Commit 2784f488 authored by alexpott's avatar alexpott

Issue #1960344 by ParisLiakos, kid_icarus: Replace $is_https() global with Request::isSecure().

parent 620d4979
......@@ -15,7 +15,7 @@
* @ingroup forms
*/
function authorize_filetransfer_form($form, &$form_state) {
global $base_url, $is_https;
global $base_url;
$form = array();
// If possible, we want to post this form securely via HTTPS.
......@@ -28,7 +28,7 @@ function authorize_filetransfer_form($form, &$form_state) {
}
$available_backends = $_SESSION['authorize_filetransfer_info'];
if (!$is_https) {
if (!Drupal::request()->isSecure()) {
$form['information']['https_warning'] = array(
'#prefix' => '<div class="messages error">',
'#markup' => t('WARNING: You are not using an encrypted connection, so your password will be sent in plain text. <a href="@https-link">Learn more</a>.', array('@https-link' => 'http://drupal.org/https-information')),
......
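Review bot: The `https_warning` condition now depends on `Drupal::request()->isSecure()`, and nothing in this section documents what that method treats as secure. As far as I know, Symfony's `Request::isSecure()` can take the scheme from a forwarded-protocol header when trusted proxies are configured, so whether the plain-text password warning appears would then depend on proxy configuration as well as the server's own `HTTPS` value. The same applies to the `ssid`/`sid` decisions in the session functions and to the scheme chosen in `language_url_rewrite_url()` later in this commit. I would add a comment above the check such as `// isSecure() may honour a forwarded-proto header from a trusted proxy; the warning is only as accurate as that configuration.` The function body continues outside both hunks.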
......@@ -733,7 +733,7 @@ function drupal_settings_initialize() {
global $base_url, $base_path, $base_root, $script_path;
// Export these settings.php variables to the global namespace.
global $databases, $cookie_domain, $conf, $db_prefix, $drupal_hash_salt, $is_https, $base_secure_url, $base_insecure_url, $config_directories;
global $databases, $cookie_domain, $conf, $db_prefix, $drupal_hash_salt, $base_secure_url, $base_insecure_url, $config_directories;
$conf = array();
// Make conf_path() available as local variable in settings.php.
......
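Review bot: Dropping `$is_https` from the `global` list in `drupal_settings_initialize()` leaves no visible guard for code that still reads the global. PHP gives an undeclared global the value NULL without raising an error, so any remaining `global $is_https;` reader would quietly behave as if the request were plain HTTP, which matters wherever the flag selects a secure cookie or a session column. Whether such readers remain is not visible from this page; a repository-wide search for `$is_https` and `$GLOBALS['is_https']`, plus a change notice for contributed code, would cover it. Any assignment to `$is_https` that remains further down this function, outside the hunk, would now write a local that nothing uses.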
......@@ -68,7 +68,7 @@ function _drupal_session_close() {
* The user's session, or an empty string if no session exists.
*/
function _drupal_session_read($sid) {
global $user, $is_https;
global $user;
// Write and Close handlers are called after destructing objects
// since PHP 5.0.5.
......@@ -88,7 +88,7 @@ function _drupal_session_read($sid) {
// client's session in the database. If it's HTTPS then we are either have
// a HTTPS session or we are about to log in so we check the sessions table
// for an anonymous session with the non-HTTPS-only cookie.
if ($is_https) {
if (Drupal::request()->isSecure()) {
$user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.ssid = :ssid", array(':ssid' => $sid))->fetchObject();
if (!$user) {
if (isset($_COOKIE[$insecure_session_name])) {
......@@ -153,7 +153,7 @@ function _drupal_session_read($sid) {
* Always returns TRUE.
*/
function _drupal_session_write($sid, $value) {
global $user, $is_https;
global $user;
// The exception handler is not active at this point, so we need to do it
// manually.
......@@ -183,7 +183,7 @@ function _drupal_session_write($sid, $value) {
// default.
$key = array('sid' => $sid, 'ssid' => '');
// On HTTPS connections, use the session ID as both 'sid' and 'ssid'.
if ($is_https) {
if (Drupal::request()->isSecure()) {
$key['ssid'] = $sid;
// The "secure pages" setting allows a site to simultaneously use both
// secure and insecure session cookies. If enabled and both cookies are
......@@ -233,10 +233,11 @@ function _drupal_session_write($sid, $value) {
* Initializes the session handler, starting a session if needed.
*/
function drupal_session_initialize() {
global $user, $is_https;
global $user;
session_set_save_handler('_drupal_session_open', '_drupal_session_close', '_drupal_session_read', '_drupal_session_write', '_drupal_session_destroy', '_drupal_session_garbage_collection');
$is_https = Drupal::request()->isSecure();
// We use !empty() in the following check to ensure that blank session IDs
// are not valid.
if (!empty($_COOKIE[session_name()]) || ($is_https && settings()->get('mixed_mode_sessions', FALSE) && !empty($_COOKIE[substr(session_name(), 1)]))) {
......@@ -296,7 +297,7 @@ function drupal_session_start() {
* If an anonymous user already have an empty session, destroy it.
*/
function drupal_session_commit() {
global $user, $is_https;
global $user;
if (!drupal_save_session()) {
// We don't have anything to do if we are not allowed to save the session.
......@@ -315,7 +316,7 @@ function drupal_session_commit() {
// started.
if (!drupal_session_started()) {
drupal_session_start();
if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) {
if (Drupal::request()->isSecure() && settings()->get('mixed_mode_sessions', FALSE)) {
$insecure_session_name = substr(session_name(), 1);
$params = session_get_cookie_params();
$expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
......@@ -344,13 +345,15 @@ function drupal_session_started($set = NULL) {
* @ingroup php_wrappers
*/
function drupal_session_regenerate() {
global $user, $is_https;
global $user;
// Nothing to do if we are not allowed to change the session.
if (!drupal_save_session()) {
return;
}
$is_https = Drupal::request()->isSecure();
if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) {
$insecure_session_name = substr(session_name(), 1);
if (!isset($GLOBALS['lazy_session']) && isset($_COOKIE[$insecure_session_name])) {
......@@ -418,13 +421,14 @@ function drupal_session_regenerate() {
* Session ID.
*/
function _drupal_session_destroy($sid) {
global $user, $is_https;
global $user;
// Nothing to do if we are not allowed to change the session.
if (!drupal_save_session()) {
return;
}
$is_https = Drupal::request()->isSecure();
// Delete session data.
db_delete('sessions')
->condition($is_https ? 'ssid' : 'sid', $sid)
......@@ -454,8 +458,7 @@ function _drupal_session_destroy($sid) {
* Force the secure value of the cookie.
*/
function _drupal_session_delete_cookie($name, $secure = NULL) {
global $is_https;
if (isset($_COOKIE[$name]) || (!$is_https && $secure === TRUE)) {
if (isset($_COOKIE[$name]) || (!Drupal::request()->isSecure() && $secure === TRUE)) {
$params = session_get_cookie_params();
if ($secure !== NULL) {
$params['secure'] = $secure;
......
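Review bot: `_drupal_session_read()` and `_drupal_session_write()` now resolve the request from the container every time the handler runs, while the comment in the read handler notes that write and close handlers are called after objects have been destructed. If `Drupal::request()` cannot be resolved at that point, or returns a different request object than the one seen at session start, the handler would pick the wrong one of `sid`/`ssid` or fail before the session row is saved; this is inferred, since the handler bodies are mostly outside the hunks. `drupal_session_initialize()`, `drupal_session_regenerate()` and `_drupal_session_destroy()` already copy the value into a local `$is_https`, so I would determine it once at initialization and have the handlers reuse that value, or at least record the dependency with `// Runs at shutdown: relies on the request service still being available.`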
......@@ -453,8 +453,6 @@ function language_url_rewrite_url(&$path, &$options) {
case LANGUAGE_NEGOTIATION_URL_DOMAIN:
$domains = language_negotiation_url_domains();
if (is_object($options['language']) && !empty($domains[$options['language']->langcode])) {
global $is_https;
// Save the original base URL. If it contains a port, we need to
// retain it below.
if (!empty($options['base_url'])) {
......@@ -464,7 +462,7 @@ function language_url_rewrite_url(&$path, &$options) {
}
// Ask for an absolute URL with our modified base URL.
$url_scheme = ($is_https) ? 'https://' : 'http://';
$url_scheme = Drupal::request()->isSecure() ? 'https://' : 'http://';
$options['absolute'] = TRUE;
$options['base_url'] = $url_scheme . $domains[$options['language']->langcode];
......
......@@ -9,6 +9,7 @@
use Drupal\simpletest\WebTestBase;
use Drupal\Core\Language\Language;
use Symfony\Component\HttpFoundation\Request;
/**
* Test UI language negotiation
......@@ -60,6 +61,9 @@ public static function getInfo() {
function setUp() {
parent::setUp();
$this->request = Request::create('http://example.com/');
$this->container->set('request', $this->request);
require_once DRUPAL_ROOT . '/core/includes/language.inc';
$admin_user = $this->drupalCreateUser(array('administer languages', 'translate interface', 'access administration pages', 'administer blocks'));
$this->drupalLogin($admin_user);
......@@ -452,12 +456,11 @@ function testLanguageDomain() {
// Build the link we're going to test.
$link = 'it.example.com/admin';
global $is_https;
// Test URL in another language: http://it.example.com/admin.
// Base path gives problems on the testbot, so $correct_link is hard-coded.
// @see UrlAlterFunctionalTest::assertUrlOutboundAlter (path.test).
$italian_url = url('admin', array('language' => $languages['it'], 'script' => ''));
$url_scheme = ($is_https) ? 'https://' : 'http://';
$url_scheme = $this->request->isSecure() ? 'https://' : 'http://';
$correct_link = $url_scheme . $link;
$this->assertTrue($italian_url == $correct_link, format_string('The url() function returns the right URL (@url) in accordance with the chosen language', array('@url' => $italian_url)));
......@@ -469,11 +472,11 @@ function testLanguageDomain() {
$this->settingsSet('mixed_mode_sessions', FALSE);
// Test HTTPS via current URL scheme.
$temp_https = $is_https;
$is_https = TRUE;
$temp_https = $this->request->server->get('HTTPS');
$this->request->server->set('HTTPS', 'on');
$italian_url = url('admin', array('language' => $languages['it'], 'script' => ''));
$correct_link = 'https://' . $link;
$this->assertTrue($italian_url == $correct_link, format_string('The url() function returns the right URL (via current URL scheme) (@url) in accordance with the chosen language', array('@url' => $italian_url)));
$is_https = $temp_https;
$this->request->server->set('HTTPS', $temp_https);
}
}
......@@ -8,6 +8,7 @@
namespace Drupal\system\Tests\Session;
use Drupal\simpletest\WebTestBase;
use Symfony\Component\HttpFoundation\Request;
/**
* Ensure that when running under HTTPS two session cookies are generated.
......@@ -29,10 +30,14 @@ public static function getInfo() {
);
}
protected function testHttpsSession() {
global $is_https;
public function setUp() {
parent::setUp();
$this->request = Request::create('http://example.com/');
$this->container->set('request', $this->request);
}
if ($is_https) {
protected function testHttpsSession() {
if ($this->request->isSecure()) {
$secure_session_name = session_name();
$insecure_session_name = substr(session_name(), 1);
}
......@@ -107,7 +112,7 @@ protected function testHttpsSession() {
// Clear browser cookie jar.
$this->cookies = array();
if ($is_https) {
if ($this->request->isSecure()) {
// The functionality does not make sense when running on HTTPS.
return;
}
......@@ -241,6 +246,7 @@ protected function assertSessionIds($sid, $ssid, $assertion_text) {
*/
protected function httpsUrl($url) {
global $base_url;
$this->request->server->set('HTTPS', 'on');
return $base_url . '/core/modules/system/tests/https.php/' . $url;
}
......
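Review bot: `httpsUrl()` now flips `HTTPS` to `on` on the shared `$this->request` as a side effect of building a URL and never sets it back. Every later `$this->request->isSecure()` in the same test then returns TRUE, including the guard in `testHttpsSession()` commented "The functionality does not make sense when running on HTTPS", so the remaining assertions could be skipped silently depending on call order (the calls themselves are outside the hunks). The request built in `setUp()` is also a fixed `http://example.com/` fixture, so the check no longer reflects how the test site is actually served; the language negotiation test in this commit uses the same fixture. I would keep `httpsUrl()` free of side effects, or reset the value in the matching plain-HTTP helper if one exists, e.g. `$this->request->server->set('HTTPS', 'off');`.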