From 3e6b8905955991063a898714b60c3e8d64f31484 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Sat, 11 Apr 2015 15:58:58 -0700
Subject: [PATCH] CRM-16173 - extern/cxn.php - Respect the "Force SSL" option

---
 CRM/Cxn/BAO/Cxn.php | 8 ++++++++
 CRM/Utils/System.php | 1 +
 extern/cxn.php | 10 +++++++++-
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/CRM/Cxn/BAO/Cxn.php b/CRM/Cxn/BAO/Cxn.php
index 8d9e90c7b9..d65b42c3a0 100644
--- a/CRM/Cxn/BAO/Cxn.php
+++ b/CRM/Cxn/BAO/Cxn.php
@@ -48,12 +48,20 @@ class CRM_Cxn_BAO_Cxn extends CRM_Cxn_DAO_Cxn {
    */
   public static function getSiteCallbackUrl() {
     $config = CRM_Core_Config::singleton();
+
     if (preg_match('/^(http|https):/', $config->resourceBase)) {
       $civiUrl = $config->resourceBase;
     }
     else {
       $civiUrl = rtrim(CRM_Utils_System::baseURL(), '/') . '/' . ltrim($config->resourceBase, '/');
     }
+
+    // In practice, this may not be necessary, but we want to prevent
+    // edge-cases that downgrade security-level below system policy.
+    if (CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'enableSSL')) {
+      $civiUrl = preg_replace('/^http:/', 'https:', $civiUrl);
+    }
+
     return rtrim($civiUrl, '/') . '/extern/cxn.php';
   }
 
diff --git a/CRM/Utils/System.php b/CRM/Utils/System.php
index 2c64ef560b..8272c125e2 100644
--- a/CRM/Utils/System.php
+++ b/CRM/Utils/System.php
@@ -1157,6 +1157,7 @@ class CRM_Utils_System {
   public static function redirectToSSL($abort = FALSE) {
     $config = CRM_Core_Config::singleton();
     $req_headers = self::getRequestHeaders();
+    // FIXME: Shouldn't the X-Forwarded-Proto check be part of CRM_Utils_System::isSSL()?
     if (CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'enableSSL') &&
       !self::isSSL() &&
       strtolower(CRM_Utils_Array::value('X_FORWARDED_PROTO', $req_headers)) != 'https'
diff --git a/extern/cxn.php b/extern/cxn.php
index 407bc32ec1..543e385e3a 100644
--- a/extern/cxn.php
+++ b/extern/cxn.php
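Review bot: The scheme upgrade added in getSiteCallbackUrl, `preg_replace('/^http:/', 'https:', $civiUrl)`, is case-sensitive, as is the existing `preg_match('/^(http|https):/', ...)` above it, so a `resourceBase` configured as `HTTP://…` would neither be recognised as absolute nor be upgraded when enableSSL is on; `preg_replace('/^http:/i', 'https:', $civiUrl)` closes that gap for the new line, and the match above could take the same `i` flag. The new comment says the step "may not be necessary" without saying when it is necessary — naming the case it guards (an absolute `resourceBase` that was configured with `http:` while the system policy requires SSL) would make the intent reviewable later, e.g. `// An absolute resourceBase may have been configured with http: before enableSSL was turned on; never hand out a plaintext callback URL when policy requires SSL.`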
@@ -37,6 +37,14 @@ $apiServer->setRouter(function ($cxn, $entity, $action, $params) {
 
   require_once 'api/v3/utils.php';
 
+  // FIXME: Shouldn't the X-Forwarded-Proto check be part of CRM_Utils_System::isSSL()?
+  if (CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'enableSSL') &&
+    !CRM_Utils_System::isSSL() &&
+    strtolower(CRM_Utils_Array::value('X_FORWARDED_PROTO', CRM_Utils_System::getRequestHeaders())) != 'https'
+  ) {
+    return civicrm_api3_create_error('System policy requires HTTPS.');
+  }
+
   // Note: $cxn and cxnId are authenticated before router is called.
   $dao = new CRM_Cxn_DAO_Cxn();
   $dao->cxn_id = $cxn['cxnId'];
@@ -44,7 +52,7 @@ $apiServer->setRouter(function ($cxn, $entity, $action, $params) {
     return civicrm_api3_create_error('Failed to lookup connection authorizations.');
   }
   if (!$dao->is_active) {
-    return civicrm_api3_create_error('Connection is inactive');
+    return civicrm_api3_create_error('Connection is inactive.');
   }
   if (!is_string($entity) || !is_string($action) || !is_array($params)) {
     return civicrm_api3_create_error('API parameters are malformed.');
-- 
2.25.1
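Review bot: The new guard at the top of the router treats an `X_FORWARDED_PROTO` value of `https` as proof of TLS, but nothing here checks that the request actually arrived through a proxy that sets that header, so on a site served directly the policy is only as strong as whether the header is stripped upstream; this is worth a comment at the check, e.g. `// X-Forwarded-Proto is only meaningful behind a proxy that overwrites it; a direct deployment must rely on isSSL().`, and ideally a check that the trust is limited to a configured reverse proxy. The same three-line condition already exists in `redirectToSSL` (the CRM/Utils/System.php hunk), and the FIXME added to both places is the right instinct — folding the forwarded-proto logic into one `CRM_Utils_System` helper would keep the two from drifting. Per the surviving comment below the guard, the router only runs after the connection has been authenticated, so this refusal happens after the plaintext request has already been decoded and verified rather than before any processing; if that matters for the policy, the check belongs ahead of the dispatch. The closure this code lives in starts before the hunk.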