Gergő Tisza has uploaded a new change for review. https://gerrit.wikimedia.org/r/291002
Change subject: Do not redirect to HTTPS when it's not supported ...................................................................... Do not redirect to HTTPS when it's not supported Most URL generation happens via wfExpandUrl, which honors $wgServer (or whatever setting it is told to use): if it has an explicit protcol, that is always used; if it is a protocol-relative URL, the protocol is selected based on the parameters given to wfExpandUrl. One exception is MediaWiki::main() which always uses HTTPS if the relevant cookie or user option is set, even if the wiki does not support it. That can lead to annoying problems on Vagrant where it is not unusual to turn HTTPS support on and off: when that happens, the user can get locked out of the account. Prevent this by using wfExpandUrl to generate the redirect link. Change-Id: I06982a26cd808f2aaa26753cd3353ed82473d9e0 --- M includes/MediaWiki.php 1 file changed, 28 insertions(+), 25 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/02/291002/1 diff --git a/includes/MediaWiki.php b/includes/MediaWiki.php index ff469e4..5b1b40a 100644 --- a/includes/MediaWiki.php +++ b/includes/MediaWiki.php @@ -673,6 +673,7 @@ $trxProfiler->setExpectations( $trxLimits['GET'], __METHOD__ ); } + $url = $oldUrl = $request->getFullRequestURL(); // If the user has forceHTTPS set to true, or if the user // is in a group requiring HTTPS, or if they have the HTTPS // preference set, redirect them to HTTPS. @@ -693,35 +694,37 @@ ) ) ) { - $oldUrl = $request->getFullRequestURL(); - $redirUrl = preg_replace( '#^http://#', 'https://', $oldUrl ); - + $url = wfExpandUrl( preg_replace( '#^http://#', '//', $oldUrl ), PROTO_HTTPS ); // ATTENTION: This hook is likely to be removed soon due to overall design of the system. - if ( Hooks::run( 'BeforeHttpsRedirect', [ $this->context, &$redirUrl ] ) ) { - - if ( $request->wasPosted() ) { - // This is weird and we'd hope it almost never happens. This - // means that a POST came in via HTTP and policy requires us - // redirecting to HTTPS. It's likely such a request is going - // to fail due to post data being lost, but let's try anyway - // and just log the instance. - - // @todo FIXME: See if we could issue a 307 or 308 here, need - // to see how clients (automated & browser) behave when we do - wfDebugLog( 'RedirectedPosts', "Redirected from HTTP to HTTPS: $oldUrl" ); - } - // Setup dummy Title, otherwise OutputPage::redirect will fail - $title = Title::newFromText( 'REDIR', NS_MAIN ); - $this->context->setTitle( $title ); - $output = $this->context->getOutput(); - // Since we only do this redir to change proto, always send a vary header - $output->addVaryHeader( 'X-Forwarded-Proto' ); - $output->redirect( $redirUrl ); - $output->output(); - return; + if ( !Hooks::run( 'BeforeHttpsRedirect', [ $this->context, &$url ] ) ) { + // hook abort, bail out of redirect + $url = $oldUrl; } } + if ( $url !== $oldUrl ) { + if ( $request->wasPosted() ) { + // This is weird and we'd hope it almost never happens. This + // means that a POST came in via HTTP and policy requires us + // redirecting to HTTPS. It's likely such a request is going + // to fail due to post data being lost, but let's try anyway + // and just log the instance. + + // @todo FIXME: See if we could issue a 307 or 308 here, need + // to see how clients (automated & browser) behave when we do + wfDebugLog( 'RedirectedPosts', "Redirected from HTTP to HTTPS: $oldUrl" ); + } + // Setup dummy Title, otherwise OutputPage::redirect will fail + $title = Title::newFromText( 'REDIR', NS_MAIN ); + $this->context->setTitle( $title ); + $output = $this->context->getOutput(); + // Since we only do this redir to change proto, always send a vary header + $output->addVaryHeader( 'X-Forwarded-Proto' ); + $output->redirect( $url ); + $output->output(); + return; + } + if ( $this->config->get( 'UseFileCache' ) && $title->getNamespace() >= 0 ) { if ( HTMLFileCache::useFileCache( $this->context ) ) { // Try low-level file cache hit -- To view, visit https://gerrit.wikimedia.org/r/291002 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I06982a26cd808f2aaa26753cd3353ed82473d9e0 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Gergő Tisza <gti...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits