Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #2342593 by znerol, grendzy, David_Rothstein: Remove mixed SSL support from core

8.0.x
webchick 2014-12-01 08:26:28 -08:00
parent 602a144323
commit 8d601c74b1
22 changed files with 34 additions and 490 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/core.services.yml
View File

@ -495,7 +495,7 @@ services:
- { name: service_collector, tag: route_filter, call: addRouteFilter }
url_generator:
class: Drupal\Core\Routing\UrlGenerator
arguments: ['@router.route_provider', '@path_processor_manager', '@route_processor_manager', '@config.factory', '@settings', '@logger.channel.default', '@request_stack']
arguments: ['@router.route_provider', '@path_processor_manager', '@route_processor_manager', '@config.factory', '@logger.channel.default', '@request_stack']
calls:
- [setContext, ['@?router.request_context']]
unrouted_url_assembler:

3
core/lib/Drupal/Core/FileTransfer/Form/FileTransferAuthorizeForm.php
View File

@ -52,9 +52,6 @@ class FileTransferAuthorizeForm extends FormBase {
* {@inheritdoc}
*/
public function buildForm(array $form, FormStateInterface $form_state) {
// If possible, we want to post this form securely via HTTPS.
$form['#https'] = TRUE;
// Get all the available ways to transfer files.
if (empty($_SESSION['authorize_filetransfer_info'])) {
drupal_set_message($this->t('Unable to continue, no available methods of file transfer'), 'error');

4
core/lib/Drupal/Core/Form/FormBuilder.php
View File

@ -16,7 +16,6 @@ use Drupal\Core\Access\CsrfTokenGenerator;
use Drupal\Core\DependencyInjection\ClassResolverInterface;
use Drupal\Core\Extension\ModuleHandlerInterface;
use Drupal\Core\Render\Element;
use Drupal\Core\Site\Settings;
use Drupal\Core\Theme\ThemeManagerInterface;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\HttpFoundation\RequestStack;
@ -694,8 +693,7 @@ class FormBuilder implements FormBuilderInterface, FormValidatorInterface, FormS
// Special handling if we're on the top level form element.
if (isset($element['#type']) && $element['#type'] == 'form') {
if (!empty($element['#https']) && Settings::get('mixed_mode_sessions', FALSE) &&
!UrlHelper::isExternal($element['#action'])) {
if (!empty($element['#https']) && !UrlHelper::isExternal($element['#action'])) {
global $base_root;
// Not an external URL so ensure that it is secure.

3
core/lib/Drupal/Core/Link.php
View File

@ -67,8 +67,7 @@ class Link {
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
* and FALSE enforces HTTP.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @return static
*/

19
core/lib/Drupal/Core/Routing/UrlGenerator.php
View File

@ -20,7 +20,6 @@ use Drupal\Component\Utility\UrlHelper;
use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\PathProcessor\OutboundPathProcessorInterface;
use Drupal\Core\RouteProcessor\OutboundRouteProcessorInterface;
use Drupal\Core\Site\Settings;
/**
* Generates URLs from route names and parameters.
@ -48,13 +47,6 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa
*/
protected $routeProcessor;
/**
* Whether both secure and insecure session cookies can be used simultaneously.
*
* @var bool
*/
protected $mixedModeSessions;
/**
* Overrides characters that will not be percent-encoded in the path segment.
*
@ -78,19 +70,16 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa
* The route processor.
* @param \Drupal\Core\Config\ConfigFactoryInterface $config
* The config factory.
* @param \Drupal\Core\Site\Settings $settings
* The read only settings.
* @param \Psr\Log\LoggerInterface $logger
* An optional logger for recording errors.
* @param \Symfony\Component\HttpFoundation\RequestStack $request_stack
* A request stack object.
*/
public function __construct(RouteProviderInterface $provider, OutboundPathProcessorInterface $path_processor, OutboundRouteProcessorInterface $route_processor, ConfigFactoryInterface $config, Settings $settings, LoggerInterface $logger = NULL, RequestStack $request_stack) {
public function __construct(RouteProviderInterface $provider, OutboundPathProcessorInterface $path_processor, OutboundRouteProcessorInterface $route_processor, ConfigFactoryInterface $config, LoggerInterface $logger = NULL, RequestStack $request_stack) {
parent::__construct($provider, $logger);
$this->pathProcessor = $path_processor;
$this->routeProcessor = $route_processor;
$this->mixedModeSessions = $settings->get('mixed_mode_sessions', FALSE);
$allowed_protocols = $config->get('system.filter')->get('protocols') ?: array('http', 'https');
UrlHelper::setAllowedProtocols($allowed_protocols);
$this->requestStack = $request_stack;
@ -190,7 +179,7 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa
// Prepare an absolute URL by getting the correct scheme, host and port from
// the request context.
if (isset($options['https']) && $this->mixedModeSessions) {
if (isset($options['https'])) {
$scheme = $options['https'] ? 'https' : 'http';
}
else {
@ -262,7 +251,7 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa
if ($options['query']) {
$path .= (strpos($path, '?') !== FALSE ? '&' : '?') . UrlHelper::buildQuery($options['query']);
}
if (isset($options['https']) && $this->mixedModeSessions) {
if (isset($options['https'])) {
if ($options['https'] === TRUE) {
$path = str_replace('http://', 'https://', $path);
}
@ -282,7 +271,7 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa
}
// The base_url might be rewritten from the language rewrite in domain mode.
if (!isset($options['base_url'])) {
if (isset($options['https']) && $this->mixedModeSessions) {
if (isset($options['https'])) {
if ($options['https'] === TRUE) {
$options['base_url'] = str_replace('http://', 'https://', $current_base_url);
$options['absolute'] = TRUE;

6
core/lib/Drupal/Core/Routing/UrlGeneratorInterface.php
View File

@ -58,8 +58,7 @@ interface UrlGeneratorInterface extends VersatileGeneratorInterface {
* \Drupal::languageManager()->getCurrentLanguage(LanguageInterface::TYPE_URL).
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can
* only be enforced when the variable 'https' is set to TRUE.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
* - 'base_url': Only used internally, to modify the base URL when a language
* dependent URL requires so.
* - 'prefix': Only used internally, to modify the path when a language
@ -132,8 +131,7 @@ interface UrlGeneratorInterface extends VersatileGeneratorInterface {
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
* and FALSE enforces HTTP.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
* - 'prefix': Only used internally, to modify the path when a language
* dependent URL requires so.
*

103
core/lib/Drupal/Core/Session/SessionHandler.php
View File

@ -78,44 +78,15 @@ class SessionHandler extends AbstractProxy implements \SessionHandlerInterface {
// Handle the case of first time visitors and clients that don't store
// cookies (eg. web crawlers).
$insecure_session_name = $this->sessionManager->getInsecureName();
$cookies = $this->requestStack->getCurrentRequest()->cookies;
if (empty($sid) || (!$cookies->has($this->getName()) && !$cookies->has($insecure_session_name))) {
if (empty($sid) || !$cookies->has($this->getName())) {
$user = new UserSession();
return '';
}
// Otherwise, if the session is still active, we have a record of the
// client's session in the database. If it's HTTPS then we are either have a
// HTTPS session or we are about to log in so we check the sessions table
// for an anonymous session with the non-HTTPS-only cookie. The session ID
// that is in the user's cookie is hashed before being stored in the
// database as a security measure. Thus, we have to hash it to match the
// database.
if ($this->requestStack->getCurrentRequest()->isSecure()) {
// Try to load a session using the HTTPS-only secure session id.
$values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.ssid = :ssid", array(
':ssid' => Crypt::hashBase64($sid),
))->fetchAssoc();
if (!$values) {
// Fallback and try to load the anonymous non-HTTPS session. Use the
// non-HTTPS session id as the key.
if ($cookies->has($insecure_session_name)) {
$insecure_session_id = $cookies->get($insecure_session_name);
$args = array(':sid' => Crypt::hashBase64($insecure_session_id));
$values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.sid = :sid AND s.uid = 0", $args)->fetchAssoc();
if ($values) {
$this->sessionSetObsolete($insecure_session_id);
}
}
}
}
else {
// Try to load a session using the non-HTTPS session id.
$values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.sid = :sid", array(
':sid' => Crypt::hashBase64($sid),
))->fetchAssoc();
}
$values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.sid = :sid", array(
':sid' => Crypt::hashBase64($sid),
))->fetchAssoc();
// We found the client's session record and they are an authenticated,
// active user.
@ -158,42 +129,17 @@ class SessionHandler extends AbstractProxy implements \SessionHandlerInterface {
return TRUE;
}
// Either ssid or sid or both will be added from $key below.
$fields = array(
'uid' => $user->id(),
'hostname' => $this->requestStack->getCurrentRequest()->getClientIP(),
'session' => $value,
'timestamp' => REQUEST_TIME,
);
// Use the session ID as 'sid' and an empty string as 'ssid' by default.
