Merge pull request dokuwiki#4466 from dokuwiki/trustedproxies

Remove remaining uses of old proxy settings

Author: splitbrain

_test/tests/inc/Ip.test.php renamed to _test/tests/inc/IpTest.php

@@ -1,8 +1,11 @@
 <?php
 
+namespace dokuwiki\test;
+
+use dokuwiki\Input\Input;
 use dokuwiki\Ip;
 
-class ip_test extends DokuWikiTest {
+class IpTest extends \DokuWikiTest {
 
     /**
      * The data provider for ipToNumber() tests.
@@ -294,4 +297,141 @@ public function test_forwarded_for($config, string $header, string $remoteAddr,
 
         $this->assertSame($expected, $result);
     }
+
+    /**
+     * Data provider for test_is_ssl().
+     *
+     * @return mixed[][] Returns an array of test cases.
+     */
+    public function is_ssl_provider(): array
+    {
+        // The new default configuration value.
+        $default = ['::1', 'fe80::/10', '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];
+
+        $tests = [
+            // Running behind an SSL proxy, HTTP between server and proxy
+            // Proxy (REMOTE_ADDR) is matched by trustedproxies config
+            // HTTPS not set, HTTP_X_FORWARDED_PROTO set to https
+            [$default, '127.0.0.1', '', 'https', true],
+
+            // Running behind an SSL proxy, HTTP between server and proxy
+            // Proxy (REMOTE_ADDR) is not matched by trustedproxies config
+            // HTTPS not set, HTTP_X_FORWARDED_PROTO set to https
+            [[], '8.8.8.8', '', 'https', false],
+
+            // Running behind a plain HTTP proxy, HTTP between server and proxy
+            // HTTPS not set, HTTP_X_FORWARDED_PROTO set to http
+            [$default, '127.0.0.1', '', 'http', false],
+
+            // Running behind an SSL proxy, HTTP between server and proxy
+            // HTTPS set to off, HTTP_X_FORWARDED_PROTO set to https
+            [$default, '127.0.0.1', 'off', 'https', true],
+
+            // Not running behind a proxy, HTTPS server
+            // HTTPS set to on, HTTP_X_FORWARDED_PROTO not set
+            [[], '8.8.8.8', 'on', '', true],
+
+            // Not running behind a proxy, plain HTTP server
+            // HTTPS not set, HTTP_X_FORWARDED_PROTO not set
+            [[], '8.8.8.8', '', '', false],
+
+            // Not running behind a proxy, plain HTTP server
+            // HTTPS set to off, HTTP_X_FORWARDED_PROTO not set
+            [[], '8.8.8.8', 'off', '', false],
+
+            // Running behind an SSL proxy, SSL between proxy and HTTP server
+            // HTTPS set to on, HTTP_X_FORWARDED_PROTO set to https
+            [$default, '127.0.0.1', 'on', 'https', true],
+        ];
+
+        return $tests;
+    }
+
+    /**
+     * Test isSsl().
+     *
+     * @dataProvider is_ssl_provider
+     *
+     * @param string|string[] $config           The trustedproxies config value.
+     * @param string          $remoteAddr       The REMOTE_ADDR value.
+     * @param string          $https            The HTTPS value.
+     * @param string          $forwardedProto   The HTTP_X_FORWARDED_PROTO value.
+     * @param bool            $expected         The expected result from isSsl().
+     *
+     * @return void
+     */
+    public function test_is_ssl($config, string $remoteAddr, string $https, string $forwardedProto, bool $expected): void
+    {
+        /* @var Input $INPUT */
+        global $INPUT, $conf;
+
+        $conf['trustedproxies'] = $config;
+        $INPUT->server->set('REMOTE_ADDR', $remoteAddr);
+        $INPUT->server->set('HTTPS', $https);
+        $INPUT->server->set('HTTP_X_FORWARDED_PROTO', $forwardedProto);
+
+        $result = Ip::isSsl();
+
+        $this->assertSame($expected, $result);
+    }
+
+    /**
+     * Data provider for test_host_name().
+     *
+     * @return mixed[][] Returns an array of test cases.
+     */
+    public function host_name_provider(): array
+    {
+        // The new default configuration value.
+        $default = ['::1', 'fe80::/10', '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];
+
+        $tests = [
+            // X-Forwarded-Host with trusted proxy
+            [$default, '127.0.0.1', 'proxy.example.com', 'www.example.com', 'server.local', 'proxy.example.com'],
+
+            // X-Forwarded-Host with untrusted proxy (should fall back to HTTP_HOST)
+            [[], '8.8.8.8', 'proxy.example.com', 'www.example.com', 'server.local', 'www.example.com'],
+
+            // No X-Forwarded-Host, use HTTP_HOST
+            [$default, '127.0.0.1', '', 'www.example.com', 'server.local', 'www.example.com'],
+
+            // No X-Forwarded-Host or HTTP_HOST, use SERVER_NAME
+            [$default, '127.0.0.1', '', '', 'server.local', 'server.local'],
+
+            // No headers set, should fall back to system hostname
+            [$default, '127.0.0.1', '', '', '', php_uname('n')],
+        ];
+
+        return $tests;
+    }
+
+    /**
+     * Test hostName().
+     *
+     * @dataProvider host_name_provider
+     *
+     * @param string|string[] $config           The trustedproxies config value.
+     * @param string          $remoteAddr       The REMOTE_ADDR value.
+     * @param string          $forwardedHost    The HTTP_X_FORWARDED_HOST value.
+     * @param string          $httpHost         The HTTP_HOST value.
+     * @param string          $serverName       The SERVER_NAME value.
+     * @param string          $expected         The expected result from hostName().
+     *
+     * @return void
+     */
+    public function test_host_name($config, string $remoteAddr, string $forwardedHost, string $httpHost, string $serverName, string $expected): void
+    {
+        /* @var Input $INPUT */
+        global $INPUT, $conf;
+
+        $conf['trustedproxies'] = $config;
+        $INPUT->server->set('REMOTE_ADDR', $remoteAddr);
+        $INPUT->server->set('HTTP_X_FORWARDED_HOST', $forwardedHost);
+        $INPUT->server->set('HTTP_HOST', $httpHost);
+        $INPUT->server->set('SERVER_NAME', $serverName);
+
+        $result = Ip::hostName();
+
+        $this->assertSame($expected, $result);
+    }
 }

