From 7014f3da6894bea50c9da26b692aa377849af436 Mon Sep 17 00:00:00 2001
From: osaajani <>
Date: Mon, 29 May 2023 21:53:09 +0200
Subject: [PATCH] clean http_pwd forging
---
descartes/env.php | 46 +++++++++++++++++-----------------------------
1 file changed, 17 insertions(+), 29 deletions(-)
diff --git a/descartes/env.php b/descartes/env.php
index 4ac01a2..c512901 100644
--- a/descartes/env.php
+++ b/descartes/env.php
@@ -5,40 +5,28 @@ * Define Descartes env */ $http_dir_path = '/raspisms'; //Path we need to put after servername in url to access app + $https = $_SERVER['HTTPS'] ?? 0; - if ((isset($_SERVER['HTTPS']) && (($_SERVER['HTTPS'] == 'on') || ($_SERVER['HTTPS'] == '1'))) || (isset($_SERVER['HTTPS']) && $_SERVER['SERVER_PORT'] == 443)) { - // Our server uses HTTPS - $https = true; - $http_proxy = false; - $http_protocol = 'https://'; - } elseif (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' || !empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') { - // We are behind a HTTPS proxy - $https = true; - $http_proxy = true; - $http_protocol = 'https://'; - // Don't bother to advertise port behind a proxy server - } else { - // Standard HTTP - $https = false; - $http_proxy = false; - $http_protocol = 'http://'; - } - - $http_server_name = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : 'localhost'; - - if (!isset($_SERVER['SERVER_PORT']) || ($_SERVER['SERVER_PORT'] == 80 && !$https) || ($_SERVER['SERVER_PORT'] == 443 && $https) || $http_proxy) + // Check for proxy forward + $forwarded_https = ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? $_SERVER['HTTP_FORWARDED_PROTO'] ?? NULL) == 'https'; + $forwarded_ssl = ($_SERVER['HTTP_X_FORWARDED_SSL'] ?? NULL) == 'on'; + $proxy = $forwarded_https || $forwarded_ssl; + + $http_protocol = 'http://'; + if ($https) { - $http_server_port = ''; - } - else - { - $http_server_port = ':' . $_SERVER['SERVER_PORT']; + $http_protocol = 'https://'; } - $pwd = substr(__DIR__, 0, strrpos(__DIR__, '/')); - $http_pwd = $http_protocol . $http_server_name . $http_server_port . $http_dir_path; - + $http_server_name = $_SERVER['SERVER_NAME'] ?? 'localhost'; + // Check port to only set it if not default port + $port = $_SERVER['SERVER_PORT'] ?? ''; + $port = ($port == 80 && !$https) ? '' : $port; + $port = ($port == 443 && $https) ? '' : $port; + $port = $proxy ? 
'' : $port; + $http_server_port = $port ? ':' . $port : ''; + $pwd = substr(__DIR__, 0, strrpos(__DIR__, '/')); $http_pwd = $http_protocol . $http_server_name . $http_server_port . $http_dir_path;
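Review bot: Behind a TLS-terminating proxy the rewritten block now builds `http://` URLs, because `$proxy` only suppresses the port while `$http_protocol` depends solely on `$_SERVER['HTTPS']`; the removed `elseif` branch set `https://` when `X-Forwarded-Proto: https` or `X-Forwarded-Ssl: on` was present. If that change is unintended, the condition should read `if ($https || $proxy)`. Separately, `$https = $_SERVER['HTTPS'] ?? 0;` is truthy for the string `'off'`, which IIS sets on plain-HTTP requests, so keeping the old explicit comparison is safer, e.g. `$https = in_array(strtolower((string) ($_SERVER['HTTPS'] ?? '')), ['on', '1'], true);`. The forwarded headers are client-supplied unless the fronting proxy overwrites them, so they are best honoured only for requests that arrive from a known proxy address, and `$http_pwd` should not be treated as trustworthy for security decisions otherwise.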