From: Alexander Ebert Date: Sat, 22 Jun 2024 17:23:51 +0000 (+0200) Subject: Redirect insecure requests to the frontend X-Git-Tag: 6.1.0_Alpha_1~48^2~2 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=169dd10019c606d60d5a0a771881b9872f693d04;p=GitHub%2FWoltLab%2FWCF.git Redirect insecure requests to the frontend
---
diff --git a/wcfsetup/install/files/lib/http/middleware/CheckForTls.class.php b/wcfsetup/install/files/lib/http/middleware/CheckForTls.class.php
new file mode 100644
index 0000000000..8fc785dfa4
--- /dev/null
+++ b/wcfsetup/install/files/lib/http/middleware/CheckForTls.class.php
@@ -0,0 +1,46 @@
+
+ * @since 6.1
+ */
+final class CheckForTls implements MiddlewareInterface
+{
+ #[\Override]
+ public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+ {
+ if (RequestHandler::getInstance()->isACPRequest()) {
+ return $handler->handle($request);
+ }
+
+ if (RouteHandler::secureContext()) {
+ return $handler->handle($request);
+ }
+
+ return $this->redirectToHttps($request);
+ }
+
+ private function redirectToHttps(ServerRequestInterface $request): ResponseInterface
+ {
+ $uri = $request->getUri()->withScheme('https');
+
+ return HeaderUtil::withNoCacheHeaders(
+ new RedirectResponse($uri)
+ );
+ }
+}
diff --git a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
index 6ce5f4261f..b4c06bf17c 100644
--- a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
+++ b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
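Review bot: In CheckForTls.class.php, `redirectToHttps()` derives the `Location` target from `$request->getUri()` and changes only the scheme, so the host and any explicit port are taken over from the plain-HTTP request as received. If no earlier middleware restricts requests to the hosts this installation serves (nothing in this diff shows one), the target should be built from the configured application host instead, and an explicit HTTP port should be dropped or remapped, for example `$uri = $request->getUri()->withScheme('https')->withPort(null);` where HTTPS runs on the default port. The unconditional pass-through for `isACPRequest()` at the top of `process()` needs a short comment stating why the admin panel is exempt and where insecure ACP access is handled, because an unexplained TLS exemption for the most privileged area reads like an oversight. The class docblock is truncated on this page, so some of this may already be documented there.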
@@ -20,6 +20,7 @@ use wcf\http\middleware\CheckForExpiredAppEvaluation;
 use wcf\http\middleware\CheckForForceLogin;
 use wcf\http\middleware\CheckForMultifactorRequirement;
 use wcf\http\middleware\CheckForOfflineMode;
+use wcf\http\middleware\CheckForTls;
 use wcf\http\middleware\CheckHttpMethod;
 use wcf\http\middleware\CheckSystemEnvironment;
 use wcf\http\middleware\CheckUserBan;
@@ -144,6 +145,7 @@ final class RequestHandler extends SingletonFactory
 new EnforceAcpAuthentication(),
 new CheckForEnterpriseNonOwnerAccess(),
 new CheckForExpiredAppEvaluation(),
+ new CheckForTls(),
 new CheckForOfflineMode(),
 new CheckForForceLogin(),
 new CheckForMultifactorRequirement(),
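Review bot: In the second RequestHandler hunk (`@@ -144,6 +145,7 @@`), `new CheckForTls()` is registered without a comment explaining its position, although the position is what makes it effective. It runs before `CheckForOfflineMode`, `CheckForForceLogin` and `CheckForMultifactorRequirement`, so those never answer a plain-HTTP frontend request, but after `EnforceAcpAuthentication` and everything registered earlier in the array. I would add `// Must run before any frontend middleware that renders or redirects to a login or offline page.` above the entry, and confirm that nothing earlier in the list sets cookies or emits content for an insecure frontend request. The middleware array starts and ends outside the hunk, so the earlier entries are not visible here.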