Enforce the https scheme in PackageUpdateServer
authorTim Düsterhus <duesterhus@woltlab.com>
Wed, 11 May 2022 14:11:35 +0000 (16:11 +0200)
committerTim Düsterhus <duesterhus@woltlab.com>
Wed, 11 May 2022 14:34:49 +0000 (16:34 +0200)
wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
wcfsetup/install/files/lib/system/package/PackageUpdateDispatcher.class.php

index 5bb6a1b8d3110525d8e2c29ba653ad309548fd3e..a74b2349b211e0db2ce0d9ccf4ce2d02471681f4 100644 (file)
@@ -2,9 +2,9 @@
 
 namespace wcf\data\package\update\server;
 
+use Laminas\Diactoros\Uri;
 use wcf\data\DatabaseObject;
 use wcf\system\cache\builder\PackageUpdateCacheBuilder;
-use wcf\system\io\RemoteFile;
 use wcf\system\Regex;
 use wcf\system\registry\RegistryHandler;
 use wcf\system\WCF;
@@ -244,23 +244,21 @@ class PackageUpdateServer extends DatabaseObject
     /**
      * Returns the list endpoint for package servers.
      *
-     * @param bool $forceHTTP
      * @return  string
      */
-    public function getListURL($forceHTTP = false)
+    public function getListURL()
     {
-        if ($this->apiVersion == '2.0') {
-            return $this->serverURL;
-        }
+        $url = new Uri($this->serverURL);
 
-        $serverURL = FileUtil::addTrailingSlash($this->serverURL) . 'list/' . WCF::getLanguage()->getFixedLanguageCode() . '.xml';
+        if ($url->getHost() !== 'localhost') {
+            $url = $url->withScheme('https');
+        }
 
-        $metaData = $this->getMetaData();
-        if ($forceHTTP || !RemoteFile::supportsSSL() || !$metaData['ssl']) {
-            return \preg_replace('~^https://~', 'http://', $serverURL);
+        if ($this->apiVersion == '2.0') {
+            return (string)$url;
         }
 
-        return \preg_replace('~^http://~', 'https://', $serverURL);
+        return FileUtil::addTrailingSlash((string)$url) . 'list/' . WCF::getLanguage()->getFixedLanguageCode() . '.xml';
     }
 
     /**
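Review bot: `new Uri($this->serverURL)` in getListURL() adds a failure mode the old string handling did not have: as far as I know Laminas Diactoros throws an InvalidArgumentException for a string it cannot parse or for a scheme other than http/https, and nothing in this hunk catches it. If serverURL is not validated when a server is stored, a single malformed row would abort the update check at this call, so that is worth confirming against the code that saves package servers. The docblock should also state the new contract, for example `Returns the list endpoint for package servers. The scheme is forced to https unless the host is exactly "localhost".` The exemption is an exact string match, so loopback addresses such as 127.0.0.1 are upgraded to https as well. Both points apply equally to getDownloadURL() in the next hunk.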
@@ -270,16 +268,13 @@ class PackageUpdateServer extends DatabaseObject
      */
     public function getDownloadURL()
     {
-        if ($this->apiVersion == '2.0') {
-            return $this->serverURL;
-        }
+        $url = new Uri($this->serverURL);
 
-        $metaData = $this->getMetaData();
-        if (!RemoteFile::supportsSSL() || !$metaData['ssl']) {
-            return \preg_replace('~^https://~', 'http://', $this->serverURL);
+        if ($url->getHost() !== 'localhost') {
+            $url = $url->withScheme('https');
         }
 
-        return \preg_replace('~^http://~', 'https://', $this->serverURL);
+        return (string)$url;
     }
 
     /**
@@ -293,22 +288,11 @@ class PackageUpdateServer extends DatabaseObject
     }
 
     /**
-     * Returns true if a request to this server would make use of a secure connection.
-     *
-     * @return  bool
+     * @deprecated 5.6 This method always returns true. Package servers must use TLS.
      */
     public function attemptSecureConnection()
     {
-        if ($this->apiVersion == '2.0') {
-            return false;
-        }
-
-        $metaData = $this->getMetaData();
-        if (RemoteFile::supportsSSL() && $metaData['ssl']) {
-            return true;
-        }
-
-        return false;
+        return true;
     }
 
     /**
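Review bot: attemptSecureConnection() now returns true unconditionally, but getListURL() and getDownloadURL() in this same commit leave the scheme untouched when the host is `localhost`, so for such a server the return value does not describe the request that is actually made. Any remaining caller that reads it as "this connection is encrypted" would be misled in that one case. Either mirror the exemption in the method or spell it out in the docblock, for example `@deprecated 5.6 Package servers must use TLS. Returns true even for the "localhost" exemption applied by getListURL() and getDownloadURL().` Keeping the `@return bool` line would also help consumers of the deprecated method until it is removed.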
index ed32ce6af875389cb9c6220ab5dce50fe55ebdb0..dfdf9ce9592111f52d56761bd2f64a4ade7dc0cc 100644 (file)
@@ -152,11 +152,6 @@ class PackageUpdateDispatcher extends SingletonFactory
             $settings['auth'] = $authData;
         }
 
-        $secureConnection = $updateServer->attemptSecureConnection();
-        if ($secureConnection) {
-            $settings['timeout'] = 5;
-        }
-
         $request = new HTTPRequest($updateServer->getListURL(), $settings);
 
         $requestedVersion = \wcf\getMinorVersion();