Redirect insecure requests to the frontend

WoltLab · Jun 22, 2024 · 169dd10 · 169dd10
1 parent 81689d8
commit 169dd10
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/wcfsetup/install/files/lib/http/middleware/CheckForTls.class.php b/wcfsetup/install/files/lib/http/middleware/CheckForTls.class.php
@@ -0,0 +1,46 @@
+<?php
+
+namespace wcf\http\middleware;
+
+use Laminas\Diactoros\Response\RedirectResponse;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use wcf\system\request\RequestHandler;
+use wcf\system\request\RouteHandler;
+use wcf\util\HeaderUtil;
+
+/**
+ * Checks if the request is for the frontend and originates from an insecure context.
+ *
+ * @author Alexander Ebert
+ * @copyright 2001-2024 WoltLab GmbH
+ * @license GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
+ * @since 6.1
+ */
+final class CheckForTls implements MiddlewareInterface
+{
+ #[\Override]
+ public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+ {
+ if (RequestHandler::getInstance()->isACPRequest()) {
+ return $handler->handle($request);
+ }
+
+ if (RouteHandler::secureContext()) {
+ return $handler->handle($request);
+ }
+
+ return $this->redirectToHttps($request);
+ }
+
+ private function redirectToHttps(ServerRequestInterface $request): ResponseInterface
+ {
+ $uri = $request->getUri()->withScheme('https');
+
+ return HeaderUtil::withNoCacheHeaders(
+ new RedirectResponse($uri)
+ );
+ }
+}
diff --git a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
@@ -20,6 +20,7 @@
 use wcf\http\middleware\CheckForForceLogin;
 use wcf\http\middleware\CheckForMultifactorRequirement;
 use wcf\http\middleware\CheckForOfflineMode;
+use wcf\http\middleware\CheckForTls;
 use wcf\http\middleware\CheckHttpMethod;
 use wcf\http\middleware\CheckSystemEnvironment;
 use wcf\http\middleware\CheckUserBan;
@@ -144,6 +145,7 @@ public function handle(string $application = 'wcf', bool $isACPRequest = false):
  new EnforceAcpAuthentication(),
  new CheckForEnterpriseNonOwnerAccess(),
  new CheckForExpiredAppEvaluation(),
+ new CheckForTls(),
  new CheckForOfflineMode(),
  new CheckForForceLogin(),
  new CheckForMultifactorRequirement(),