ZF-9919: Wrong scheme set in Zend_View_Helper_ServerUrl constructor

Issue Type: Bug Created: 2010-05-31T04:58:19.000+0000 Last Updated: 2010-11-20T09:21:26.000+0000 Status: Resolved Fix version(s): - 1.11.1 (30/Nov/10)

Reporter: Michael Heuberger (michael.heuberger) Assignee: Ryan Mauger (bittarman) Tags: - Zend_View

Related issues: Attachments:



I'm reporting a bug in the Zend_View_Helper_ServerUrl constructor. During my works I found that I was on a SSL-encrypted page but found links which weren't using the https scheme. After clicking on these I wasn't on a secure page anymore (security risk, therefore critical).

These templates were calling serverUrl() which is a method of the Zend_View_Helper_ServerUrl class. So I found out that its constructor isn't setting the scheme properly because it doesn't parse $_SERVER properly. Currently it parses only $_SERVER['HTTPS'] to find out if the current page is SSL encrypted or not.

Ideally we also should parse $_SERVER['HTTP_SCHEME'] and $_SERVER['SERVER_PORT'], here a temporary solution which works for me:

<pre class="highlight"> 
    public function __construct()
        if ((isset($_SERVER['HTTPS']) &&
                    (strcasecmp($_SERVER['HTTPS'], 'on') === 0 ||
                        $_SERVER['HTTPS'] === true)) ||

            (isset($_SERVER['HTTP_SCHEME']) &&
                (strcasecmp($_SERVER['HTTP_SCHEME'], 'https') === 0)) ||

            (isset($_SERVER['SERVER_PORT']) &&
                $_SERVER['SERVER_PORT'] == 443)) {

            $scheme = 'https';

        } else {
            $scheme = 'http';

$_SERVER['HTTP_SCHEME'] is used when pages have been redirected by nginx, so we can't ignore that. Many thanks for your attention and bugfixing it.


Posted by Michael Heuberger (michael.heuberger) on 2010-06-01T16:47:53.000+0000

Probably this isn't a bug. But can you give at least subclasses a chance to tell the constructor in which indexes of $_SERVER it should parse for any indications that the current request is a SSL one?

Probably a protected method returning an array, by default array('HTTPS') which could be overwritten in my subclass with array('HTTPS', 'HTTP_SCHEME')


Posted by Ryan Mauger (bittarman) on 2010-11-18T12:51:14.000+0000

Committed in r23370, merged to release 1.11 in r23371

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.