make sure we prefer forwarded proto header over regular header (#10081)

e2baedc4 · Thomas Steur · Matthieu Aubry · 7b7df744 · e2baedc4 · e2baedc4
--- a/core/Url.php
+++ b/core/Url.php
@@ -711,6 +711,10 @@ class Url
     */
    protected static function getCurrentSchemeFromRequestHeader()
    {
+        if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'http') {
+            return 'http';
+        }
+
        if ((isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] === true))
            || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
        ) {

--- a/tests/PHPUnit/Unit/UrlTest.php
+++ b/tests/PHPUnit/Unit/UrlTest.php
@@ -72,6 +72,43 @@ class UrlTest extends \PHPUnit_Framework_TestCase
        $this->assertEquals($test[4], Url::getCurrentHost(), $description);
    }

+    /**
+     * @dataProvider getProtocol
+     */
+    public function test_getCurrentScheme_ProtoHeaderShouldPrecedenceHttpsHeader($proto)
+    {
+        $_SERVER['HTTPS'] = 'on';
+        $_SERVER['HTTP_X_FORWARDED_PROTO'] = $proto;
+        $this->assertEquals($proto, Url::getCurrentScheme());
+
+        unset($_SERVER['HTTP_X_FORWARDED_PROTO']);
+        unset($_SERVER['HTTPS']);
+    }
+
+    /**
+     * @dataProvider getProtocol
+     */
+    public function test_getCurrentScheme_shouldDetectSecureFromHttpsHeader()
+    {
+        $_SERVER['HTTPS'] = 'on';
+        $this->assertEquals('https', Url::getCurrentScheme());
+
+        unset($_SERVER['HTTPS']);
+    }
+
+    /**
+     * @dataProvider getProtocol
+     */
+    public function test_getCurrentScheme_shouldBeHttpByDefault()
+    {
+        $this->assertEquals('http', Url::getCurrentScheme());
+    }
+
+    public function getProtocol()
+    {
+        return array(array('http'), array('https'));
+    }
+
    /**
     * Dataprovider for testIsLocalUrl
     */