ZF-9919: Wrong scheme set in Zend_View_Helper_ServerUrl constructor

Description

Hi

I'm reporting a bug in the Zend_View_Helper_ServerUrl constructor. During my work I found that I was on an SSL-encrypted page but found links which weren't using the https scheme. After clicking on these I wasn't on a secure page anymore (security risk, therefore critical).

These templates were calling serverUrl() which is a method of the Zend_View_Helper_ServerUrl class. So I found out that its constructor isn't setting the scheme properly because it doesn't parse $_SERVER properly. Currently it parses only $_SERVER['HTTPS'] to find out if the current page is SSL encrypted or not.

Ideally we should also parse $_SERVER['HTTP_SCHEME'] and $_SERVER['SERVER_PORT']; here is a temporary solution which works for me:

 
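    public function __construct()
    {
        // Treat the request as HTTPS if any of these $_SERVER indicators says so.
        if ((isset($_SERVER['HTTPS']) &&
                    (strcasecmp($_SERVER['HTTPS'], 'on') === 0 ||
                        $_SERVER['HTTPS'] === true)) ||

            // Set when the page has been redirected by nginx.
            (isset($_SERVER['HTTP_SCHEME']) &&
                (strcasecmp($_SERVER['HTTP_SCHEME'], 'https') === 0)) ||

            // Default HTTPS port.
            (isset($_SERVER['SERVER_PORT']) &&
                $_SERVER['SERVER_PORT'] == 443)) {

            $scheme = 'https';

        } else {
            $scheme = 'http';
        }

        $this->setScheme($scheme);
        // (the rest of the constructor is not shown)
    }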

$_SERVER['HTTP_SCHEME'] is used when pages have been redirected by nginx, so we can't ignore that. Many thanks for your attention and for fixing it.

Comments

Probably this isn't a bug. But can you give at least subclasses a chance to tell the constructor which indexes of $_SERVER it should parse for any indications that the current request is an SSL one?

Probably a protected method returning an array, by default array('HTTPS'), which could be overwritten in my subclass with array('HTTPS', 'HTTP_SCHEME').

Thanks!

Committed in r23370, merged to release 1.11 in r23371
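
The overridable list of `$_SERVER` indexes suggested in the comments, combined with the three checks from the description, as an added example (not Zend Framework code and not the reporter's patch). The class and method names are hypothetical and the `$_SERVER` arrays are constructed; because PHP fills `HTTP_*` entries from request headers, the subclass that honours `HTTP_SCHEME` is meant only for deployments where the front-end proxy sets that header itself.

```php
<?php
// Added example, not Zend Framework code. Class and method names are hypothetical.
class SchemeDetector
{
    // $_SERVER index => test for "this value means HTTPS". Default: HTTPS only.
    protected function indicators()
    {
        return array(
            'HTTPS' => function ($v) {
                return $v === true || (is_string($v) && strcasecmp($v, 'on') === 0);
            },
        );
    }

    public function detect(array $server)
    {
        foreach ($this->indicators() as $key => $meansHttps) {
            if (isset($server[$key]) && $meansHttps($server[$key])) {
                return 'https';
            }
        }
        return 'http';
    }
}

// Opt-in subclass for sites where the front-end proxy sets these values itself.
class ProxiedSchemeDetector extends SchemeDetector
{
    protected function indicators()
    {
        return parent::indicators() + array(
            'HTTP_SCHEME' => function ($v) { return is_string($v) && strcasecmp($v, 'https') === 0; },
            'SERVER_PORT' => function ($v) { return (int) $v === 443; },
        );
    }
}

// Constructed $_SERVER samples (not captured from a real server).
$samples = array(
    'HTTPS=on'             => array('HTTPS' => 'on', 'SERVER_PORT' => '443'),
    'HTTPS=off'            => array('HTTPS' => 'off', 'SERVER_PORT' => '80'),
    'HTTP_SCHEME only'     => array('HTTP_SCHEME' => 'https', 'SERVER_PORT' => '80'),
    'SERVER_PORT 443 only' => array('SERVER_PORT' => '443'),
);
$default = new SchemeDetector();
$proxied = new ProxiedSchemeDetector();
foreach ($samples as $label => $server) {
    printf("%-22s default=%-5s proxied=%s\n", $label, $default->detect($server), $proxied->detect($server));
}
```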