diff --git a/core/lib/Drupal/Core/DrupalKernel.php b/core/lib/Drupal/Core/DrupalKernel.php index 2c58ccc..ad3b7d7 100644 --- a/core/lib/Drupal/Core/DrupalKernel.php +++ b/core/lib/Drupal/Core/DrupalKernel.php @@ -810,7 +810,6 @@ protected function initializeRequestGlobals(Request $request) { global $base_url; // Set and derived from $base_url by this function. global $base_path, $base_root, $script_path; - global $base_secure_url, $base_insecure_url; // @todo Refactor with the Symfony Request object. if (isset($base_url)) { @@ -848,8 +847,6 @@ protected function initializeRequestGlobals(Request $request) { $base_path = '/'; } } - $base_secure_url = str_replace('http://', 'https://', $base_url); - $base_insecure_url = str_replace('https://', 'http://', $base_url); // Determine the path of the script relative to the base path, and add a // trailing slash. This is needed for creating URLs to Drupal pages. diff --git a/core/modules/system/src/Tests/Session/SessionHttpsTest.php b/core/modules/system/src/Tests/Session/SessionHttpsTest.php index 06e0e19..b547e44 100644 --- a/core/modules/system/src/Tests/Session/SessionHttpsTest.php +++ b/core/modules/system/src/Tests/Session/SessionHttpsTest.php @@ -11,6 +11,7 @@ use Symfony\Component\HttpFoundation\Request; use Drupal\Component\Utility\Crypt; use Drupal\Component\Utility\String; +use Drupal\Core\Session\AccountInterface; /** * Ensure that when running under HTTPS two session cookies are generated. @@ -20,6 +21,20 @@ class SessionHttpsTest extends WebTestBase { /** + * The name of the session cookie when using HTTP. + * + * @var string + */ + protected $insecureSessionName; + + /** + * The name of the session cookie when using HTTPS. + * + * @var string + */ + protected $secureSessionName; + + /** * Modules to enable. * * @var array @@ -28,81 +43,68 @@ class SessionHttpsTest extends WebTestBase { protected function setUp() { parent::setUp(); - $this->request = Request::createFromGlobals(); - $this->container->get('request_stack')->push($this->request); - } - protected function testHttpsSession() { - if ($this->request->isSecure()) { - $secure_session_name = $this->getSessionName(); - $insecure_session_name = substr($this->getSessionName(), 1); + $request = Request::createFromGlobals(); + if ($request->isSecure()) { + $this->secureSessionName = $this->getSessionName(); + $this->insecureSessionName = substr($this->getSessionName(), 1); } else { - $secure_session_name = 'S' . $this->getSessionName(); - $insecure_session_name = $this->getSessionName(); + $this->secureSessionName = 'S' . $this->getSessionName(); + $this->insecureSessionName = $this->getSessionName(); } + } + protected function testHttpsSession() { $user = $this->drupalCreateUser(array('access administration pages')); // Test HTTPS session handling by altering the form action to submit the // login form through https.php, which creates a mock HTTPS request. - $this->drupalGet('user/login'); - $form = $this->xpath('//form[@id="user-login-form"]'); - $form[0]['action'] = $this->httpsUrl('user/login'); - $edit = array('name' => $user->getUsername(), 'pass' => $user->pass_raw); - $this->drupalPostForm(NULL, $edit, t('Log in')); + $this->loginHttps($user); // Test a second concurrent session. $this->curlClose(); - $this->drupalGet('user/login'); - $form = $this->xpath('//form[@id="user-login-form"]'); - $form[0]['action'] = $this->httpsUrl('user/login'); - $this->drupalPostForm(NULL, $edit, t('Log in')); + $this->curlCookies = array(); + $this->loginHttps($user); // Check secure cookie on secure page. - $this->assertTrue($this->cookies[$secure_session_name]['secure'], 'The secure cookie has the secure attribute'); + $this->assertTrue($this->cookies[$this->secureSessionName]['secure'], 'The secure cookie has the secure attribute'); // Check insecure cookie is not set. - $this->assertFalse(isset($this->cookies[$insecure_session_name])); - $ssid = $this->cookies[$secure_session_name]['value']; + $this->assertFalse(isset($this->cookies[$this->insecureSessionName])); + $ssid = $this->cookies[$this->secureSessionName]['value']; $this->assertSessionIds($ssid, $ssid, 'Session has a non-empty SID and a correct secure SID.'); - $cookie = $secure_session_name . '=' . $ssid; // Verify that user is logged in on secure URL. - $this->curlClose(); - $this->drupalGet($this->httpsUrl('admin/config'), array(), array('Cookie: ' . $cookie)); + $this->drupalGet($this->httpsUrl('admin/config')); $this->assertText(t('Configuration')); $this->assertResponse(200); // Verify that user is not logged in on non-secure URL. - $this->curlClose(); - $this->drupalGet($this->httpUrl('admin/config'), array(), array('Cookie: ' . $cookie)); + $this->drupalGet($this->httpUrl('admin/config')); $this->assertNoText(t('Configuration')); $this->assertResponse(403); // Verify that empty SID cannot be used on the non-secure site. $this->curlClose(); - $cookie = $insecure_session_name . '='; - $this->drupalGet($this->httpUrl('admin/config'), array(), array('Cookie: ' . $cookie)); + $this->curlCookies = array($this->insecureSessionName . '='); + $this->drupalGet($this->httpUrl('admin/config')); $this->assertResponse(403); // Test HTTP session handling by altering the form action to submit the // login form through http.php, which creates a mock HTTP request on HTTPS // test environments. $this->curlClose(); - $this->drupalGet('user/login'); - $form = $this->xpath('//form[@id="user-login-form"]'); - $form[0]['action'] = $this->httpUrl('user/login'); - $edit = array('name' => $user->getUsername(), 'pass' => $user->pass_raw); - $this->drupalPostForm(NULL, $edit, t('Log in')); + $this->curlCookies = array(); + $this->loginHttp($user); $this->drupalGet($this->httpUrl('admin/config')); $this->assertResponse(200); - $sid = $this->cookies[$insecure_session_name]['value']; + $sid = $this->cookies[$this->insecureSessionName]['value']; $this->assertSessionIds($sid, '', 'Session has the correct SID and an empty secure SID.'); // Verify that empty secure SID cannot be used on the secure site. $this->curlClose(); - $cookie = $secure_session_name . '='; - $this->drupalGet($this->httpsUrl('admin/config'), array(), array('Cookie: ' . $cookie)); + $this->curlCookies = array($this->secureSessionName . '='); + $this->drupalGet($this->httpsUrl('admin/config')); $this->assertResponse(403); // Clear browser cookie jar. @@ -113,15 +115,6 @@ protected function testHttpsSession() { * Tests sessions in SSL mixed mode. */ protected function testMixedModeSslSession() { - if ($this->request->isSecure()) { - // The functionality does not make sense when running on HTTPS. - return; - } - else { - $secure_session_name = 'S' . $this->getSessionName(); - $insecure_session_name = $this->getSessionName(); - } - // Enable secure pages. $this->settingsSet('mixed_mode_sessions', TRUE); // Write that value also into the test settings.php file. @@ -133,62 +126,57 @@ protected function testMixedModeSslSession() { $user = $this->drupalCreateUser(array('access administration pages')); - $this->curlClose(); // Start an anonymous session on the insecure site. $session_data = $this->randomMachineName(); - $this->drupalGet('session-test/set/' . $session_data); + $this->drupalGet($this->httpUrl('session-test/set/') . $session_data); + $this->assertResponse(200); // Check secure cookie on insecure page. - $this->assertFalse(isset($this->cookies[$secure_session_name]), 'The secure cookie is not sent on insecure pages.'); + $this->assertFalse(isset($this->cookies[$this->secureSessionName]), 'The secure cookie is not sent on insecure pages.'); // Check insecure cookie on insecure page. - $this->assertFalse($this->cookies[$insecure_session_name]['secure'], 'The insecure cookie does not have the secure attribute'); + $this->assertFalse($this->cookies[$this->insecureSessionName]['secure'], 'The insecure cookie does not have the secure attribute'); // Store the anonymous cookie so we can validate that its session is killed // after login. - $anonymous_cookie = $insecure_session_name . '=' . $this->cookies[$insecure_session_name]['value']; + $anonymous_cookie = $this->insecureSessionName . '=' . $this->cookies[$this->insecureSessionName]['value']; // Check that password request form action is not secure. $this->drupalGet('user/password'); + $this->assertResponse(200); $form = $this->xpath('//form[@id="user-pass"]'); $this->assertNotEqual(substr($form[0]['action'], 0, 6), 'https:', 'Password request form action is not secure'); - $form[0]['action'] = $this->httpsUrl('user/login'); // Check that user login form action is secure. $this->drupalGet('user/login'); + $this->assertResponse(200); $form = $this->xpath('//form[@id="user-login-form"]'); $this->assertEqual(substr($form[0]['action'], 0, 6), 'https:', 'Login form action is secure'); - $form[0]['action'] = $this->httpsUrl('user/login'); - $edit = array( - 'name' => $user->getUsername(), - 'pass' => $user->pass_raw, - ); - $this->drupalPostForm(NULL, $edit, t('Log in')); + $this->loginHttps($user); // Check secure cookie on secure page. - $this->assertTrue($this->cookies[$secure_session_name]['secure'], 'The secure cookie has the secure attribute'); + $this->assertTrue($this->cookies[$this->secureSessionName]['secure'], 'The secure cookie has the secure attribute'); // Check insecure cookie on secure page. - $this->assertFalse($this->cookies[$insecure_session_name]['secure'], 'The insecure cookie does not have the secure attribute'); + $this->assertFalse($this->cookies[$this->insecureSessionName]['secure'], 'The insecure cookie does not have the secure attribute'); - $sid = $this->cookies[$insecure_session_name]['value']; - $ssid = $this->cookies[$secure_session_name]['value']; + $sid = $this->cookies[$this->insecureSessionName]['value']; + $ssid = $this->cookies[$this->secureSessionName]['value']; $this->assertSessionIds($sid, $ssid, 'Session has both secure and insecure SIDs'); $cookies = array( - 'http' => $insecure_session_name . '=' . $sid, - 'https' => $secure_session_name . '=' . $ssid, + 'http' => $this->insecureSessionName . '=' . $sid, + 'https' => $this->secureSessionName . '=' . $ssid, ); // Test that session data saved before login is still available on the // authenticated session. $this->drupalGet('session-test/get'); + $this->assertResponse(200); $this->assertText($session_data, 'Session correctly returned the stored data set by the anonymous session.'); foreach ($cookies as $cookie_key => $cookie) { - foreach (array('http' => 'admin/config', 'https' => $this->httpsUrl('admin/config')) as $url_key => $url) { + foreach (array('http' => $this->httpUrl('admin/config'), 'https' => $this->httpsUrl('admin/config')) as $url_key => $url) { $this->curlClose(); - // The HTTPS setting needs to be set correctly on the request for the - // URL generator to work. - $this->request->server->set('HTTPS', $url_key == 'https' ? 'on' : 'off'); + $this->curlCookies = array($cookie); - $this->drupalGet($url, array(), array('Cookie: ' . $cookie)); + $this->drupalGet($url); if ($cookie_key == $url_key) { $this->assertText(t('Configuration')); $this->assertResponse(200); @@ -202,24 +190,31 @@ protected function testMixedModeSslSession() { // Test that session data saved before login is not available using the // pre-login anonymous cookie. - $this->cookies = array(); - $this->drupalGet('session-test/get', array(), array('Cookie: ' . $anonymous_cookie)); + $this->curlClose(); + $this->curlCookies = array( + $this->insecureSessionName . '=' . $this->cookies[$this->insecureSessionName]['value'], + ); + $this->drupalGet('session-test/get'); $this->assertNoText($session_data, 'Initial anonymous session is inactive after login.'); // Clear browser cookie jar. $this->cookies = array(); // Start an anonymous session on the secure site. + $this->curlClose(); + $this->curlCookies = array(); $this->drupalGet($this->httpsUrl('session-test/set/1')); + $this->assertResponse(200); + $this->curlCookies = array( + $this->insecureSessionName . '=' . $this->cookies[$this->insecureSessionName]['value'], + $this->secureSessionName . '=' . $this->cookies[$this->secureSessionName]['value'], + ); // Mock a login to the secure site using the secure session