From 90ce3d03835ce5d84d715f3dca5ef4d6b6223983 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Wed, 11 May 2022 16:11:35 +0200
Subject: [PATCH] Enforce the https scheme in PackageUpdateServer
---
 .../server/PackageUpdateServer.class.php | 46 ++++++-------------
 .../package/PackageUpdateDispatcher.class.php | 5 --
 2 files changed, 15 insertions(+), 36 deletions(-)
diff --git a/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php b/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
index 5bb6a1b8d3..a74b2349b2 100644
--- a/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
+++ b/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
@@ -2,9 +2,9 @@
 namespace wcf\data\package\update\server;
+use Laminas\Diactoros\Uri;
 use wcf\data\DatabaseObject;
 use wcf\system\cache\builder\PackageUpdateCacheBuilder;
-use wcf\system\io\RemoteFile;
 use wcf\system\Regex;
 use wcf\system\registry\RegistryHandler;
 use wcf\system\WCF;
@@ -244,23 +244,21 @@ class PackageUpdateServer extends DatabaseObject
 /**
 * Returns the list endpoint for package servers.
 *
- * @param bool $forceHTTP
 * @return string
 */
- public function getListURL($forceHTTP = false)
+ public function getListURL()
 {
- if ($this->apiVersion == '2.0') {
- return $this->serverURL;
- }
+ $url = new Uri($this->serverURL);
- $serverURL = FileUtil::addTrailingSlash($this->serverURL) . 'list/' . WCF::getLanguage()->getFixedLanguageCode() . '.xml';
+ if ($url->getHost() !== 'localhost') {
+ $url = $url->withScheme('https');
+ }
- $metaData = $this->getMetaData();
- if ($forceHTTP || !RemoteFile::supportsSSL() || !$metaData['ssl']) {
- return \preg_replace('~^https://~', 'http://', $serverURL);
+ if ($this->apiVersion == '2.0') {
+ return (string)$url;
 }
- return \preg_replace('~^http://~', 'https://', $serverURL);
+ return FileUtil::addTrailingSlash((string)$url) . 'list/' . WCF::getLanguage()->getFixedLanguageCode() . '.xml';
 }
 /**
@@ -270,16 +268,13 @@ class PackageUpdateServer extends DatabaseObject
 */
 public function getDownloadURL()
 {
- if ($this->apiVersion == '2.0') {
- return $this->serverURL;
- }
+ $url = new Uri($this->serverURL);
- $metaData = $this->getMetaData();
- if (!RemoteFile::supportsSSL() || !$metaData['ssl']) {
- return \preg_replace('~^https://~', 'http://', $this->serverURL);
+ if ($url->getHost() !== 'localhost') {
+ $url = $url->withScheme('https');
 }
- return \preg_replace('~^http://~', 'https://', $this->serverURL);
+ return (string)$url;
 }
 /**
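Review bot: `new Uri($this->serverURL)` in getListURL() adds a failure mode the old string replacement did not have: as far as I know, the Laminas Diactoros `Uri` constructor throws an `InvalidArgumentException` for a string it cannot parse or whose scheme is not http/https, so a single malformed stored `serverURL` could now abort the list request with an exception. The same construction is added to getDownloadURL() in the next hunk. Either validate the URL when the server record is saved, or document the behaviour on both methods with `@throws \InvalidArgumentException if serverURL is not a valid http(s) URL`. Whether the callers already catch this is not visible in the patch.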
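Review bot: The scheme upgrade in getDownloadURL() is a verbatim copy of the one added to getListURL(); moving it into one private helper that returns the `Uri` would keep the `localhost` exemption in a single place, so a later change to the exemption cannot leave one of the two URLs on plain http. That helper is also where the exemption should be explained, e.g. `// http is kept only for the literal host "localhost"; every other host is forced to https`. Separately, `withScheme()` keeps an explicit port, so a stored `http://host:80/` would presumably become `https://host:80/` and fail to connect rather than downgrade; that fails closed but is worth a comment or a port reset.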
@@ -293,22 +288,11 @@ class PackageUpdateServer extends DatabaseObject
 }
 /**
- * Returns true if a request to this server would make use of a secure connection.
- *
- * @return bool
+ * @deprecated 5.6 This method always returns true. Package servers must use TLS.
 */
 public function attemptSecureConnection()
 {
- if ($this->apiVersion == '2.0') {
- return false;
- }
- $metaData = $this->getMetaData();
- if (RemoteFile::supportsSSL() && $metaData['ssl']) {
- return true;
- }
- return false;
+ return true;
 }
 /**
diff --git a/wcfsetup/install/files/lib/system/package/PackageUpdateDispatcher.class.php b/wcfsetup/install/files/lib/system/package/PackageUpdateDispatcher.class.php
index ed32ce6af8..dfdf9ce959 100644
--- a/wcfsetup/install/files/lib/system/package/PackageUpdateDispatcher.class.php
+++ b/wcfsetup/install/files/lib/system/package/PackageUpdateDispatcher.class.php
@@ -152,11 +152,6 @@ class PackageUpdateDispatcher extends SingletonFactory
 $settings['auth'] = $authData;
 }
- $secureConnection = $updateServer->attemptSecureConnection();
- if ($secureConnection) {
- $settings['timeout'] = 5;
- }
 $request = new HTTPRequest($updateServer->getListURL(), $settings);
 $requestedVersion = \wcf\getMinorVersion();
--
2.20.1
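Review bot: The new `@deprecated` text on attemptSecureConnection() says the method always returns true because package servers must use TLS, but getListURL() and getDownloadURL() in this same patch leave the stored scheme untouched when the host is `localhost`, so for an `http://localhost` server this returns true while the request goes out in plain text. Any remaining caller that reads the result as "this connection is encrypted" would be misled. I would keep `@return bool` and add a docblock line such as `* The return value is not a guarantee of TLS: a server on the literal host "localhost" keeps its configured scheme.`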