Gergő Tisza has uploaded a new change for review.
https://gerrit.wikimedia.org/r/291002
Change subject: Do not redirect to HTTPS when it's not supported
......................................................................
Do not redirect to HTTPS when it's not supported
Most URL generation happens via wfExpandUrl, which honors $wgServer
(or whatever setting it is told to use): if it has an explicit
protcol, that is always used; if it is a protocol-relative URL,
the protocol is selected based on the parameters given to wfExpandUrl.
One exception is MediaWiki::main() which always uses HTTPS if the
relevant cookie or user option is set, even if the wiki does not
support it. That can lead to annoying problems on Vagrant where it
is not unusual to turn HTTPS support on and off: when that happens,
the user can get locked out of the account.
Prevent this by using wfExpandUrl to generate the redirect link.
Change-Id: I06982a26cd808f2aaa26753cd3353ed82473d9e0
---
M includes/MediaWiki.php
1 file changed, 28 insertions(+), 25 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core
refs/changes/02/291002/1
diff --git a/includes/MediaWiki.php b/includes/MediaWiki.php
index ff469e4..5b1b40a 100644
--- a/includes/MediaWiki.php
+++ b/includes/MediaWiki.php
@@ -673,6 +673,7 @@
$trxProfiler->setExpectations( $trxLimits['GET'],
__METHOD__ );
}
+ $url = $oldUrl = $request->getFullRequestURL();
// If the user has forceHTTPS set to true, or if the user
// is in a group requiring HTTPS, or if they have the HTTPS
// preference set, redirect them to HTTPS.
@@ -693,35 +694,37 @@
)
)
) {
- $oldUrl = $request->getFullRequestURL();
- $redirUrl = preg_replace( '#^http://#', 'https://',
$oldUrl );
-
+ $url = wfExpandUrl( preg_replace( '#^http://#', '//',
$oldUrl ), PROTO_HTTPS );
// ATTENTION: This hook is likely to be removed soon
due to overall design of the system.
- if ( Hooks::run( 'BeforeHttpsRedirect', [
$this->context, &$redirUrl ] ) ) {
-
- if ( $request->wasPosted() ) {
- // This is weird and we'd hope it
almost never happens. This
- // means that a POST came in via HTTP
and policy requires us
- // redirecting to HTTPS. It's likely
such a request is going
- // to fail due to post data being lost,
but let's try anyway
- // and just log the instance.
-
- // @todo FIXME: See if we could issue a
307 or 308 here, need
- // to see how clients (automated &
browser) behave when we do
- wfDebugLog( 'RedirectedPosts',
"Redirected from HTTP to HTTPS: $oldUrl" );
- }
- // Setup dummy Title, otherwise
OutputPage::redirect will fail
- $title = Title::newFromText( 'REDIR', NS_MAIN );
- $this->context->setTitle( $title );
- $output = $this->context->getOutput();
- // Since we only do this redir to change proto,
always send a vary header
- $output->addVaryHeader( 'X-Forwarded-Proto' );
- $output->redirect( $redirUrl );
- $output->output();
- return;
+ if ( !Hooks::run( 'BeforeHttpsRedirect', [
$this->context, &$url ] ) ) {
+ // hook abort, bail out of redirect
+ $url = $oldUrl;
}
}
+ if ( $url !== $oldUrl ) {
+ if ( $request->wasPosted() ) {
+ // This is weird and we'd hope it almost never
happens. This
+ // means that a POST came in via HTTP and
policy requires us
+ // redirecting to HTTPS. It's likely such a
request is going
+ // to fail due to post data being lost, but
let's try anyway
+ // and just log the instance.
+
+ // @todo FIXME: See if we could issue a 307 or
308 here, need
+ // to see how clients (automated & browser)
behave when we do
+ wfDebugLog( 'RedirectedPosts', "Redirected from
HTTP to HTTPS: $oldUrl" );
+ }
+ // Setup dummy Title, otherwise OutputPage::redirect
will fail
+ $title = Title::newFromText( 'REDIR', NS_MAIN );
+ $this->context->setTitle( $title );
+ $output = $this->context->getOutput();
+ // Since we only do this redir to change proto, always
send a vary header
+ $output->addVaryHeader( 'X-Forwarded-Proto' );
+ $output->redirect( $url );
+ $output->output();
+ return;
+ }
+
if ( $this->config->get( 'UseFileCache' ) &&
$title->getNamespace() >= 0 ) {
if ( HTMLFileCache::useFileCache( $this->context ) ) {
// Try low-level file cache hit
--
To view, visit https://gerrit.wikimedia.org/r/291002
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I06982a26cd808f2aaa26753cd3353ed82473d9e0
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Gergő Tisza <gti...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
