From: Tim Düsterhus Date: Thu, 30 Jun 2022 08:49:42 +0000 (+0200) Subject: Explicitly trust `x-forwarded-proto` for Diactoros' ServerRequest X-Git-Tag: 6.0.0_Alpha_1~1133^2~2 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=2aab2c8c84fb9d4aecf8b083002e691f468d9058;p=GitHub%2FWoltLab%2FWCF.git Explicitly trust `x-forwarded-proto` for Diactoros' ServerRequest This is required to future-proof the Diactoros configuration to be consistent with RouteHandler::secureConnection(). see https://github.com/laminas/laminas-diactoros/blob/c272a93fc716456599d26bf7cc3281ccb708dabf/docs/book/v2/forward-migration.md
---
diff --git a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
index 592b711f3e..ee6711e5f6 100644
--- a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
+++ b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
@@ -4,6 +4,7 @@ namespace wcf\system\request;
 use Laminas\Diactoros\Response\RedirectResponse;
 use Laminas\Diactoros\ServerRequestFactory;
+use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;
 use Laminas\HttpHandlerRunner\Emitter\SapiEmitter;
 use Psr\Http\Message\RequestInterface;
 use Psr\Http\Message\ResponseInterface;
@@ -72,7 +73,12 @@ final class RequestHandler extends SingletonFactory
 }
 }
- $psrRequest = ServerRequestFactory::fromGlobals();
+ $psrRequest = ServerRequestFactory::fromGlobals(
+ requestFilter: FilterUsingXForwardedHeaders::trustProxies(
+ ['*'],
+ [FilterUsingXForwardedHeaders::HEADER_PROTO]
+ )
+ );
 $builtRequest = $this->buildRequest($psrRequest, $application);
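Review bot: The `['*']` passed to `trustProxies()` in the new `fromGlobals()` call makes every remote address a trusted proxy, so the scheme on `$psrRequest`'s URI follows whatever `X-Forwarded-Proto` value arrives unless a front proxy overwrites the header. Restricting the trusted headers to `HEADER_PROTO` keeps the forwarded host and port out of the request, but the trade-off is not recorded at the call site. I would add a comment above the call, for example `// Trusts X-Forwarded-Proto from any peer to match RouteHandler::secureConnection(); the URI scheme is client-influenced unless the reverse proxy overwrites this header.` Where the deployment's proxy addresses are known, passing them as the first argument instead of `'*'` would narrow the trust. The enclosing method starts and ends outside the hunk.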