Refusing to redirect" exception on master, while the redirect completed successfully with this patch. Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: epriestley, Korvin Maniphest Tasks: T5937 Differential Revision: https://secure.phabricator.com/D10318
This commit is contained in:
parent
1ffa16aa6b
commit
a2a0f002f0
3 changed files with 15 additions and 5 deletions
|
@ -14,7 +14,7 @@ abstract class AphrontApplicationConfiguration {
|
|||
abstract public function getURIMap();
|
||||
abstract public function buildRequest();
|
||||
abstract public function build404Controller();
|
||||
abstract public function buildRedirectController($uri);
|
||||
abstract public function buildRedirectController($uri, $external);
|
||||
|
||||
final public function setRequest(AphrontRequest $request) {
|
||||
$this->request = $request;
|
||||
|
@ -96,7 +96,10 @@ abstract class AphrontApplicationConfiguration {
|
|||
$https_uri = $request->getRequestURI();
|
||||
$https_uri->setDomain($request->getHost());
|
||||
$https_uri->setProtocol('https');
|
||||
return $this->buildRedirectController($https_uri);
|
||||
|
||||
// In this scenario, we'll be redirecting to HTTPS using an absolute
|
||||
// URI, so we need to permit an external redirect.
|
||||
return $this->buildRedirectController($https_uri, true);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -188,7 +191,9 @@ abstract class AphrontApplicationConfiguration {
|
|||
|
||||
if ($controller && !$request->isHTTPPost()) {
|
||||
$slash_uri = $request->getRequestURI()->setPath($path.'/');
|
||||
return $this->buildRedirectController($slash_uri);
|
||||
|
||||
$external = strlen($request->getRequestURI()->getDomain());
|
||||
return $this->buildRedirectController($slash_uri, $external);
|
||||
}
|
||||
}
|
||||
return $this->build404Controller();
|
||||
|
|
|
@ -300,11 +300,12 @@ class AphrontDefaultApplicationConfiguration
|
|||
return array(new Phabricator404Controller($this->getRequest()), array());
|
||||
}
|
||||
|
||||
public function buildRedirectController($uri) {
|
||||
public function buildRedirectController($uri, $external) {
|
||||
return array(
|
||||
new PhabricatorRedirectController($this->getRequest()),
|
||||
array(
|
||||
'uri' => $uri,
|
||||
'external' => $external,
|
||||
));
|
||||
}
|
||||
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
final class PhabricatorRedirectController extends PhabricatorController {
|
||||
|
||||
private $uri;
|
||||
private $allowExternal;
|
||||
|
||||
public function shouldRequireLogin() {
|
||||
return false;
|
||||
|
@ -14,10 +15,13 @@ final class PhabricatorRedirectController extends PhabricatorController {
|
|||
|
||||
public function willProcessRequest(array $data) {
|
||||
$this->uri = $data['uri'];
|
||||
$this->allowExternal = idx($data, 'external', false);
|
||||
}
|
||||
|
||||
public function processRequest() {
|
||||
return id(new AphrontRedirectResponse())->setURI($this->uri);
|
||||
return id(new AphrontRedirectResponse())
|
||||
->setURI($this->uri)
|
||||
->setIsExternal($this->allowExternal);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue