Make is_ssl and baseurl use proper proxy checks

This should not only address dokuwiki#4455 but also ensures that the related
headers are only used when they come from a trusted reverse proxy chain.

Author: splitbrain

inc/Ip.php

@@ -1,7 +1,7 @@
 <?php
 
 /**
- * DokuWiki IP address functions.
+ * DokuWiki IP address and reverse proxy functions.
  *
  * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
  * @author     Zebra North <[email protected]>
@@ -280,4 +280,51 @@ public static function clientIps(): array
 
         return $ips;
     }
+
+    /**
+     * Get the host name of the server.
+     *
+     * The host name is sourced from, in order of preference:
+     *
+     *   - The X-Forwarded-Host header if it exists and the proxies are trusted.
+     *   - The HTTP_HOST header.
+     *   - The SERVER_NAME header.
+     *   - The system's host name.
+     *
+     * @return string Returns the host name of the server.
+     */
+    public static function hostName(): string
+    {
+        /* @var Input $INPUT */
+        global $INPUT;
+
+        if ($INPUT->server->str('HTTP_X_FORWARDED_HOST') && self::forwardedFor() !== []) {
+            return $INPUT->server->str('HTTP_X_FORWARDED_HOST');
+        } elseif ($INPUT->server->str('HTTP_HOST')) {
+            return $INPUT->server->str('HTTP_HOST');
+        } elseif ($INPUT->server->str('SERVER_NAME')) {
+            return $INPUT->server->str('SERVER_NAME');
+        } else {
+            return php_uname('n');
+        }
+    }
+
+    /**
+     * Is the connection using the HTTPS protocol?
+     *
+     * Will use the X-Forwarded-Proto header if it exists and the proxies are trusted, otherwise
+     * the HTTPS environment is used.
+     *
+     * @return bool
+     */
+    public static function isSsl(): bool
+    {
+        /* @var Input $INPUT */
+        global $INPUT;
+
+        if ($INPUT->server->has('HTTP_X_FORWARDED_PROTO') && self::forwardedFor() !== []) {
+            return $INPUT->server->str('HTTP_X_FORWARDED_PROTO') === 'https';
+        }
+        return preg_match('/^(|off|false|disabled)$/i', $INPUT->server->str('HTTPS', 'off'));
+    }
 }

inc/auth.php

@@ -535,7 +535,7 @@ function auth_logoff($keepbc = false)
     setcookie(DOKU_COOKIE, '', [
         'expires' => time() - 600000,
         'path' => $cookieDir,
-        'secure' => ($conf['securecookie'] && is_ssl()),
+        'secure' => ($conf['securecookie'] && \dokuwiki\Ip::isSsl()),
         'httponly' => true,
         'samesite' => $conf['samesitecookie'] ?: null, // null means browser default
     ]);
@@ -1401,7 +1401,7 @@ function auth_setCookie($user, $pass, $sticky)
     setcookie(DOKU_COOKIE, $cookie, [
         'expires' => $time,
         'path' => $cookieDir,
-        'secure' => ($conf['securecookie'] && is_ssl()),
+        'secure' => ($conf['securecookie'] && \dokuwiki\Ip::isSsl()),
         'httponly' => true,
         'samesite' => $conf['samesitecookie'] ?: null, // null means browser default
     ]);

inc/common.php

@@ -1957,7 +1957,7 @@ function set_doku_pref($pref, $val)
         setcookie('DOKU_PREFS', $cookieVal, [
             'expires' => time() + 365 * 24 * 3600,
             'path' => $cookieDir,
-            'secure' => ($conf['securecookie'] && is_ssl()),
+            'secure' => ($conf['securecookie'] && Ip::isSsl()),
             'samesite' => 'Lax'
         ]);
     }

inc/init.php

@@ -263,7 +263,7 @@ function init_session()
         'lifetime' => DOKU_SESSION_LIFETIME,
         'path' => DOKU_SESSION_PATH,
         'domain' => DOKU_SESSION_DOMAIN,
-        'secure' => ($conf['securecookie'] && is_ssl()),
+        'secure' => ($conf['securecookie'] && \dokuwiki\Ip::isSsl()),
         'httponly' => true,
         'samesite' => 'Lax',
     ]);
@@ -497,28 +497,12 @@ function getBaseURL($abs = null)
     if (!empty($conf['baseurl'])) return rtrim($conf['baseurl'], '/') . $dir;
 
     //split hostheader into host and port
-    if (isset($_SERVER['HTTP_HOST'])) {
-        if (
-            (!empty($conf['trustedproxy'])) && isset($_SERVER['HTTP_X_FORWARDED_HOST'])
-             && preg_match('/' . $conf['trustedproxy'] . '/', $_SERVER['REMOTE_ADDR'])
-        ) {
-            $cur_host = $_SERVER['HTTP_X_FORWARDED_HOST'];
-        } else {
-            $cur_host = $_SERVER['HTTP_HOST'];
-        }
-        $parsed_host = parse_url('http://' . $cur_host);
-        $host = $parsed_host['host'] ?? '';
-        $port = $parsed_host['port'] ?? '';
-    } elseif (isset($_SERVER['SERVER_NAME'])) {
-        $parsed_host = parse_url('http://' . $_SERVER['SERVER_NAME']);
-        $host = $parsed_host['host'] ?? '';
-        $port = $parsed_host['port'] ?? '';
-    } else {
-        $host = php_uname('n');
-        $port = '';
-    }
+    $hostname = \dokuwiki\Ip::hostName();
+    $parsed_host = parse_url('http://' . $hostname);
+    $host = $parsed_host['host'] ?? '';
+    $port = $parsed_host['port'] ?? '';
 
-    if (!is_ssl()) {
+    if (!\dokuwiki\Ip::isSsl()) {
         $proto = 'http://';
         if ($port == '80') {
             $port = '';
@@ -536,31 +520,12 @@ function getBaseURL($abs = null)
 }
 
 /**
- * Check if accessed via HTTPS
- *
- * Apache leaves ,$_SERVER['HTTPS'] empty when not available, IIS sets it to 'off'.
- * 'false' and 'disabled' are just guessing
- *
- * @returns bool true when SSL is active
+ * @deprecated 2025-06-03
  */
 function is_ssl()
 {
-    global $conf;
-
-    // check if we are behind a reverse proxy
-    if (
-        (!empty($conf['trustedproxy'])) && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
-         && preg_match('/' . $conf['trustedproxy'] . '/', $_SERVER['REMOTE_ADDR'])
-         && ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
-    ) {
-        return true;
-    }
-
-    if (preg_match('/^(|off|false|disabled)$/i', $_SERVER['HTTPS'] ?? 'off')) {
-        return false;
-    }
-
-    return true;
+    dbg_deprecated('Ip::isSsl()');
+    return \dokuwiki\Ip::isSsl();
 }
 
 /**

lib/exe/js.php

@@ -103,7 +103,7 @@ function js_out()
     echo "var DOKU_TPL    = '" . tpl_basedir($tpl) . "';";
     echo "var DOKU_COOKIE_PARAM = " . json_encode([
             'path' => empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir'],
-            'secure' => $conf['securecookie'] && is_ssl()
+            'secure' => $conf['securecookie'] && \dokuwiki\Ip::isSsl(),
         ], JSON_THROW_ON_ERROR) . ";";
     // FIXME: Move those to JSINFO
     echo "Object.defineProperty(window, 'DOKU_UHN', { get: function() {" .