// read() does not allow empty strings so that's a safe default.
$key = array('sid' => Crypt::hashBase64($sid), 'ssid' => '');
// On HTTPS connections, use the session ID as both 'sid' and 'ssid'.
if ($this->requestStack->getCurrentRequest()->isSecure()) {
$key['ssid'] = $key['sid'];
// The "secure pages" setting allows a site to simultaneously use both
// secure and insecure session cookies. If enabled and both cookies
// are presented then use both keys. The session ID from the cookie is
// hashed before being stored in the database as a security measure.
if ($this->sessionManager->isMixedMode()) {
$insecure_session_name = $this->sessionManager->getInsecureName();
$cookies = $this->requestStack->getCurrentRequest()->cookies;
if ($cookies->has($insecure_session_name)) {
$key['sid'] = Crypt::hashBase64($cookies->get($insecure_session_name));
}
}
}
elseif ($this->sessionManager->isMixedMode()) {
unset($key['ssid']);
}
$this->connection->merge('sessions')
->keys($key)
->keys(array('sid' => Crypt::hashBase64($sid)))
->fields($fields)
->execute();
// Remove obsolete sessions.
$this->cleanupObsoleteSessions();
// Likewise, do not update access time more than once per 180 seconds.
if ($user->isAuthenticated() && REQUEST_TIME - $user->getLastAccessedTime() > Settings::get('session_write_interval', 180)) {
/** @var \Drupal\user\UserStorageInterface $storage */
@ -231,10 +177,9 @@ class SessionHandler extends AbstractProxy implements \SessionHandlerInterface {
if (!$this->sessionManager->isEnabled()) {
return TRUE;
}
$is_https = $this->requestStack->getCurrentRequest()->isSecure();
// Delete session data.
$this->connection->delete('sessions')
->condition($is_https ? 'ssid' : 'sid', Crypt::hashBase64($sid))
->condition('sid', Crypt::hashBase64($sid))
->execute();
// Reset $_SESSION and $user to prevent a new session from being started
@ -244,15 +189,6 @@ class SessionHandler extends AbstractProxy implements \SessionHandlerInterface {
// Unset the session cookies.
$this->deleteCookie($this->getName());
if ($is_https) {
$this->deleteCookie($this->sessionManager->getInsecureName(), FALSE);
}
elseif ($this->sessionManager->isMixedMode()) {
$this->deleteCookie('S' . $this->getName(), TRUE);
}
// Remove obsolete sessions.
$this->cleanupObsoleteSessions();
return TRUE;
}
@ -277,37 +213,14 @@ class SessionHandler extends AbstractProxy implements \SessionHandlerInterface {
*
* @param string $name
* Name of session cookie to delete.
* @param bool $secure
* Force the secure value of the cookie.
*/
protected function deleteCookie($name, $secure = NULL) {
protected function deleteCookie($name) {
$cookies = $this->requestStack->getCurrentRequest()->cookies;
if ($cookies->has($name) || (!$this->requestStack->getCurrentRequest()->isSecure() && $secure === TRUE)) {
if ($cookies->has($name)) {
$params = session_get_cookie_params();
if ($secure !== NULL) {
$params['secure'] = $secure;
}
setcookie($name, '', REQUEST_TIME - 3600, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
$cookies->remove($name);
}
}
/**
* Mark a session for garbage collection upon session save.
*/
protected function sessionSetObsolete($sid, $https = FALSE) {
$this->obsoleteSessionIds[$sid] = $https ? 'ssid' : 'sid';
}
/**
* Remove sessions marked for garbage collection.
*/
protected function cleanupObsoleteSessions() {
foreach ($this->obsoleteSessionIds as $sid => $key) {
$this->connection->delete('sessions')
->condition($key, Crypt::hashBase64($sid))
->execute();
}
}
}

83
core/lib/Drupal/Core/Session/SessionManager.php
View File

@ -31,18 +31,10 @@ use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
* necessary to subclass it at all. In order to reach the point where Drupal
* can use the Symfony session management unmodified, the code implemented
* here needs to be extracted either into a dedicated session handler proxy
* (e.g. mixed mode SSL, sid-hashing) or relocated to the authentication
* subsystem.
* (e.g. sid-hashing) or relocated to the authentication subsystem.
*/
class SessionManager extends NativeSessionStorage implements SessionManagerInterface {
/**
* Whether or not the session manager is operating in mixed mode SSL.
*
* @var bool
*/
protected $mixedMode;
/**
* The request stack.
*
@ -100,8 +92,6 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter
parent::__construct($options, $write_check_handler, $metadata_bag);
$this->setMixedMode($settings->get('mixed_mode_sessions', FALSE));
// @todo When not using the Symfony Session object, the list of bags in the
// NativeSessionStorage will remain uninitialized. This will lead to
// errors in NativeSessionHandler::loadSession. Remove this after
@ -121,10 +111,8 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter
return $this->started;
}
$is_https = $this->requestStack->getCurrentRequest()->isSecure();
$cookies = $this->requestStack->getCurrentRequest()->cookies;
$insecure_session_name = $this->getInsecureName();
if (($cookies->has($this->getName()) && ($session_name = $cookies->get($this->getName()))) || ($is_https && $this->isMixedMode() && ($cookies->has($insecure_session_name) && ($session_name = $cookies->get($insecure_session_name))))) {
if ($cookies->get($this->getName())) {
// If a session cookie exists, initialize the session. Otherwise the
// session is only started on demand in save(), making
// anonymous users not use a session cookie unless something is stored in
@ -144,10 +132,6 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter
// default php session id instead of generating a custom one:
// https://www.drupal.org/node/2238561
$this->setId(Crypt::randomBytesBase64());
if ($is_https && $this->isMixedMode()) {
$session_id = Crypt::randomBytesBase64();
$cookies->set($insecure_session_name, $session_id);
}
// Initialize the session global and attach the Symfony session bags.
$_SESSION = array();
@ -214,13 +198,6 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter
// started.
if (!$this->getSaveHandler()->isActive()) {
$this->startNow();
if ($this->requestStack->getCurrentRequest()->isSecure() && $this->isMixedMode()) {
$insecure_session_name = $this->getInsecureName();
$params = session_get_cookie_params();
$expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
$cookie_params = $this->requestStack->getCurrentRequest()->cookies;
setcookie($insecure_session_name, $cookie_params->get($insecure_session_name), $expire, $params['path'], $params['domain'], FALSE, $params['httponly']);
}
}
// Write the session data.
parent::save();
@ -246,22 +223,6 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter
throw new \InvalidArgumentException('The optional parameters $destroy and $lifetime of SessionManager::regenerate() are not supported currently');
}
$is_https = $this->requestStack->getCurrentRequest()->isSecure();
$cookies = $this->requestStack->getCurrentRequest()->cookies;
$insecure_session_id = '';
if ($is_https && $this->isMixedMode()) {
$insecure_session_name = $this->getInsecureName();
$params = session_get_cookie_params();
$insecure_session_id = Crypt::randomBytesBase64();
// If a session cookie lifetime is set, the session will expire
// $params['lifetime'] seconds from the current request. If it is not set,
// it will expire when the browser is closed.
$expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
setcookie($insecure_session_name, $insecure_session_id, $expire, $params['path'], $params['domain'], FALSE, $params['httponly']);
$cookies->set($insecure_session_name, $insecure_session_id);
}
if ($this->isStarted()) {
$old_session_id = $this->getId();
}
@ -273,7 +234,7 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter
$params = session_get_cookie_params();
$expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
setcookie($this->getName(), $this->getId(), $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
$this->migrateStoredSession($old_session_id, $is_https, $insecure_session_id);
$this->migrateStoredSession($old_session_id);
}
if (!$this->isStarted()) {
@ -323,27 +284,6 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter
return $this;
}
/**
* {@inheritdoc}
*/
public function isMixedMode() {
return $this->mixedMode;
}
/**
* {@inheritdoc}
*/
public function setMixedMode($mixed_mode) {
$this->mixedMode = (bool) $mixed_mode;
}
/**
* {@inheritdoc}
*/
public function getInsecureName() {
return substr($this->getName(), 1);
}
/**
* Returns whether the current PHP process runs on CLI.
*
@ -401,25 +341,12 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter
* @param string $old_session_id
* The old session id. The new session id is $this->getId() unless
* $new_insecure_session_id is not empty.
* @param bool $is_https
* Whether this is a HTTPS request.
* @param string $new_insecure_session_id
* If this is a HTTPS request and we are in mixed mode, this is the new
* insecure session id. The secure session id is $this->getId().
*/
protected function migrateStoredSession($old_session_id, $is_https, $new_insecure_session_id) {
protected function migrateStoredSession($old_session_id) {
$fields = array('sid' => Crypt::hashBase64($this->getId()));
if ($is_https) {
$fields['ssid'] = $fields['sid'];
// If the "secure pages" setting is enabled, use the newly-created
// insecure session identifier as the regenerated sid.
if ($this->isMixedMode()) {
$fields['sid'] = Crypt::hashBase64($new_insecure_session_id);
}
}
$this->connection->update('sessions')
->fields($fields)
->condition($is_https ? 'ssid' : 'sid', Crypt::hashBase64($old_session_id))
->condition('sid', Crypt::hashBase64($old_session_id))
->execute();
}

24
core/lib/Drupal/Core/Session/SessionManagerInterface.php
View File

@ -50,28 +50,4 @@ interface SessionManagerInterface extends SessionStorageInterface {
*/
public function enable();
/**
* Returns whether mixed mode SSL sessions are enabled in the session manager.
*
* @return bool
* Value of the mixed mode SSL sessions flag.
*/
public function isMixedMode();
/**
* Enables or disables mixed mode SSL sessions in the session manager.
*
* @param bool $mixed_mode
* New value for the mixed mode SSL sessions flag.
*/
public function setMixedMode($mixed_mode);
/**
* Returns the name of the insecure session when operating in mixed mode SSL.
*
* @return string
* The name of the insecure session.
*/
public function getInsecureName();
}

9
core/lib/Drupal/Core/Url.php
View File

@ -120,8 +120,7 @@ class Url {
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
* and FALSE enforces HTTP.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @see static::fromRoute()
* @see static::fromUri()
@ -161,8 +160,7 @@ class Url {
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
* and FALSE enforces HTTP.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @return \Drupal\Core\Url
* A new Url object for a routed (internal to Drupal) URL.
@ -216,8 +214,7 @@ class Url {
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
* and FALSE enforces HTTP.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @return \Drupal\Core\Url
* A new Url object for an unrouted (non-Drupal) URL.

3
core/lib/Drupal/Core/Utility/UnroutedUrlAssemblerInterface.php
View File

@ -44,8 +44,7 @@ interface UnroutedUrlAssemblerInterface {
* displayed outside the site, such as in an RSS feed.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can
* only be enforced when the variable 'https' is set to TRUE.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @return
* A string containing a relative or absolute URL.

15
core/modules/language/src/HttpKernel/PathProcessorLanguage.php
View File

@ -11,7 +11,6 @@ use Drupal\Component\Utility\Unicode;
use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\PathProcessor\InboundPathProcessorInterface;
use Drupal\Core\PathProcessor\OutboundPathProcessorInterface;
use Drupal\Core\Site\Settings;
use Drupal\language\ConfigurableLanguageManagerInterface;
use Drupal\language\LanguageNegotiatorInterface;
use Symfony\Component\HttpFoundation\Request;
@ -29,13 +28,6 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa
*/
protected $config;
/**
* Whether both secure and insecure session cookies can be used simultaneously.
*
* @var bool
*/
protected $mixedModeSessions;
/**
* Language manager for retrieving the url language type.
*
@ -69,8 +61,6 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa
*
* @param \Drupal\Core\Config\ConfigFactoryInterface $config
* A config factory object for retrieving configuration settings.
* @param \Drupal\Core\Site\Settings $settings
* The settings instance.
* @param \Drupal\language\ConfigurableLanguageManagerInterface $language_manager
* The configurable language manager.
* @param \Drupal\language\LanguageNegotiatorInterface
@ -78,9 +68,8 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa
* @param \Drupal\Core\Session\AccountInterface $current_user
* The current active user.
*/
public function __construct(ConfigFactoryInterface $config, Settings $settings, ConfigurableLanguageManagerInterface $language_manager, LanguageNegotiatorInterface $negotiator, AccountInterface $current_user) {
public function __construct(ConfigFactoryInterface $config, ConfigurableLanguageManagerInterface $language_manager, LanguageNegotiatorInterface $negotiator, AccountInterface $current_user) {
$this->config = $config;
$this->mixedModeSessions = $settings->get('mixed_mode_sessions', FALSE);
$this->languageManager = $language_manager;
$this->negotiator = $negotiator;
$this->negotiator->setCurrentUser($current_user);
@ -115,8 +104,6 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa
if (!isset($this->processors[$scope])) {
$this->initProcessors($scope);
}
// Execute outbound language processors.
$options['mixed_mode_sessions'] = $this->mixedModeSessions;
foreach ($this->processors[$scope] as $instance) {
$path = $instance->processOutbound($path, $options, $request);
}

1
core/modules/language/src/LanguageServiceProvider.php
View File

@ -37,7 +37,6 @@ class LanguageServiceProvider extends ServiceProviderBase {
->addTag('path_processor_inbound', array('priority' => 300))
->addTag('path_processor_outbound', array('priority' => 100))
->addArgument(new Reference('config.factory'))
->addArgument(new Reference('settings'))
->addArgument(new Reference('language_manager'))
->addArgument(new Reference('language_negotiator'))
->addArgument(new Reference('current_user'));

2
core/modules/language/src/Plugin/LanguageNegotiation/LanguageNegotiationUrl.php
View File

@ -169,7 +169,7 @@ class LanguageNegotiationUrl extends LanguageNegotiationMethodBase implements In
$options['base_url'] .= ':' . $port;
}
if (isset($options['https']) && !empty($options['mixed_mode_sessions'])) {
if (isset($options['https'])) {
if ($options['https'] === TRUE) {
$options['base_url'] = str_replace('http://', 'https://', $options['base_url']);
}

4
core/modules/language/src/Tests/LanguageUILanguageNegotiationTest.php
View File

@ -468,13 +468,9 @@ class LanguageUILanguageNegotiationTest extends WebTestBase {
$this->assertEqual($italian_url, $correct_link, format_string('The _url() function returns the right URL (@url) in accordance with the chosen language', array('@url' => $italian_url)));
// Test HTTPS via options.
$this->settingsSet('mixed_mode_sessions', TRUE);
$this->rebuildContainer();
$italian_url = _url('admin', array('https' => TRUE, 'language' => $languages['it'], 'script' => ''));
$correct_link = 'https://' . $link;
$this->assertTrue($italian_url == $correct_link, format_string('The _url() function returns the right HTTPS URL (via options) (@url) in accordance with the chosen language', array('@url' => $italian_url)));
$this->settingsSet('mixed_mode_sessions', FALSE);
// Test HTTPS via current URL scheme.
$request = Request::create('', 'GET', array(), array(), array(), array('HTTPS' => 'on'));

