diff --git a/core/includes/bootstrap.inc b/core/includes/bootstrap.inc
index d33d1ee..d5c2654 100644
--- a/core/includes/bootstrap.inc
+++ b/core/includes/bootstrap.inc
@@ -432,7 +432,6 @@ function _drupal_request_initialize() {
   global $base_url, $cookie_domain;
   // Set and derived from $base_url by this function.
   global $base_path, $base_root, $script_path;
-  global $base_secure_url, $base_insecure_url;
 
   $is_https = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on';
 
@@ -472,8 +471,6 @@ function _drupal_request_initialize() {
       $base_path = '/';
     }
   }
-  $base_secure_url = str_replace('http://', 'https://', $base_url);
-  $base_insecure_url = str_replace('https://', 'http://', $base_url);
 
   // Determine the path of the script relative to the base path, and add a
   // trailing slash. This is needed for creating URLs to Drupal pages.
diff --git a/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php b/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php
index a9c709c..a2621c9 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php
@@ -11,6 +11,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Drupal\Component\Utility\Crypt;
 use Drupal\Component\Utility\String;
+use Drupal\Core\Session\AccountInterface;
 
 /**
  * Ensure that when running under HTTPS two session cookies are generated.
@@ -18,6 +19,20 @@
 class SessionHttpsTest extends WebTestBase {
 
   /**
+   * The name of the session cookie when using HTTP.
+   *
+   * @var string
+   */
+  protected $insecureSessionName;
+
+  /**
+   * The name of the session cookie when using HTTPS.
+   *
+   * @var string
+   */
+  protected $secureSessionName;
+
+  /**
    * Modules to enable.
    *
    * @var array
@@ -34,44 +49,36 @@ public static function getInfo() {
 
   public function setUp() {
     parent::setUp();
-    $this->request = Request::createFromGlobals();
-    $this->container->set('request', $this->request);
-  }
 
-  protected function testHttpsSession() {
-    if ($this->request->isSecure()) {
-      $secure_session_name = session_name();
-      $insecure_session_name = substr(session_name(), 1);
+    $request = Request::createFromGlobals();
+    if ($request->isSecure()) {
+      $this->secureSessionName = session_name();
+      $this->insecureSessionName = substr(session_name(), 1);
     }
     else {
-      $secure_session_name = 'S' . session_name();
-      $insecure_session_name = session_name();
+      $this->secureSessionName = 'S' . session_name();
+      $this->insecureSessionName = session_name();
     }
+  }
 
+  protected function testHttpsSession() {
     $user = $this->drupalCreateUser(array('access administration pages'));
 
     // Test HTTPS session handling by altering the form action to submit the
     // login form through https.php, which creates a mock HTTPS request.
-    $this->drupalGet('user');
-    $form = $this->xpath('//form[@id="user-login-form"]');
-    $form[0]['action'] = $this->httpsUrl('user');
-    $edit = array('name' => $user->getUsername(), 'pass' => $user->pass_raw);
-    $this->drupalPostForm(NULL, $edit, t('Log in'));
+    $this->loginHttps($user);
 
     // Test a second concurrent session.
     $this->curlClose();
-    $this->drupalGet('user');
-    $form = $this->xpath('//form[@id="user-login-form"]');
-    $form[0]['action'] = $this->httpsUrl('user');
-    $this->drupalPostForm(NULL, $edit, t('Log in'));
+    $this->loginHttps($user);
 
     // Check secure cookie on secure page.
-    $this->assertTrue($this->cookies[$secure_session_name]['secure'], 'The secure cookie has the secure attribute');
+    $this->assertTrue($this->cookies[$this->secureSessionName]['secure'], 'The secure cookie has the secure attribute');
     // Check insecure cookie is not set.
-    $this->assertFalse(isset($this->cookies[$insecure_session_name]));
-    $ssid = $this->cookies[$secure_session_name]['value'];
+    $this->assertFalse(isset($this->cookies[$this->insecureSessionName]));
+    $ssid = $this->cookies[$this->secureSessionName]['value'];
     $this->assertSessionIds($ssid, $ssid, 'Session has a non-empty SID and a correct secure SID.');
-    $cookie = $secure_session_name . '=' . $ssid;
+    $cookie = $this->secureSessionName . '=' . $ssid;
 
     // Verify that user is logged in on secure URL.
     $this->curlClose();
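Review bot: In the new `setUp()`, `substr(session_name(), 1)` derives the insecure cookie name by dropping the first character without checking that it is the `S` prefix the else-branch adds. If the session name under HTTPS ever lacks that prefix, `$this->insecureSessionName` would be wrong and `assertFalse(isset($this->cookies[$this->insecureSessionName]))` would pass without proving anything. A comment above the branch such as `// The secure cookie name is the insecure name prefixed with 'S'.` would document the convention. `$this->request` is no longer assigned in `setUp()`, so any remaining use outside the visible hunks should be checked. The body of `testHttpsSession()` continues outside this hunk.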
@@ -87,7 +94,7 @@ protected function testHttpsSession() {
 
     // Verify that empty SID cannot be used on the non-secure site.
     $this->curlClose();
-    $cookie = $insecure_session_name . '=';
+    $cookie = $this->insecureSessionName . '=';
     $this->drupalGet($this->httpUrl('admin/config'), array(), array('Cookie: ' . $cookie));
     $this->assertResponse(403);
 
@@ -95,19 +102,15 @@ protected function testHttpsSession() {
     // login form through http.php, which creates a mock HTTP request on HTTPS
     // test environments.
     $this->curlClose();
-    $this->drupalGet('user');
-    $form = $this->xpath('//form[@id="user-login-form"]');
-    $form[0]['action'] = $this->httpUrl('user');
-    $edit = array('name' => $user->getUsername(), 'pass' => $user->pass_raw);
-    $this->drupalPostForm(NULL, $edit, t('Log in'));
+    $this->loginHttp($user);
     $this->drupalGet($this->httpUrl('admin/config'));
     $this->assertResponse(200);
-    $sid = $this->cookies[$insecure_session_name]['value'];
+    $sid = $this->cookies[$this->insecureSessionName]['value'];
     $this->assertSessionIds($sid, '', 'Session has the correct SID and an empty secure SID.');
 
     // Verify that empty secure SID cannot be used on the secure site.
     $this->curlClose();
-    $cookie = $secure_session_name . '=';
+    $cookie = $this->secureSessionName . '=';
     $this->drupalGet($this->httpsUrl('admin/config'), array(), array('Cookie: ' . $cookie));
     $this->assertResponse(403);
 
@@ -119,15 +122,6 @@ protected function testHttpsSession() {
    * Tests sessions in SSL mixed mode.
    */
   protected function testMixedModeSslSession() {
-    if ($this->request->isSecure()) {
-      // The functionality does not make sense when running on HTTPS.
-      return;
-    }
-    else {
-      $secure_session_name = 'S' . session_name();
-      $insecure_session_name = session_name();
-    }
-
     // Enable secure pages.
     $this->settingsSet('mixed_mode_sessions', TRUE);
     // Write that value also into the test settings.php file.
@@ -142,44 +136,38 @@ protected function testMixedModeSslSession() {
     $this->curlClose();
     // Start an anonymous session on the insecure site.
     $session_data = $this->randomName();
-    $this->drupalGet('session-test/set/' . $session_data);
+    $this->drupalGet($this->httpUrl('session-test/set/') . $session_data);
     // Check secure cookie on insecure page.
-    $this->assertFalse(isset($this->cookies[$secure_session_name]), 'The secure cookie is not sent on insecure pages.');
+    $this->assertFalse(isset($this->cookies[$this->secureSessionName]), 'The secure cookie is not sent on insecure pages.');
     // Check insecure cookie on insecure page.
-    $this->assertFalse($this->cookies[$insecure_session_name]['secure'], 'The insecure cookie does not have the secure attribute');
+    $this->assertFalse($this->cookies[$this->insecureSessionName]['secure'], 'The insecure cookie does not have the secure attribute');
 
     // Store the anonymous cookie so we can validate that its session is killed
     // after login.
-    $anonymous_cookie = $insecure_session_name . '=' . $this->cookies[$insecure_session_name]['value'];
+    $anonymous_cookie = $this->insecureSessionName . '=' . $this->cookies[$this->insecureSessionName]['value'];
 
     // Check that password request form action is not secure.
     $this->drupalGet('user/password');
     $form = $this->xpath('//form[@id="user-pass"]');
     $this->assertNotEqual(substr($form[0]['action'], 0, 6), 'https:', 'Password request form action is not secure');
-    $form[0]['action'] = $this->httpsUrl('user');
 
     // Check that user login form action is secure.
     $this->drupalGet('user');
     $form = $this->xpath('//form[@id="user-login-form"]');
     $this->assertEqual(substr($form[0]['action'], 0, 6), 'https:', 'Login form action is secure');
-    $form[0]['action'] = $this->httpsUrl('user');
 
-    $edit = array(
-      'name' => $user->getUsername(),
-      'pass' => $user->pass_raw,
-    );
-    $this->drupalPostForm(NULL, $edit, t('Log in'));
+    $this->loginHttps($user);
     // Check secure cookie on secure page.
-    $this->assertTrue($this->cookies[$secure_session_name]['secure'], 'The secure cookie has the secure attribute');
+    $this->assertTrue($this->cookies[$this->secureSessionName]['secure'], 'The secure cookie has the secure attribute');
     // Check insecure cookie on secure page.
-    $this->assertFalse($this->cookies[$insecure_session_name]['secure'], 'The insecure cookie does not have the secure attribute');
+    $this->assertFalse($this->cookies[$this->insecureSessionName]['secure'], 'The insecure cookie does not have the secure attribute');
 
-    $sid = $this->cookies[$insecure_session_name]['value'];
-    $ssid = $this->cookies[$secure_session_name]['value'];
+    $sid = $this->cookies[$this->insecureSessionName]['value'];
+    $ssid = $this->cookies[$this->secureSessionName]['value'];
     $this->assertSessionIds($sid, $ssid, 'Session has both secure and insecure SIDs');
     $cookies = array(
-      $insecure_session_name . '=' . $sid,
-      $secure_session_name . '=' . $ssid,
+      $this->insecureSessionName . '=' . $sid,
+      $this->secureSessionName . '=' . $ssid,
     );
 
     // Test that session data saved before login is still available on the
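Review bot: The two form-action checks still fetch `user/password` and `user` with a bare `drupalGet()`, while the other insecure requests in this test now go through `httpUrl()`. The early return for HTTPS environments was removed from the top of this method, so on such an environment these two pages would presumably be requested over the runner's real scheme. The 'Password request form action is not secure' assertion would then depend on how the test is run. Consider `$this->drupalGet($this->httpUrl('user/password'));` and `$this->drupalGet($this->httpUrl('user'));` so the scheme under test is explicit. `testMixedModeSslSession()` starts and ends outside this hunk.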
@@ -188,7 +176,7 @@ protected function testMixedModeSslSession() {
     $this->assertText($session_data, 'Session correctly returned the stored data set by the anonymous session.');
 
     foreach ($cookies as $cookie_key => $cookie) {
-      foreach (array('admin/config', $this->httpsUrl('admin/config')) as $url_key => $url) {
+      foreach (array($this->httpUrl('admin/config'), $this->httpsUrl('admin/config')) as $url_key => $url) {
         $this->curlClose();
 
         $this->drupalGet($url, array(), array('Cookie: ' . $cookie));
@@ -216,13 +204,10 @@ protected function testMixedModeSslSession() {
     $this->drupalGet($this->httpsUrl('session-test/set/1'));
 
     // Mock a login to the secure site using the secure session cookie.
-    $this->drupalGet('user');
-    $form = $this->xpath('//form[@id="user-login-form"]');
-    $form[0]['action'] = $this->httpsUrl('user');
-    $this->drupalPostForm(NULL, $edit, t('Log in'));
+    $this->loginHttps($user);
 
     // Test that the user is also authenticated on the insecure site.
-    $this->drupalGet("user/" . $user->id() . "/edit");
+    $this->drupalGet($this->httpUrl("user/" . $user->id() . "/edit"));
     $this->assertResponse(200);
   }
 
@@ -230,15 +215,6 @@ protected function testMixedModeSslSession() {
    * Ensure that a CSRF form token is shared in SSL mixed mode.
    */
   protected function testCsrfTokenWithMixedModeSsl() {
-    if ($this->request->isSecure()) {
-      $secure_session_name = session_name();
-      $insecure_session_name = substr(session_name(), 1);
-    }
-    else {
-      $secure_session_name = 'S' . session_name();
-      $insecure_session_name = session_name();
-    }
-
     // Enable mixed mode SSL.
     $this->settingsSet('mixed_mode_sessions', TRUE);
     // Write that value also into the test settings.php file.
@@ -252,19 +228,16 @@ protected function testCsrfTokenWithMixedModeSsl() {
 
     // Login using the HTTPS user-login form.
     $this->drupalGet('user');
-    $form = $this->xpath('//form[@id="user-login-form"]');
-    $form[0]['action'] = $this->httpsUrl('user');
-    $edit = array('name' => $user->getUsername(), 'pass' => $user->pass_raw);
-    $this->drupalPostForm(NULL, $edit, t('Log in'));
+    $this->loginHttps($user);
 
     // Collect session id cookies.
-    $sid = $this->cookies[$insecure_session_name]['value'];
-    $ssid = $this->cookies[$secure_session_name]['value'];
+    $sid = $this->cookies[$this->insecureSessionName]['value'];
+    $ssid = $this->cookies[$this->secureSessionName]['value'];
     $this->assertSessionIds($sid, $ssid, 'Session has both secure and insecure SIDs');
 
     // Retrieve the form via HTTP.
     $this->curlClose();
-    $this->drupalGet($this->httpUrl('session-test/form'), array(), array('Cookie: ' . $insecure_session_name . '=' . $sid));
+    $this->drupalGet($this->httpUrl('session-test/form'), array(), array('Cookie: ' . $this->insecureSessionName . '=' . $sid));
     $http_token = $this->getFormToken();
 
     // Verify that submitting form values via HTTPS to a form originally
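Review bot: The retained `$this->drupalGet('user');` directly above `$this->loginHttps($user);` is now redundant, because `loginHttps()` fetches the `user` page itself before posting the form. The extra request is harmless for the assertions but adds an anonymous page load whose cookies are not what the test is about, so it can simply be dropped. `testCsrfTokenWithMixedModeSsl()` starts and ends outside this hunk.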
@@ -273,12 +246,12 @@ protected function testCsrfTokenWithMixedModeSsl() {
     $form[0]['action'] = $this->httpsUrl('session-test/form');
     $edit = array('input' => $this->randomName(32));
     $this->curlClose();
-    $this->drupalPostForm(NULL, $edit, 'Save', array('Cookie: ' . $secure_session_name . '=' . $ssid));
+    $this->drupalPostForm(NULL, $edit, 'Save', array('Cookie: ' . $this->secureSessionName . '=' . $ssid));
     $this->assertText(String::format('Ok: @input', array('@input' => $edit['input'])));
 
     // Retrieve the same form via HTTPS.
     $this->curlClose();
-    $this->drupalGet($this->httpsUrl('session-test/form'), array(), array('Cookie: ' . $secure_session_name . '=' . $ssid));
+    $this->drupalGet($this->httpsUrl('session-test/form'), array(), array('Cookie: ' . $this->secureSessionName . '=' . $ssid));
     $https_token = $this->getFormToken();
 
     // Verify that CSRF token values are the same for a form regardless of
@@ -287,6 +260,36 @@ protected function testCsrfTokenWithMixedModeSsl() {
   }
 
   /**
+   * Log in a user via HTTP.
+   *
+   * Note that the parents $session_id and $loggedInUser is not updated.
+   */
+  protected function loginHttp(AccountInterface $account) {
+    // Alter the form action to submit the login form through http.php, which
+    // creates a mock HTTP request on HTTPS test environments.
+    $this->drupalGet('user');
+    $form = $this->xpath('//form[@id="user-login-form"]');
+    $form[0]['action'] = $this->httpUrl('user');
+    $edit = array('name' => $account->getUsername(), 'pass' => $account->pass_raw);
+    $this->drupalPostForm(NULL, $edit, t('Log in'));
+  }
+
+  /**
+   * Log in a user via HTTPS.
+   *
+   * Note that the parents $session_id and $loggedInUser is not updated.
+   */
+  protected function loginHttps(AccountInterface $account) {
+    // Alter the form action to submit the login form through https.php, which
+    // creates a mock HTTPS request on HTTP test environments.
+    $this->drupalGet('user');
+    $form = $this->xpath('//form[@id="user-login-form"]');
+    $form[0]['action'] = $this->httpsUrl('user');
+    $edit = array('name' => $account->getUsername(), 'pass' => $account->pass_raw);
+    $this->drupalPostForm(NULL, $edit, t('Log in'));
+  }
+
+  /**
    * Return the token of the current form.
    */
   protected function getFormToken() {
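Review bot: The docblocks on `loginHttp()` and `loginHttps()` have no `@param` entry, and the note reads more clearly as `Note that the parent's $session_id and $loggedInUser are not updated.` Since that means helpers relying on `$loggedInUser` will not see this login, it is worth saying so explicitly in the description. Both bodies read `$account->pass_raw`, which the `AccountInterface` type hint does not appear to guarantee, so the `@param` text should state that the account must carry the raw password (as the accounts from `drupalCreateUser()` do in these tests). The two methods differ only in `httpUrl()` versus `httpsUrl()`, so a shared private helper taking the form action would remove the duplication.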
@@ -324,12 +327,11 @@ protected function assertSessionIds($sid, $ssid, $assertion_text) {
    *   A Drupal path such as 'user'.
    *
    * @return
-   *   An absolute URL.
+   *   The URL prepared in a way such that the https.php mock front controller
+   *   is used.
    */
   protected function httpsUrl($url) {
-    global $base_url;
-    $this->request->server->set('HTTPS', 'on');
-    return $base_url . '/core/modules/system/tests/https.php/' . $url;
+    return 'core/modules/system/tests/https.php/' . $url;
   }
 
   /**
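Review bot: `httpsUrl()` now returns a path without scheme or host, but the `@return` tag still has no type and the new description does not say the value is relative; the same applies to `httpUrl()` in the next hunk. Suggest `@return string` with a description along the lines of `A site-relative path that routes the request through the https.php mock front controller.` Callers now depend on `drupalGet()` resolving that path against the test site's base URL, so the value is no longer usable where an absolute URL is required. The docblock starts outside this hunk.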
@@ -339,10 +341,11 @@ protected function httpsUrl($url) {
    *   A Drupal path such as 'user'.
    *
    * @return
-   *   An absolute URL.
+   *   The URL prepared in a way such that the http.php mock front controller is
+   *   used.
    */
   protected function httpUrl($url) {
-    global $base_url;
-    return $base_url . '/core/modules/system/tests/http.php/' . $url;
+    return 'core/modules/system/tests/http.php/' . $url;
   }
+
 }
diff --git a/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/EventSubscriber/SessionTestSubscriber.php b/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/EventSubscriber/SessionTestSubscriber.php
index 55225ae..c01f1b4 100644
--- a/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/EventSubscriber/SessionTestSubscriber.php
+++ b/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/EventSubscriber/SessionTestSubscriber.php
@@ -49,12 +49,12 @@ public function onKernelResponseSessionTest(FilterResponseEvent $event) {
     if ($response instanceOf RedirectResponse) {
       // Force the redirection to go to a non-secure page after being on a
       // secure page through https.php.
-      global $base_insecure_url, $is_https_mock;
+      global $is_https_mock;
       // Alter the redirect to use HTTP when using a mock HTTPS request through
       // https.php because form submissions would otherwise redirect to a
       // non-existent HTTPS site.
       if (!empty($is_https_mock)) {
-        $path = $base_insecure_url . '/' . $response->getTargetUrl();
+        $path = str_replace('https://', 'http://', $response->getTargetUrl());
         $response->setTargetUrl($path);
       }
     }
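Review bot: `str_replace('https://', 'http://', $response->getTargetUrl())` rewrites every occurrence of `https://` in the target, including one embedded in a query string such as a destination parameter, not only the leading scheme. Anchoring the replacement limits it to the scheme: `$path = preg_replace('#^https://#', 'http://', $response->getTargetUrl());`. The removed line prepended a base URL to the target, so it is also worth confirming that the target URL is already absolute at this point; a relative target is left unchanged by the new line. `onKernelResponseSessionTest()` starts outside this hunk.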