cookie. - $this->drupalGet('user/login'); - $form = $this->xpath('//form[@id="user-login-form"]'); - $form[0]['action'] = $this->httpsUrl('user/login'); - $this->drupalPostForm(NULL, $edit, t('Log in')); + $this->loginHttps($user); // Test that the user is also authenticated on the insecure site. - $this->drupalGet("user/" . $user->id() . "/edit"); + $this->drupalGet($this->httpUrl("user/" . $user->id() . "/edit")); $this->assertResponse(200); } @@ -227,15 +222,6 @@ protected function testMixedModeSslSession() { * Ensure that a CSRF form token is shared in SSL mixed mode. */ protected function testCsrfTokenWithMixedModeSsl() { - if ($this->request->isSecure()) { - $secure_session_name = $this->getSessionName(); - $insecure_session_name = substr($this->getSessionName(), 1); - } - else { - $secure_session_name = 'S' . $this->getSessionName(); - $insecure_session_name = $this->getSessionName(); - } - // Enable mixed mode SSL. $this->settingsSet('mixed_mode_sessions', TRUE); // Write that value also into the test settings.php file. @@ -248,20 +234,16 @@ protected function testCsrfTokenWithMixedModeSsl() { $user = $this->drupalCreateUser(array('access administration pages')); // Login using the HTTPS user-login form. - $this->drupalGet('user/login'); - $form = $this->xpath('//form[@id="user-login-form"]'); - $form[0]['action'] = $this->httpsUrl('user/login'); - $edit = array('name' => $user->getUsername(), 'pass' => $user->pass_raw); - $this->drupalPostForm(NULL, $edit, t('Log in')); + $this->loginHttps($user); // Collect session id cookies. - $sid = $this->cookies[$insecure_session_name]['value']; - $ssid = $this->cookies[$secure_session_name]['value']; + $sid = $this->cookies[$this->insecureSessionName]['value']; + $ssid = $this->cookies[$this->secureSessionName]['value']; $this->assertSessionIds($sid, $ssid, 'Session has both secure and insecure SIDs'); // Retrieve the form via HTTP. - $this->curlClose(); - $this->drupalGet($this->httpUrl('session-test/form'), array(), array('Cookie: ' . $insecure_session_name . '=' . $sid)); + $this->drupalGet($this->httpUrl('session-test/form')); + $this->assertResponse(200); $http_token = $this->getFormToken(); // Verify that submitting form values via HTTPS to a form originally @@ -269,13 +251,28 @@ protected function testCsrfTokenWithMixedModeSsl() { $form = $this->xpath('//form[@id="session-test-form"]'); $form[0]['action'] = $this->httpsUrl('session-test/form'); $edit = array('input' => $this->randomMachineName(32)); - $this->curlClose(); - $this->drupalPostForm(NULL, $edit, 'Save', array('Cookie: ' . $secure_session_name . '=' . $ssid)); + + // When posting directly to the HTTP or HTTPS mock front controller, the + // location header on the returned response is an absolute URL. That URL + // needs to be converted into a request to the respective mock front + // controller in order to retrieve the target page. Because the URL in the + // location header needs to be modified, it is necessary to disable the + // automatic redirects normally performed by parent::curlExec(). + $maximum_redirects = $this->maximumRedirects; + $this->maximumRedirects = 0; + $this->drupalPostForm(NULL, $edit, 'Save'); + $this->maximumRedirects = $maximum_redirects; + + // Follow the redirect header. + $path = $this->getPathFromLocationHeader(TRUE); + $this->drupalGet($this->httpUrl($path)); + $this->assertResponse(200); + $this->assertText(String::format('Ok: @input', array('@input' => $edit['input']))); // Retrieve the same form via HTTPS. - $this->curlClose(); - $this->drupalGet($this->httpsUrl('session-test/form'), array(), array('Cookie: ' . $secure_session_name . '=' . $ssid)); + $this->drupalGet($this->httpsUrl('session-test/form')); + $this->assertResponse(200); $https_token = $this->getFormToken(); // Verify that CSRF token values are the same for a form regardless of @@ -284,6 +281,103 @@ protected function testCsrfTokenWithMixedModeSsl() { } /** + * Log in a user via HTTP. + * + * Note that the parents $session_id and $loggedInUser is not updated. + */ + protected function