192
core/modules/system/src/Tests/Session/SessionHttpsTest.php
View File

@ -64,7 +64,7 @@ class SessionHttpsTest extends WebTestBase {
// Check insecure cookie is not set.
$this->assertFalse(isset($this->cookies[$insecure_session_name]));
$ssid = $this->cookies[$secure_session_name]['value'];
$this->assertSessionIds($ssid, $ssid, 'Session has a non-empty SID and a correct secure SID.');
$this->assertSessionIds($ssid, 'Session has a non-empty SID and a correct secure SID.');
$cookie = $secure_session_name . '=' . $ssid;
// Verify that user is logged in on secure URL.
@ -109,196 +109,11 @@ class SessionHttpsTest extends WebTestBase {
$this->cookies = array();
}
/**
* Tests sessions in SSL mixed mode.
*/
protected function testMixedModeSslSession() {
if ($this->request->isSecure()) {
// The functionality does not make sense when running on HTTPS.
return;
}
else {
$secure_session_name = 'S' . $this->getSessionName();
$insecure_session_name = $this->getSessionName();
}
// Enable secure pages.
$this->settingsSet('mixed_mode_sessions', TRUE);
// Write that value also into the test settings.php file.
$settings['settings']['mixed_mode_sessions'] = (object) array(
'value' => TRUE,
'required' => TRUE,
);
$this->writeSettings($settings);
$user = $this->drupalCreateUser(array('access administration pages'));
$this->curlClose();
// Start an anonymous session on the insecure site.
$session_data = $this->randomMachineName();
$this->drupalGet('session-test/set/' . $session_data);
// Check secure cookie on insecure page.
$this->assertFalse(isset($this->cookies[$secure_session_name]), 'The secure cookie is not sent on insecure pages.');
// Check insecure cookie on insecure page.
$this->assertFalse($this->cookies[$insecure_session_name]['secure'], 'The insecure cookie does not have the secure attribute');
// Store the anonymous cookie so we can validate that its session is killed
// after login.
$anonymous_cookie = $insecure_session_name . '=' . $this->cookies[$insecure_session_name]['value'];
// Check that password request form action is not secure.
$this->drupalGet('user/password');
$form = $this->xpath('//form[@id="user-pass"]');
$this->assertNotEqual(substr($form[0]['action'], 0, 6), 'https:', 'Password request form action is not secure');
$form[0]['action'] = $this->httpsUrl('user/login');
// Check that user login form action is secure.
$this->drupalGet('user/login');
$form = $this->xpath('//form[@id="user-login-form"]');
$this->assertEqual(substr($form[0]['action'], 0, 6), 'https:', 'Login form action is secure');
$form[0]['action'] = $this->httpsUrl('user/login');
$edit = array(
'name' => $user->getUsername(),
'pass' => $user->pass_raw,
);
$this->drupalPostForm(NULL, $edit, t('Log in'));
// Check secure cookie on secure page.
$this->assertTrue($this->cookies[$secure_session_name]['secure'], 'The secure cookie has the secure attribute');
// Check insecure cookie on secure page.
$this->assertFalse($this->cookies[$insecure_session_name]['secure'], 'The insecure cookie does not have the secure attribute');
$sid = $this->cookies[$insecure_session_name]['value'];
$ssid = $this->cookies[$secure_session_name]['value'];
$this->assertSessionIds($sid, $ssid, 'Session has both secure and insecure SIDs');
$cookies = array(
'http' => $insecure_session_name . '=' . $sid,
'https' => $secure_session_name . '=' . $ssid,
);
// Test that session data saved before login is still available on the
// authenticated session.
$this->drupalGet('session-test/get');
$this->assertText($session_data, 'Session correctly returned the stored data set by the anonymous session.');
foreach ($cookies as $cookie_key => $cookie) {
foreach (array('http' => 'admin/config', 'https' => $this->httpsUrl('admin/config')) as $url_key => $url) {
$this->curlClose();
// The HTTPS setting needs to be set correctly on the request for the
// URL generator to work.
$this->request->server->set('HTTPS', $url_key == 'https' ? 'on' : 'off');
$this->drupalGet($url, array(), array('Cookie: ' . $cookie));
if ($cookie_key == $url_key) {
$this->assertText(t('Configuration'));
$this->assertResponse(200);
}
else {
$this->assertNoText(t('Configuration'));
$this->assertResponse(403);
}
}
}
// Test that session data saved before login is not available using the
// pre-login anonymous cookie.
$this->cookies = array();
