check if client-presented URL scheme is different from one configured in SELF_URL_PATH

1 year ago · e6a875b7e4
3 changed files with 30 additions and 8 deletions
--- a/classes/errors.php
+++ b/classes/errors.php
@ -5,8 +5,9 @@ class Errors {
 	const E_UNKNOWN_METHOD = "E_UNKNOWN_METHOD";
 	const E_UNKNOWN_PLUGIN = "E_UNKNOWN_PLUGIN";
 	const E_SCHEMA_MISMATCH = "E_SCHEMA_MISMATCH";
+	const E_URL_SCHEME_MISMATCH = "E_URL_SCHEME_MISMATCH";

-	static function to_json(string $code) {
-		return json_encode(["error" => ["code" => $code]]);
+	static function to_json(string $code, array $params = []) {
+		return json_encode(["error" => ["code" => $code, "params" => $params]]);
 	}
 }
--- a/classes/rpc.php
+++ b/classes/rpc.php
@ -168,10 +168,21 @@ class RPC extends Handler_Protected {
 		$_SESSION["hasSandbox"] = clean($_REQUEST["hasSandbox"]) === "true";
 		$_SESSION["clientTzOffset"] = clean($_REQUEST["clientTzOffset"]);

+		$client_location = $_REQUEST["clientLocation"];
+
 		$error = Errors::E_SUCCESS;
+		$error_params = [];
+
+		$client_scheme = parse_url($client_location, PHP_URL_SCHEME);
+		$server_scheme = parse_url(get_self_url_prefix(), PHP_URL_SCHEME);

 		if (get_schema_version() != SCHEMA_VERSION) {
 			$error = Errors::E_SCHEMA_MISMATCH;
+		} else if ($client_scheme != $server_scheme) {
+			$error = Errors::E_URL_SCHEME_MISMATCH;
+			$error_params["client_scheme"] = $client_scheme;
+			$error_params["server_scheme"] = $server_scheme;
+			$error_params["self_url_path"] = get_self_url_prefix();
 		}

 		if ($error == Errors::E_SUCCESS) {
@ -183,7 +194,7 @@ class RPC extends Handler_Protected {

 			print json_encode($reply);
 		} else {
-			print Errors::to_json($error);
+			print Errors::to_json($error, $error_params);
 		}
 	}

--- a/js/App.js
+++ b/js/App.js
@ -418,7 +418,7 @@ const App = {

         if (error && error.code && error.code != App.Error.E_SUCCESS) {
            console.warn("handleRpcJson: fatal error", error);
-            this.Error.fatal(error.code);
+            this.Error.fatal(error.code, error.params);
            return false;
         }

@ -547,6 +547,7 @@ const App = {
      E_SUCCESS: "E_SUCCESS",
      E_UNAUTHORIZED: "E_UNAUTHORIZED",
      E_SCHEMA_MISMATCH: "E_SCHEMA_MISMATCH",
+      E_URL_SCHEME_MISMATCH: "E_URL_SCHEME_MISMATCH",
 		fatal: function (error, params = {}) {
         if (error == App.Error.E_UNAUTHORIZED) {
            window.location.href = "index.php";
@ -554,9 +555,14 @@ const App = {
         } else if (error == App.Error.E_SCHEMA_MISMATCH) {
            window.location.href = "public.php?op=dbupdate";
            return;
+         } else if (error == App.Error.E_URL_SCHEME_MISMATCH) {
+            params.description = __("URL scheme reported by your browser (%a) doesn't match server-configured SELF_URL_PATH (%b), check X-Forwarded-Proto.")
+               .replace("%a", params.client_scheme)
+               .replace("%b", params.server_scheme);
+            params.info = `SELF_URL_PATH: ${params.self_url_path}\nCLIENT_LOCATION: ${document.location.href}`
         }

-			return this.report(__("Fatal error: %s").replace("%s", error),
+			return this.report(error,
 				{...{title: __("Fatal error")}, ...params});
 		},
 		report: function(error, params = {}) {
@ -587,10 +593,13 @@ const App = {
               <div class='exception-contents'>
                  <h3>${message}</h3>

-                  <header>${__('Stack trace')}</header>
+                  ${params.description ? `<p>${params.description}</p>` : ''}
+
+                  ${error.stack ?
+                  `<header>${__('Stack trace')}</header>
                  <section>
                     <textarea readonly='readonly'>${error.stack}</textarea>
-                  </section>
+                  </section>` : ''}

                  ${params && params.info ?
                     `
@ -650,7 +659,8 @@ const App = {
            op: "rpc",
            method: "sanityCheck",
            clientTzOffset: new Date().getTimezoneOffset() * 60,
-            hasSandbox: "sandbox" in document.createElement("iframe")
+            hasSandbox: "sandbox" in document.createElement("iframe"),
+            clientLocation: window.location.href
         };

         xhr.json("backend.php", params, (reply) => {