check if client-presented URL scheme is different from one configured in SELF_URL_PATH

This commit is contained in:
Andrew Dolgov 2021-02-26 14:14:44 +03:00
parent 4896874bda
commit e6a875b7e4
3 changed files with 30 additions and 8 deletions


@ -5,8 +5,9 @@ class Errors {
const E_UNKNOWN_METHOD = "E_UNKNOWN_METHOD"; const E_UNKNOWN_METHOD = "E_UNKNOWN_METHOD";
const E_UNKNOWN_PLUGIN = "E_UNKNOWN_PLUGIN"; const E_UNKNOWN_PLUGIN = "E_UNKNOWN_PLUGIN";
const E_SCHEMA_MISMATCH = "E_SCHEMA_MISMATCH"; const E_SCHEMA_MISMATCH = "E_SCHEMA_MISMATCH";
const E_URL_SCHEME_MISMATCH = "E_URL_SCHEME_MISMATCH";
static function to_json(string $code) { static function to_json(string $code, array $params = []) {
return json_encode(["error" => ["code" => $code]]); return json_encode(["error" => ["code" => $code, "params" => $params]]);
} }
} }
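Review bot: `to_json` now serializes whatever `$params` it is handed verbatim under `error.params` in the API response, and nothing on the method states that contract. A short docblock would do, e.g. `/** @param string $code one of the E_* constants; @param array $params extra context returned to the client as-is under error.params — pass only values that are safe to expose. */`. The only caller visible in this commit passes the client-reported scheme and the configured `SELF_URL_PATH` prefix back through it, which is what makes the caveat worth recording.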


@ -168,10 +168,21 @@ class RPC extends Handler_Protected {
$_SESSION["hasSandbox"] = clean($_REQUEST["hasSandbox"]) === "true"; $_SESSION["hasSandbox"] = clean($_REQUEST["hasSandbox"]) === "true";
$_SESSION["clientTzOffset"] = clean($_REQUEST["clientTzOffset"]); $_SESSION["clientTzOffset"] = clean($_REQUEST["clientTzOffset"]);
$client_location = $_REQUEST["clientLocation"];
$error = Errors::E_SUCCESS; $error = Errors::E_SUCCESS;
$error_params = [];
$client_scheme = parse_url($client_location, PHP_URL_SCHEME);
$server_scheme = parse_url(get_self_url_prefix(), PHP_URL_SCHEME);
if (get_schema_version() != SCHEMA_VERSION) { if (get_schema_version() != SCHEMA_VERSION) {
$error = Errors::E_SCHEMA_MISMATCH; $error = Errors::E_SCHEMA_MISMATCH;
} else if ($client_scheme != $server_scheme) {
$error = Errors::E_URL_SCHEME_MISMATCH;
$error_params["client_scheme"] = $client_scheme;
$error_params["server_scheme"] = $server_scheme;
$error_params["self_url_path"] = get_self_url_prefix();
} }
if ($error == Errors::E_SUCCESS) { if ($error == Errors::E_SUCCESS) {
@ -183,7 +194,7 @@ class RPC extends Handler_Protected {
print json_encode($reply); print json_encode($reply);
} else { } else {
print Errors::to_json($error); print Errors::to_json($error, $error_params);
} }
} }
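Review bot: `$client_location = $_REQUEST["clientLocation"];` reads the request parameter raw and without a default, unlike the adjacent `clean($_REQUEST[...])` lines in the same hunk, and a caller that does not send `clientLocation` (an older client build or a direct API call) ends up with no scheme from `parse_url`, so `$client_scheme != $server_scheme` is true and sanityCheck fails with `E_URL_SCHEME_MISMATCH` instead of passing. Read it as `$client_location = clean($_REQUEST["clientLocation"] ?? "");` and only compare when a location was actually supplied, `} else if ($client_location && $client_scheme != $server_scheme) {`. The comparison is also case-sensitive while URL schemes are not; browsers normalise `location.href` to lower case so this presumably does not bite in practice, but a `strtolower` on both sides would make the intent explicit. The enclosing method starts and ends outside the hunk.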


@ -418,7 +418,7 @@ const App = {
if (error && error.code && error.code != App.Error.E_SUCCESS) { if (error && error.code && error.code != App.Error.E_SUCCESS) {
console.warn("handleRpcJson: fatal error", error); console.warn("handleRpcJson: fatal error", error);
this.Error.fatal(error.code); this.Error.fatal(error.code, error.params);
return false; return false;
} }
@ -547,6 +547,7 @@ const App = {
E_SUCCESS: "E_SUCCESS", E_SUCCESS: "E_SUCCESS",
E_UNAUTHORIZED: "E_UNAUTHORIZED", E_UNAUTHORIZED: "E_UNAUTHORIZED",
E_SCHEMA_MISMATCH: "E_SCHEMA_MISMATCH", E_SCHEMA_MISMATCH: "E_SCHEMA_MISMATCH",
E_URL_SCHEME_MISMATCH: "E_URL_SCHEME_MISMATCH",
fatal: function (error, params = {}) { fatal: function (error, params = {}) {
if (error == App.Error.E_UNAUTHORIZED) { if (error == App.Error.E_UNAUTHORIZED) {
window.location.href = "index.php"; window.location.href = "index.php";
@ -554,9 +555,14 @@ const App = {
} else if (error == App.Error.E_SCHEMA_MISMATCH) { } else if (error == App.Error.E_SCHEMA_MISMATCH) {
window.location.href = "public.php?op=dbupdate"; window.location.href = "public.php?op=dbupdate";
return; return;
} else if (error == App.Error.E_URL_SCHEME_MISMATCH) {
params.description = __("URL scheme reported by your browser (%a) doesn't match server-configured SELF_URL_PATH (%b), check X-Forwarded-Proto.")
.replace("%a", params.client_scheme)
.replace("%b", params.server_scheme);
params.info = `SELF_URL_PATH: ${params.self_url_path}\nCLIENT_LOCATION: ${document.location.href}`
} }
return this.report(__("Fatal error: %s").replace("%s", error), return this.report(error,
{...{title: __("Fatal error")}, ...params}); {...{title: __("Fatal error")}, ...params});
}, },
report: function(error, params = {}) { report: function(error, params = {}) {
@ -587,10 +593,13 @@ const App = {
<div class='exception-contents'> <div class='exception-contents'>
<h3>${message}</h3> <h3>${message}</h3>
<header>${__('Stack trace')}</header> ${params.description ? `<p>${params.description}</p>` : ''}
${error.stack ?
`<header>${__('Stack trace')}</header>
<section> <section>
<textarea readonly='readonly'>${error.stack}</textarea> <textarea readonly='readonly'>${error.stack}</textarea>
</section> </section>` : ''}
${params && params.info ? ${params && params.info ?
` `
@ -650,7 +659,8 @@ const App = {
op: "rpc", op: "rpc",
method: "sanityCheck", method: "sanityCheck",
clientTzOffset: new Date().getTimezoneOffset() * 60, clientTzOffset: new Date().getTimezoneOffset() * 60,
hasSandbox: "sandbox" in document.createElement("iframe") hasSandbox: "sandbox" in document.createElement("iframe"),
clientLocation: window.location.href
}; };
xhr.json("backend.php", params, (reply) => { xhr.json("backend.php", params, (reply) => {
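Review bot: `params.description` is assembled in `fatal` from `params.client_scheme`, a value the server derived from the request's own `clientLocation`, and `report` then interpolates it directly into markup as `<p>${params.description}</p>` without escaping. Today the exposure is small — `parse_url` only yields a narrow character set for a scheme and the value is reflected back to the browser that sent it — but `report` is a general-purpose dialog, so `description` should be HTML-escaped (or placed with `textContent`) before it goes into the template rather than relying on every future caller to pass safe text. `fatal` could also send only `window.location.protocol` as `clientLocation`, since the server reads nothing but the scheme from it; the full `href` including query string is more than the check needs. The statement assigning `params.info` has no terminating semicolon. `App.Error` and `report` continue outside the hunks.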