$this->drupalGet('session-test/get', array(), array('Cookie: ' . $anonymous_cookie));
$this->assertNoText($session_data, 'Initial anonymous session is inactive after login.');
// Clear browser cookie jar.
$this->cookies = array();
// Start an anonymous session on the secure site.
$this->drupalGet($this->httpsUrl('session-test/set/1'));
// Mock a login to the secure site using the secure session cookie.
$this->drupalGet('user/login');
$form = $this->xpath('//form[@id="user-login-form"]');
$form[0]['action'] = $this->httpsUrl('user/login');
$this->drupalPostForm(NULL, $edit, t('Log in'));
// Test that the user is also authenticated on the insecure site.
$this->drupalGet("user/" . $user->id() . "/edit");
$this->assertResponse(200);
}
/**
* Ensure that a CSRF form token is shared in SSL mixed mode.
*/
protected function testCsrfTokenWithMixedModeSsl() {
if ($this->request->isSecure()) {
$secure_session_name = $this->getSessionName();
$insecure_session_name = substr($this->getSessionName(), 1);
}
else {
$secure_session_name = 'S' . $this->getSessionName();
$insecure_session_name = $this->getSessionName();
}
// Enable mixed mode SSL.
$this->settingsSet('mixed_mode_sessions', TRUE);
// Write that value also into the test settings.php file.
$settings['settings']['mixed_mode_sessions'] = (object) array(
'value' => TRUE,
'required' => TRUE,
);
$this->writeSettings($settings);
$user = $this->drupalCreateUser(array('access administration pages'));
// Login using the HTTPS user-login form.
$this->drupalGet('user/login');
$form = $this->xpath('//form[@id="user-login-form"]');
$form[0]['action'] = $this->httpsUrl('user/login');
$edit = array('name' => $user->getUsername(), 'pass' => $user->pass_raw);
$this->drupalPostForm(NULL, $edit, t('Log in'));
// Collect session id cookies.
$sid = $this->cookies[$insecure_session_name]['value'];
$ssid = $this->cookies[$secure_session_name]['value'];
$this->assertSessionIds($sid, $ssid, 'Session has both secure and insecure SIDs');
// Retrieve the form via HTTP.
$this->curlClose();
$this->drupalGet($this->httpUrl('session-test/form'), array(), array('Cookie: ' . $insecure_session_name . '=' . $sid));
$http_token = $this->getFormToken();
// Verify that submitting form values via HTTPS to a form originally
// retrieved over HTTP works.
$form = $this->xpath('//form[@id="session-test-form"]');
$form[0]['action'] = $this->httpsUrl('session-test/form');
$edit = array('input' => $this->randomMachineName(32));
$this->curlClose();
$this->drupalPostForm(NULL, $edit, 'Save', array('Cookie: ' . $secure_session_name . '=' . $ssid));
$this->assertText(String::format('Ok: @input', array('@input' => $edit['input'])));
// Retrieve the same form via HTTPS.
$this->curlClose();
$this->drupalGet($this->httpsUrl('session-test/form'), array(), array('Cookie: ' . $secure_session_name . '=' . $ssid));
$https_token = $this->getFormToken();
// Verify that CSRF token values are the same for a form regardless of
// whether it was accessed via HTTP or HTTPS when SSL mixed mode is enabled.
$this->assertEqual($http_token, $https_token, 'Form token is the same on HTTP as well as HTTPS form');
}
/**
* Return the token of the current form.
*/
protected function getFormToken() {
$token_fields = $this->xpath('//input[@name="form_token"]');
$this->assertEqual(count($token_fields), 1, 'One form token field on the page');
return (string) $token_fields[0]['value'];
}
/**
* Test that there exists a session with two specific session IDs.
*
* @param $sid
* The insecure session ID to search for.
* @param $ssid
* The secure session ID to search for.
* @param $assertion_text
* The text to display when we perform the assertion.
*
@ -306,12 +121,11 @@ class SessionHttpsTest extends WebTestBase {
* The result of assertTrue() that there's a session in the system that
* has the given insecure and secure session IDs.
*/
protected function assertSessionIds($sid, $ssid, $assertion_text) {
protected function assertSessionIds($sid, $assertion_text) {
$args = array(
':sid' => Crypt::hashBase64($sid),
':ssid' => !empty($ssid) ? Crypt::hashBase64($ssid) : '',
);
return $this->assertTrue(db_query('SELECT timestamp FROM {sessions} WHERE sid = :sid AND ssid = :ssid', $args)->fetchField(), $assertion_text);
return $this->assertTrue(db_query('SELECT timestamp FROM {sessions} WHERE sid = :sid', $args)->fetchField(), $assertion_text);
}
/**

