From 7554a87afcdbad71d7d8fed40d3fd1765f727fd5 Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Sat, 22 Jun 2024 14:43:04 +0200
Subject: [PATCH] Verify the HTTPS support within the system check
---
 .../files/acp/templates/systemCheck.tpl | 27 ++++++++++++++++++
 .../lib/acp/page/SystemCheckPage.class.php | 16 +++++++++++
 .../lib/system/request/RouteHandler.class.php | 28 +++++++++++++++++++
 wcfsetup/install/lang/de.xml | 3 ++
 wcfsetup/install/lang/en.xml | 3 ++
 5 files changed, 77 insertions(+)
diff --git a/wcfsetup/install/files/acp/templates/systemCheck.tpl b/wcfsetup/install/files/acp/templates/systemCheck.tpl
index 4d7e9bae99..eaab63407c 100644
--- a/wcfsetup/install/files/acp/templates/systemCheck.tpl
+++ b/wcfsetup/install/files/acp/templates/systemCheck.tpl
@@ -13,6 +13,17 @@

{lang}wcf.acp.systemCheck.result{/lang}

+ +
{lang}wcf.acp.systemCheck.web{/lang}
+
+ {if $results[status][web]} + {@$statusOk} {lang}wcf.acp.systemCheck.pass{/lang} + {else} + {@$statusInsufficient} {lang}wcf.acp.systemCheck.insufficient{/lang} + {/if} +
+ +
{lang}wcf.acp.systemCheck.php{/lang}
@@ -51,6 +62,22 @@
+
+

{lang}wcf.acp.systemCheck.web{/lang}

+ + +
{lang}wcf.acp.systemCheck.web.https{/lang}
+
+ {if $results[web][https]} + {@$statusOk} {lang}wcf.acp.systemCheck.pass{/lang} + {else} + {@$statusInsufficient} {lang}wcf.acp.systemCheck.notSupported{/lang} + {/if} + {lang}wcf.acp.systemCheck.web.https.description{/lang} +
+ +
+

{lang}wcf.acp.systemCheck.php{/lang}

diff --git a/wcfsetup/install/files/lib/acp/page/SystemCheckPage.class.php b/wcfsetup/install/files/lib/acp/page/SystemCheckPage.class.php
index 19278c61bd..450f2b8e0e 100644
--- a/wcfsetup/install/files/lib/acp/page/SystemCheckPage.class.php
+++ b/wcfsetup/install/files/lib/acp/page/SystemCheckPage.class.php
@@ -8,6 +8,7 @@ use wcf\system\database\util\PreparedStatementConditionBuilder;
 use wcf\system\Environment;
 use wcf\system\exception\SystemException;
 use wcf\system\registry\RegistryHandler;
+use wcf\system\request\RouteHandler;
 use wcf\system\WCF;
 use wcf\util\FileUtil;
@@ -150,10 +151,14 @@ class SystemCheckPage extends AbstractPage
 ],
 'x64' => false,
 ],
+ 'web' => [
+ 'https' => false,
+ ],
 'status' => [
 'directories' => false,
 'mysql' => false,
 'php' => false,
+ 'web' => false,
 ],
 ];
@@ -184,6 +189,7 @@ class SystemCheckPage extends AbstractPage
 $this->validatePhpVersion();
 $this->validatePhpGdSupport();
 $this->validateWritableDirectories();
+ $this->validateWebHttps();
 if (
 $this->results['status']['mysql']
@@ -449,4 +455,14 @@ class SystemCheckPage extends AbstractPage
 return true;
 }
+
+ /**
+ * @since 6.1
+ */
+ protected function validateWebHttps(): void
+ {
+ $this->results['web']['https'] = RouteHandler::secureContext();
+
+ $this->results['status']['web'] = $this->results['web']['https'];
+ }
 }
diff --git a/wcfsetup/install/files/lib/system/request/RouteHandler.class.php b/wcfsetup/install/files/lib/system/request/RouteHandler.class.php
index f4ba8ce197..adb6c970f3 100644
--- a/wcfsetup/install/files/lib/system/request/RouteHandler.class.php
+++ b/wcfsetup/install/files/lib/system/request/RouteHandler.class.php
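Review bot: The new `status.web` flag is written by `validateWebHttps()`, but nothing in the visible SystemCheckPage hunks reads it: the hunk at -184 stops at the first operand of `if ( $this->results['status']['mysql']` and adds no `web` operand, so a failed HTTPS check apparently leaves the overall system-check result unchanged. The rest of that condition lies outside the hunk, so this is inferred from the absence of added lines there. If the check is meant to be advisory, the docblock of `validateWebHttps()`, which carries only `@since 6.1`, should say so, for example `Records whether the request runs in a secure context; does not affect the overall result.`. If it is meant to block, the aggregate condition needs `&& $this->results['status']['web']`.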
@@ -263,6 +263,34 @@ final class RouteHandler extends SingletonFactory
 return self::$secure;
 }
+ /**
+ * Returns true if the current environment is treated as a secure context by
+ * browsers.
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure
+ * @since 6.1
+ */
+ public static function secureContext(): bool
+ {
+ static $secureContext = null;
+ if ($secureContext === null) {
+ $secureContext = self::secureConnection();
+
+ // The connection is considered as secure if it is encrypted with
+ // TLS, or if the target host is a local address.
+ if (!$secureContext) {
+ $host = $_SERVER['HTTP_HOST'];
+
+ // @see https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-let-localhost-be-localhost-02
+ if ($host === '127.0.0.1' || $host === 'localhost' || \str_ends_with($host, '.localhost')) {
+ $secureContext = true;
+ }
+ }
+ }
+
+ return $secureContext;
+ }
+
 /**
 * Returns HTTP protocol, either 'http://' or 'https://'.
 */
diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml
index 14e58e9993..c32ac3c706 100644
--- a/wcfsetup/install/lang/de.xml
+++ b/wcfsetup/install/lang/de.xml
@@ -2815,6 +2815,9 @@ Abschnitte dürfen nicht leer sein und nur folgende Zeichen enthalten: [a-z opcache_reset() und opcache_invalidate() zur Verfügung stehen, damit der Cache nach einer Aktualisierung des Programmcodes zuverlässig neu aufgebaut werden kann.]]> + + +
diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml
index 1e3c827129..220bf41552 100644
--- a/wcfsetup/install/lang/en.xml
+++ b/wcfsetup/install/lang/en.xml
@@ -2744,6 +2744,9 @@ If you have already bought the licenses for the listed apps, th opcache_reset() and opcache_invalidate() need to be available to be able to reliably reset the cache when the application code is updated.]]> + + +
-- 
2.20.1
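Review bot: In `secureContext()` the line `$host = $_SERVER['HTTP_HOST'];` takes the Host header unmodified, which weakens the local-address test that follows in three ways. The header carries the port when it is not the default, so `localhost:8080` and `127.0.0.1:8080` fail all three comparisons although browsers treat them as secure contexts; the key is absent outside a web request, which raises an undefined-index warning; and the value is chosen by the client, so a `true` result says nothing about whether the transport is encrypted. Normalising first, e.g. `$host = \strtolower(\preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST'] ?? ''));`, covers the first two. For the third, the docblock should state that the method mirrors the browser's secure-context rule and must not drive decisions such as cookie `Secure` flags or HTTPS enforcement, for which `secureConnection()` remains the check.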