loginHttp(AccountInterface $account) { + $this->drupalGet('user/login'); + + // Alter the form action to submit the login form through http.php, which + // creates a mock HTTP request on HTTPS test environments. + $form = $this->xpath('//form[@id="user-login-form"]'); + $form[0]['action'] = $this->httpUrl('user/login'); + $edit = array('name' => $account->getUsername(), 'pass' => $account->pass_raw); + + // When posting directly to the HTTP or HTTPS mock front controller, the + // location header on the returned response is an absolute URL. That URL + // needs to be converted into a request to the respective mock front + // controller in order to retrieve the target page. Because the URL in the + // location header needs to be modified, it is necessary to disable the + // automatic redirects normally performed by parent::curlExec(). + $maximum_redirects = $this->maximumRedirects; + $this->maximumRedirects = 0; + $this->drupalPostForm(NULL, $edit, t('Log in')); + $this->maximumRedirects = $maximum_redirects; + + // Follow the location header. + $path = $this->getPathFromLocationHeader(FALSE); + $this->drupalGet($this->httpUrl($path)); + $this->assertResponse(200); + } + + /** + * Log in a user via HTTPS. + * + * Note that the parents $session_id and $loggedInUser is not updated. + */ + protected function loginHttps(AccountInterface $account) { + $this->drupalGet('user/login'); + + // Alter the form action to submit the login form through https.php, which + // creates a mock HTTPS request on HTTP test environments. + $form = $this->xpath('//form[@id="user-login-form"]'); + $form[0]['action'] = $this->httpsUrl('user/login'); + $edit = array('name' => $account->getUsername(), 'pass' => $account->pass_raw); + + // When posting directly to the HTTP or HTTPS mock front controller, the + // location header on the returned response is an absolute URL. That URL + // needs to be converted into a request to the respective mock front + // controller in order to retrieve the target page. Because the URL in the + // location header needs to be modified, it is necessary to disable the + // automatic redirects normally performed by parent::curlExec(). + $maximum_redirects = $this->maximumRedirects; + $this->maximumRedirects = 0; + $this->drupalPostForm(NULL, $edit, t('Log in')); + $this->maximumRedirects = $maximum_redirects; + + // When logging in via the HTTPS mock, the child site will issue a session + // cookie with the secure attribute set. While this cookie will be stored in + // the curl handle, it will not be used on subsequent requests via the HTTPS + // mock, unless when operating in a true HTTPS environment. Therefore it is + // necessary to manually collect the session cookie and add it to the + // curlCookies property such that it will be used on subsequent requests via + // the HTTPS mock. + $this->curlCookies = array($this->secureSessionName . '=' . $this->cookies[$this->secureSessionName]['value']); + + // Follow the location header. + $path = $this->getPathFromLocationHeader(TRUE); + $this->drupalGet($this->httpsUrl($path)); + $this->assertResponse(200); + } + + /** + * Extract internal path from the location header on the response. + */ + protected function getPathFromLocationHeader($https = FALSE, $response_code = 303) { + // Generate the base_url. + $base_url = $this->container->get('url_generator')->generateFromRoute('', [], ['absolute' => TRUE]); + if ($https) { + $base_url = str_replace('http://', 'https://', $base_url); + } + else { + $base_url = str_replace('https://', 'http://', $base_url); + } + + // The mock front controllers (http.php and https.php) add the script name + // to $_SERVER['REQEUST_URI'] and friends. Therefore it is necessary to + // strip that also. + $base_url .