ZF-9919: Wrong scheme set in Zend_View_Helper_ServerUrl constructor
Description
Hi
I'm reporting a bug in the Zend_View_Helper_ServerUrl constructor. During my work I found that I was on an SSL-encrypted page but found links which weren't using the https scheme. After clicking on these I wasn't on a secure page anymore (security risk, therefore critical).
These templates were calling serverUrl(), which is a method of the Zend_View_Helper_ServerUrl class. So I found out that its constructor isn't setting the scheme properly because it doesn't parse $_SERVER properly. Currently it parses only $_SERVER['HTTPS'] to find out whether the current page is SSL encrypted or not.
Ideally we should also parse $_SERVER['HTTP_SCHEME'] and $_SERVER['SERVER_PORT']; here is a temporary solution which works for me:
public function __construct()
{
    // Treat the request as SSL if any of the three indicators is present
    if ((isset($_SERVER['HTTPS']) &&
         (strcasecmp($_SERVER['HTTPS'], 'on') === 0 ||
          $_SERVER['HTTPS'] === true)) ||
        (isset($_SERVER['HTTP_SCHEME']) &&
         (strcasecmp($_SERVER['HTTP_SCHEME'], 'https') === 0)) ||
        (isset($_SERVER['SERVER_PORT']) &&
         $_SERVER['SERVER_PORT'] == 443)) {
        $scheme = 'https';
    } else {
        $scheme = 'http';
    }
    $this->setScheme($scheme);
    // the rest of the constructor (host handling) is unchanged
}
$_SERVER['HTTP_SCHEME'] is used when pages have been redirected by nginx, so we can't ignore that. Many thanks for your attention and for fixing it.
Comments
Posted by Michael Heuberger (michael.heuberger) on 2010-06-01T16:47:53.000+0000
Probably this isn't a bug. But can you at least give subclasses a chance to tell the constructor which indexes of $_SERVER it should parse for any indication that the current request is an SSL one?
Probably a protected method returning an array, by default array('HTTPS'), which could be overridden in my subclass with array('HTTPS', 'HTTP_SCHEME').
Thanks!
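The three indicators from the report combined with the overridable index list Michael asks for, as an added example that is not part of the issue or of Zend Framework; the class and method names are hypothetical and the proxy address is constructed. It also adds the check a defender wants: HTTP_* entries in $_SERVER come from request headers, so HTTP_SCHEME is only honoured when the request arrived through a proxy we control.

```php
<?php
// Added example, not Zend Framework code; names and addresses are hypothetical.
class SchemeDetector
{
    private $trustedProxies; // addresses of reverse proxies we control
    public function __construct(array $trustedProxies = array())
    {
        $this->trustedProxies = $trustedProxies;
    }
    /** $_SERVER key => value that signals TLS; subclasses may widen this map. */
    protected function getSslIndicators()
    {
        return array('HTTPS' => 'on', 'SERVER_PORT' => '443');
    }
    public function detect(array $server)
    {
        $fromTrustedProxy = isset($server['REMOTE_ADDR'])
            && in_array($server['REMOTE_ADDR'], $this->trustedProxies, true);
        foreach ($this->getSslIndicators() as $key => $expected) {
            if (!isset($server[$key])) {
                continue;
            }
            // HTTP_* entries are copied from request headers, so any client can
            // send "Scheme: https"; trust them only behind a proxy that rewrites it.
            if (strncmp($key, 'HTTP_', 5) === 0 && !$fromTrustedProxy) {
                continue;
            }
            if (strcasecmp((string) $server[$key], $expected) === 0) {
                return 'https';
            }
        }
        return 'http';
    }
}
// Deployment behind nginx, which sets the Scheme header (the report's case).
class NginxSchemeDetector extends SchemeDetector
{
    protected function getSslIndicators()
    {
        return array('HTTPS' => 'on', 'HTTP_SCHEME' => 'https', 'SERVER_PORT' => '443');
    }
}
// Constructed requests: HTTPS=off on port 80, TLS terminated at the trusted
// proxy, the same header from an untrusted client, and a bare port 443.
$d = new NginxSchemeDetector(array('10.0.0.5'));
var_dump($d->detect(array('HTTPS' => 'off', 'SERVER_PORT' => '80')));
var_dump($d->detect(array('HTTP_SCHEME' => 'https', 'REMOTE_ADDR' => '10.0.0.5')));
var_dump($d->detect(array('HTTP_SCHEME' => 'https', 'REMOTE_ADDR' => '203.0.113.9')));
var_dump($d->detect(array('SERVER_PORT' => '443')));
```

Only the second and fourth requests are reported as https; the third is refused because the header did not come through the configured proxy.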
Posted by Ryan Mauger (bittarman) on 2010-11-18T12:51:14.000+0000
Committed in r23370, merged to release 1.11 in r23371