Preserve nonstandard ports during 404 redirects which add "/" to the ends of URIs

Summary: Fixes T12058. When the user visits `/maniphest`, for example, we redirect to `/maniphest/`. Since this redirect is very low-level (at the Aphront level, below the Site level) we need to preserve the request Host rather than correct it to `PhabricatorEnv::getURI()` or similar -- the request may be hiting a different Site like a blog domain. Currently, we do not preserve the port. Instead, preserve the port if it is not a standard port for the protocol (80 for http, 443 for https). Test Plan: - Made a request with a missing slash and a normal port in my browser, got redirected normally. - Made a request with a missing slash and a nonstandard port, got redirected on the same port. ``` $ curl -H 'Host: local.phacility.com:123' -v http://local.phacility.com/diffusion * Trying 127.0.0.1... * Connected to local.phacility.com (127.0.0.1) port 80 (#0) > GET /diffusion HTTP/1.1 ... > < HTTP/1.1 302 Found ... < Location: http://local.phacility.com:123/diffusion/ ... ``` Reviewers: chad Reviewed By: chad Maniphest Tasks: T12058 Differential Revision: https://secure.phabricator.com/D17134
2024-12-19 03:50:54 +01:00 · 2017-01-03 09:50:16 -08:00 · 2017-01-03 09:50:16 -08:00 · c07ec8fee6
commit c07ec8fee6
parent 489587d607
1 changed files with 25 additions and 1 deletions
--- a/src/aphront/AphrontRequest.php
+++ b/src/aphront/AphrontRequest.php
@ -548,7 +548,31 @@ final class AphrontRequest extends Phobject {
  public function getAbsoluteRequestURI() {
    $uri = $this->getRequestURI();
    $uri->setDomain($this->getHost());
-    $uri->setProtocol($this->isHTTPS() ? 'https' : 'http');
+
+    if ($this->isHTTPS()) {
+      $protocol = 'https';
+    } else {
+      $protocol = 'http';
+    }
+
+    $uri->setProtocol($protocol);
+
+    // If the request used a nonstandard port, preserve it while building the
+    // absolute URI.
+
+    // First, get the default port for the request protocol.
+    $default_port = id(new PhutilURI($protocol.'://example.com/'))
+      ->getPortWithProtocolDefault();
+
+    // NOTE: See note in getHost() about malicious "Host" headers. This
+    // construction defuses some obscure potential attacks.
+    $port = id(new PhutilURI($protocol.'://'.$this->host))
+      ->getPort();
+
+    if (($port !== null) && ($port !== $default_port)) {
+      $uri->setPort($port);
+    }
+
    return $uri;
  }