Explicitly trust `x-forwarded-proto` for Diactoros' ServerRequest
authorTim Düsterhus <duesterhus@woltlab.com>
Thu, 30 Jun 2022 08:49:42 +0000 (10:49 +0200)
committerTim Düsterhus <duesterhus@woltlab.com>
Thu, 30 Jun 2022 08:49:42 +0000 (10:49 +0200)
This is required to future-proof the Diactoros configuration to be consistent
with RouteHandler::secureConnection().

see https://github.com/laminas/laminas-diactoros/blob/c272a93fc716456599d26bf7cc3281ccb708dabf/docs/book/v2/forward-migration.md

wcfsetup/install/files/lib/system/request/RequestHandler.class.php

index 592b711f3e4ac440e6ca98f323bb2c1ab77ccd45..ee6711e5f66c5ec7bfd07e5a591c21d8c62742aa 100644 (file)
@@ -4,6 +4,7 @@ namespace wcf\system\request;
 
 use Laminas\Diactoros\Response\RedirectResponse;
 use Laminas\Diactoros\ServerRequestFactory;
+use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;
 use Laminas\HttpHandlerRunner\Emitter\SapiEmitter;
 use Psr\Http\Message\RequestInterface;
 use Psr\Http\Message\ResponseInterface;
@@ -72,7 +73,12 @@ final class RequestHandler extends SingletonFactory
                 }
             }
 
-            $psrRequest = ServerRequestFactory::fromGlobals();
+            $psrRequest = ServerRequestFactory::fromGlobals(
+                requestFilter: FilterUsingXForwardedHeaders::trustProxies(
+                    ['*'],
+                    [FilterUsingXForwardedHeaders::HEADER_PROTO]
+                )
+            );
 
             $builtRequest = $this->buildRequest($psrRequest, $application);
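Review bot: The `['*']` proxy list passed to `trustProxies()` accepts `X-Forwarded-Proto` from every remote address, so on any deployment reachable without a proxy that overwrites the header, the client chooses the scheme `$psrRequest` reports. Limiting the trusted headers to `HEADER_PROTO` keeps host and port out of reach. Even so, any later code that derives HTTPS enforcement, redirect targets or cookie security from the PSR-7 URI would inherit a client-controlled value. If the wildcard is deliberate to match `RouteHandler::secureConnection()`, as the description suggests, record that above the call, e.g. `// Trusts X-Forwarded-Proto from any peer to match RouteHandler::secureConnection(); the fronting proxy must overwrite this header.` The enclosing method starts and ends outside the hunk, so how the scheme is used downstream is not visible here.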