_test/tests/inc/init_checkssl.test.php

@@ -1,7 +1,7 @@
 <?php
 
 /**
- * DokuWiki IP address functions.
+ * DokuWiki IP address and reverse proxy functions.
  *
  * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
  * @author     Zebra North <[email protected]>
@@ -280,4 +280,53 @@ public static function clientIps(): array
 
         return $ips;
     }
+
+    /**
+     * Get the host name of the server.
+     *
+     * The host name is sourced from, in order of preference:
+     *
+     *   - The X-Forwarded-Host header if it exists and the proxies are trusted.
+     *   - The HTTP_HOST header.
+     *   - The SERVER_NAME header.
+     *   - The system's host name.
+     *
+     * @return string Returns the host name of the server.
+     */
+    public static function hostName(): string
+    {
+        /* @var Input $INPUT */
+        global $INPUT;
+
+        $remoteAddr = $INPUT->server->str('REMOTE_ADDR');
+        if ($INPUT->server->str('HTTP_X_FORWARDED_HOST') && self::proxyIsTrusted($remoteAddr)) {
+            return $INPUT->server->str('HTTP_X_FORWARDED_HOST');
+        } elseif ($INPUT->server->str('HTTP_HOST')) {
+            return $INPUT->server->str('HTTP_HOST');
+        } elseif ($INPUT->server->str('SERVER_NAME')) {
+            return $INPUT->server->str('SERVER_NAME');
+        } else {
+            return php_uname('n');
+        }
+    }
+
+    /**
+     * Is the connection using the HTTPS protocol?
+     *
+     * Will use the X-Forwarded-Proto header if it exists and the proxies are trusted, otherwise
+     * the HTTPS environment is used.
+     *
+     * @return bool
+     */
+    public static function isSsl(): bool
+    {
+        /* @var Input $INPUT */
+        global $INPUT;
+
+        $remoteAddr = $INPUT->server->str('REMOTE_ADDR');
+        if ($INPUT->server->has('HTTP_X_FORWARDED_PROTO') && self::proxyIsTrusted($remoteAddr)) {
+            return $INPUT->server->str('HTTP_X_FORWARDED_PROTO') === 'https';
+        }
+        return !preg_match('/^(|off|false|disabled)$/i', $INPUT->server->str('HTTPS', 'off'));
+    }
 }

inc/Ip.php

@@ -536,7 +536,7 @@ function auth_logoff($keepbc = false)
     setcookie(DOKU_COOKIE, '', [
         'expires' => time() - 600000,
         'path' => $cookieDir,
-        'secure' => ($conf['securecookie'] && is_ssl()),
+        'secure' => ($conf['securecookie'] && \dokuwiki\Ip::isSsl()),
         'httponly' => true,
         'samesite' => $conf['samesitecookie'] ?: null, // null means browser default
     ]);
@@ -1402,7 +1402,7 @@ function auth_setCookie($user, $pass, $sticky)
     setcookie(DOKU_COOKIE, $cookie, [
         'expires' => $time,
         'path' => $cookieDir,
-        'secure' => ($conf['securecookie'] && is_ssl()),
+        'secure' => ($conf['securecookie'] && \dokuwiki\Ip::isSsl()),
         'httponly' => true,
         'samesite' => $conf['samesitecookie'] ?: null, // null means browser default
     ]);

inc/auth.php

@@ -1957,7 +1957,7 @@ function set_doku_pref($pref, $val)
         setcookie('DOKU_PREFS', $cookieVal, [
             'expires' => time() + 365 * 24 * 3600,
             'path' => $cookieDir,
-            'secure' => ($conf['securecookie'] && is_ssl()),
+            'secure' => ($conf['securecookie'] && Ip::isSsl()),
             'samesite' => 'Lax'
         ]);
     }