Allow for finding the request scheme via other methods if REQUEST_SCHEME doesn't exist.

Matt Schwager · Matt Schwager · commit c441e3dfb438 · 2015-05-08T11:23:57.000-04:00
diff --git a/libs/csrf/csrfprotector.php b/libs/csrf/csrfprotector.php
@@ -422,8 +422,19 @@ private static function logCSRFattack()
 		 */
 		private static function getCurrentUrl()
 		{
-			return $_SERVER['REQUEST_SCHEME'] .'://'
-				.$_SERVER['HTTP_HOST'] .$_SERVER['PHP_SELF'];
+			$request_scheme = 'https';
+
+			if (isset($_SERVER['REQUEST_SCHEME'])) {
+				$request_scheme = $_SERVER['REQUEST_SCHEME'];
+			} else {
+				if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') {
+					$request_scheme = 'https';
+				} else {
+					$request_scheme = 'http';
+				}
+			}
+
+			return $request_scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
 		}
 
 		/*