= 'index.php/'; + + // Extract relative path from location header. + $this->assertResponse($response_code); + $location = $this->drupalGetHeader('location'); + + $this->assertIdentical(strpos($location, $base_url), 0, 'Location header contains expected base URL'); + return substr($location, strlen($base_url)); + } + + /** * Return the token of the current form. */ protected function getFormToken() { @@ -321,12 +415,10 @@ protected function assertSessionIds($sid, $ssid, $assertion_text) { * A Drupal path such as 'user/login'. * * @return - * An absolute URL. + * URL prepared for the https.php mock front controller. */ protected function httpsUrl($url) { - global $base_url; - $this->request->server->set('HTTPS', 'on'); - return $base_url . '/core/modules/system/tests/https.php/' . $url; + return 'core/modules/system/tests/https.php/' . $url; } /** @@ -336,10 +428,10 @@ protected function httpsUrl($url) { * A Drupal path such as 'user/login'. * * @return - * An absolute URL. + * URL prepared for the http.php mock front controller. */ protected function httpUrl($url) { - global $base_url; - return $base_url . '/core/modules/system/tests/http.php/' . $url; + return 'core/modules/system/tests/http.php/' . $url; } + } diff --git a/core/modules/system/tests/http.php b/core/modules/system/tests/http.php index 3386979..4eac640 100644 --- a/core/modules/system/tests/http.php +++ b/core/modules/system/tests/http.php @@ -12,9 +12,6 @@ $autoloader = require_once './core/vendor/autoload.php'; -// Set a global variable to indicate a mock HTTP request. -$is_http_mock = !empty($_SERVER['HTTPS']); - // Change to HTTP. $_SERVER['HTTPS'] = NULL; ini_set('session.cookie_secure', FALSE); diff --git a/core/modules/system/tests/https.php b/core/modules/system/tests/https.php index 00a6b13..acb65ac 100644 --- a/core/modules/system/tests/https.php +++ b/core/modules/system/tests/https.php @@ -15,9 +15,6 @@ $autoloader = require_once './core/vendor/autoload.php'; -// Set a global variable to indicate a mock HTTPS request. -$is_https_mock = empty($_SERVER['HTTPS']); - // Change to HTTPS. $_SERVER['HTTPS'] = 'on'; foreach ($_SERVER as &$value) { diff --git a/core/modules/system/tests/modules/session_test/src/EventSubscriber/SessionTestSubscriber.php b/core/modules/system/tests/modules/session_test/src/EventSubscriber/SessionTestSubscriber.php index 9029093..ffd27a5 100644 --- a/core/modules/system/tests/modules/session_test/src/EventSubscriber/SessionTestSubscriber.php +++ b/core/modules/system/tests/modules/session_test/src/EventSubscriber/SessionTestSubscriber.php @@ -9,7 +9,6 @@ use Drupal\Core\Session\SessionManagerInterface; use Symfony\Component\EventDispatcher\EventSubscriberInterface; -use Symfony\Component\HttpFoundation\RedirectResponse; use Symfony\Component\HttpKernel\KernelEvents; use Symfony\Component\HttpKernel\Event\FilterResponseEvent; use Symfony\Component\HttpKernel\Event\GetResponseEvent; @@ -57,20 +56,8 @@ public function onKernelRequestSessionTest(GetResponseEvent $event) { * The Event to process. */ public function onKernelResponseSessionTest(FilterResponseEvent $event) { - $response = $event->getResponse(); - if ($response instanceOf RedirectResponse) { - // Force the redirection to go to a non-secure page after being on a - // secure page through https.php. - global $base_insecure_url, $is_https_mock; - // Alter the redirect to use HTTP when using a mock HTTPS request through - // https.php because form submissions would otherwise redirect to a - // non-existent HTTPS site. - if (!empty($is_https_mock)) { - $path = $base_insecure_url . '/' . $response->getTargetUrl(); - $response->setTargetUrl($path); - } - } // Set header for session testing. + $response = $event->getResponse(); $response->headers->set('X-Session-Empty', $this->emptySession); } @@ -80,9 +67,9 @@ public function onKernelResponseSessionTest(FilterResponseEvent $event) { * @return array * An array of event listener definitions. */ - static function getSubscribedEvents() { - $events[KernelEvents::RESPONSE][] = array('onKernelResponseSessionTest', 300); - $events[KernelEvents::REQUEST][] = array('onKernelRequestSessionTest', 100); + public static function getSubscribedEvents() { + $events[KernelEvents::RESPONSE][] = array('onKernelResponseSessionTest'); + $events[KernelEvents::REQUEST][] = array('onKernelRequestSessionTest'); return $events; }