9
core/modules/system/system.install
View File

@ -924,13 +924,6 @@ function system_schema() {
'length' => 128,
'not null' => TRUE,
),
'ssid' => array(
'description' => "Secure session ID (hashed). The value is generated by Drupal's session handlers.",
'type' => 'varchar',
'length' => 128,
'not null' => TRUE,
'default' => '',
),
'hostname' => array(
'description' => 'The IP address that last used this session ID (sid).',
'type' => 'varchar',
@ -953,12 +946,10 @@ function system_schema() {
),
'primary key' => array(
'sid',
'ssid',
),
'indexes' => array(
'timestamp' => array('timestamp'),
'uid' => array('uid'),
'ssid' => array('ssid'),
),
'foreign keys' => array(
'session_user' => array(

2
core/modules/system/system.module
View File

@ -432,8 +432,6 @@ function system_authorized_init($callback, $file, $arguments = array(), $page_ti
*/
function system_authorized_get_url(array $options = array()) {
global $base_url;
// Force HTTPS if available, regardless of what the caller specifies.
$options['https'] = TRUE;
// Prefix with $base_url so url() treats it as an external link.
$url = Url::fromUri('base://core/authorize.php');
$url_options = $url->getOptions();

7
core/modules/system/tests/modules/session_test/session_test.module
View File

@ -10,10 +10,3 @@ function session_test_user_login($account) {
exit;
}
}
/**
* Implements hook_form_FORM_ID_alter().
*/
function session_test_form_user_login_form_alter(&$form) {
$form['#https'] = TRUE;
}

3
core/tests/Drupal/Tests/Core/PathProcessor/PathProcessorTest.php
View File

@ -13,7 +13,6 @@ use Drupal\Core\PathProcessor\PathProcessorAlias;
use Drupal\Core\PathProcessor\PathProcessorDecode;
use Drupal\Core\PathProcessor\PathProcessorFront;
use Drupal\Core\PathProcessor\PathProcessorManager;
use Drupal\Core\Site\Settings;
use Drupal\language\HttpKernel\PathProcessorLanguage;
use Drupal\language\Plugin\LanguageNegotiation\LanguageNegotiationUrl;
use Symfony\Component\HttpFoundation\Request;
@ -151,7 +150,7 @@ class PathProcessorTest extends UnitTestCase {
$alias_processor = new PathProcessorAlias($alias_manager);
$decode_processor = new PathProcessorDecode();
$front_processor = new PathProcessorFront($config_factory_stub);
$language_processor = new PathProcessorLanguage($config_factory_stub, new Settings(array()), $this->languageManager, $negotiator, $current_user);
$language_processor = new PathProcessorLanguage($config_factory_stub, $this->languageManager, $negotiator, $current_user);
// First, test the processor manager with the processors in the incorrect
// order. The alias processor will run before the language processor, meaning

22
core/tests/Drupal/Tests/Core/Routing/UrlGeneratorTest.php
View File

@ -11,7 +11,6 @@ use Drupal\Core\PathProcessor\PathProcessorAlias;
use Drupal\Core\PathProcessor\PathProcessorManager;
use Drupal\Core\Routing\RequestContext;
use Drupal\Core\Routing\UrlGenerator;
use Drupal\Core\Site\Settings;
use Drupal\Tests\UnitTestCase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
@ -32,13 +31,6 @@ class UrlGeneratorTest extends UnitTestCase {
*/
protected $generator;
/**
* A second url generator to test, set to assume mixed-mode sessions.
*
* @var \Drupal\Core\Routing\UrlGenerator
*/
protected $generatorMixedMode;
/**
* The alias manager.
*
@ -137,14 +129,9 @@ class UrlGeneratorTest extends UnitTestCase {
$config_factory_stub = $this->getConfigFactoryStub(array('system.filter' => array('protocols' => array('http', 'https'))));
$generator = new UrlGenerator($provider, $processor_manager, $this->routeProcessorManager, $config_factory_stub, new Settings(array()), NULL, $this->requestStack);
$generator = new UrlGenerator($provider, $processor_manager, $this->routeProcessorManager, $config_factory_stub, NULL, $this->requestStack);
$generator->setContext($context);
$this->generator = $generator;
// Second generator for mixed-mode sessions.
$generator = new UrlGenerator($provider, $processor_manager, $this->routeProcessorManager, $config_factory_stub, new Settings(array('mixed_mode_sessions' => TRUE)), NULL, $this->requestStack);
$generator->setContext($context);
$this->generatorMixedMode = $generator;
}
/**
@ -310,17 +297,12 @@ class UrlGeneratorTest extends UnitTestCase {
$url = $this->generator->generate('test_4', array(), TRUE);
$this->assertEquals('https://localhost/test/four', $url);
$this->routeProcessorManager->expects($this->exactly(2))
$this->routeProcessorManager->expects($this->exactly(1))
->method('processOutbound')
->with($this->anything());
$options = array('absolute' => TRUE, 'https' => TRUE);
// Mixed-mode sessions are not enabled, so the https option is ignored.
$url = $this->generator->generateFromRoute('test_1', array(), $options);
$this->assertEquals('http://localhost/hello/world', $url);
// Mixed-mode sessions are enabled, so the https option is obeyed.
$url = $this->generatorMixedMode->generateFromRoute('test_1', array(), $options);
$this->assertEquals('https://localhost/hello/world', $url);
}

8
sites/default/default.settings.php
View File

@ -413,14 +413,6 @@ if ($settings['hash_salt']) {
*/
# $settings['allow_authorize_operations'] = FALSE;
/**
* Mixed-mode sessions:
*
* Set to TRUE to create both secure and insecure sessions when using HTTPS.
* Defaults to FALSE.
*/
# $settings['mixed_mode_sessions'] = TRUE;
/**
* Default mode for for directories and files written by Drupal.
*