From 2aab2c8c84fb9d4aecf8b083002e691f468d9058 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Thu, 30 Jun 2022 10:49:42 +0200
Subject: [PATCH] Explicitly trust `x-forwarded-proto` for Diactoros' ServerRequest

This is required to future-proof the Diactoros configuration to be consistent with RouteHandler::secureConnection(). see https://github.com/laminas/laminas-diactoros/blob/c272a93fc716456599d26bf7cc3281ccb708dabf/docs/book/v2/forward-migration.md
---
 .../files/lib/system/request/RequestHandler.class.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
index 592b711f3e..ee6711e5f6 100644
--- a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
+++ b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
@@ -4,6 +4,7 @@ namespace wcf\system\request;
 use Laminas\Diactoros\Response\RedirectResponse;
 use Laminas\Diactoros\ServerRequestFactory;
+use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;
 use Laminas\HttpHandlerRunner\Emitter\SapiEmitter;
 use Psr\Http\Message\RequestInterface;
 use Psr\Http\Message\ResponseInterface;
@@ -72,7 +73,12 @@ final class RequestHandler extends SingletonFactory
 }
 }
- $psrRequest = ServerRequestFactory::fromGlobals();
+ $psrRequest = ServerRequestFactory::fromGlobals(
+ requestFilter: FilterUsingXForwardedHeaders::trustProxies(
+ ['*'],
+ [FilterUsingXForwardedHeaders::HEADER_PROTO]
+ )
+ );
 $builtRequest = $this->buildRequest($psrRequest, $application);
-- 
2.20.1
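Review bot: The `['*']` proxy list passed to `trustProxies()` in the second hunk makes Diactoros accept `x-forwarded-proto` from every peer, so wherever the application is reachable without a reverse proxy that overwrites the header, the client decides the scheme of the `$psrRequest` URI. The commit message says this mirrors RouteHandler::secureConnection(), which is not visible here, so the choice looks deliberate, but the call site itself gives no reason. I would add a comment above the call, for example `// Trusts x-forwarded-proto from any peer to stay consistent with RouteHandler::secureConnection(); host and port headers are deliberately not trusted.`, and note there that the fronting proxy is expected to overwrite the client-supplied value. The enclosing method begins and ends outside the hunk, so it is not visible whether secure-cookie flags or redirect targets are derived from the PSR request's scheme; that is worth confirming before relying on it.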