CodeExplorer
You are a developer and looking for Shopware projects?
Apply Now!
isSecure example
$nonce = base64_encode(random_bytes(8));
$event->getRequest()->attributes->set(PlatformRequest::ATTRIBUTE_CSP_NONCE, $nonce);
}
public function setSecurityHeaders(ResponseEvent $event): void
{
if (!$event->getResponse()->isSuccessful()) {
return;
}
$response = $event->getResponse();
if ($event->getRequest()->isSecure()) {
$response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
}
$response->headers->set('X-Frame-Options', 'deny');
$response->headers->set('X-Content-Type-Options', 'nosniff');
$response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
$cspTemplate = $this->cspTemplates['default'] ?? '';
$scopes = $event->getRequest()->attributes->get(PlatformRequest::ATTRIBUTE_ROUTE_SCOPE, []);
foreach ($scopes as $scope) {
$event->getRequest()->attributes->set(PlatformRequest::ATTRIBUTE_CSP_NONCE, $nonce);
}
public function setSecurityHeaders(ResponseEvent $event): void
{
if (!$event->getResponse()->isSuccessful()) {
return;
}
$response = $event->getResponse();
if ($event->getRequest()->isSecure()) {
$response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
}
$response->headers->set('X-Frame-Options', 'deny');
$response->headers->set('X-Content-Type-Options', 'nosniff');
$response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
$cspTemplate = $this->cspTemplates['default'] ?? '';
$scopes = $event->getRequest()->attributes->get(PlatformRequest::ATTRIBUTE_ROUTE_SCOPE, []);
foreach ($scopes as $scope) {
use Shopware\Components\Routing\PostFilterInterface;
class FrontendPostFilter implements PostFilterInterface
{
/** * {@inheritdoc} */
public function postFilter($url, Context $context)
{
$params = $context->getParams();
if ($this->isFullPath($params)) {
$url = ($context->isSecure() ? 'https://' : 'http://')
. $context->getHost()
. $context->getBaseUrl()
. '/' . $url;
}
return $url;
}
/** * @return bool */
class FrontendPostFilter implements PostFilterInterface
{
/** * {@inheritdoc} */
public function postFilter($url, Context $context)
{
$params = $context->getParams();
if ($this->isFullPath($params)) {
$url = ($context->isSecure() ? 'https://' : 'http://')
. $context->getHost()
. $context->getBaseUrl()
. '/' . $url;
}
return $url;
}
/** * @return bool */
return $request->getBasePath();
}
public function isSecure(): bool
{
if (!$request = $this->requestStack->getMainRequest()) {
return $this->secure;
}
return $request->isSecure();
}
}
protected function configure()
{
ini_set('session.name', $this->config->cookieName);
$sameSite = $this->cookie->getSameSite() ?: ucfirst(Cookie::SAMESITE_LAX);
$params = [
'lifetime' => $this->config->expiration,
'path' => $this->cookie->getPath(),
'domain' => $this->cookie->getDomain(),
'secure' => $this->cookie->isSecure(),
'httponly' => true, // HTTP only; Yes, this is intentional and not configurable for security reasons. 'samesite' => $sameSite,
];
ini_set('session.cookie_samesite', $sameSite);
session_set_cookie_params($params);
if ($this->config->expiration > 0) {
ini_set('session.gc_maxlifetime', (string) $this->config->expiration);
}
private function createFallbackMediaUrl()
{
$request = $this->container->get('front')->Request();
if ($request && $request->getHttpHost()) {
return ($request->isSecure() ? 'https' : 'http') . '://' . $request->getHttpHost() . $request->getBasePath() . '/';
}
if ($this->container->initialized('shop')) {
$shop = $this->container->get('shop');
} else {
$shop = $this->container->get(ModelManager::class)->getRepository(Shop::class)->getActiveDefault();
}
if ($shop->getMain()) {
$shop = $shop->getMain();
}
public function getPluginInformation(Response $response, Request $request)
{
if (!$this->isPluginsSubscriptionCookieValid($request)) {
return false;
}
try {
$cookie = new Cookie('lastCheckSubscriptionDate', date('dmY'), time() + 60 * 60 * 24, '/', null, $request->isSecure());
$response->headers->setCookie($cookie);
return $this->getPluginInformationFromApi();
} catch (ShopSecretException $e) {
$this->exception = $e;
$this->resetShopSecret();
return false;
} catch (Exception $e) {
$this->exception = $e;
$data['vars']['post'][esc($name)] = is_array($value) ? '<pre>' . esc(print_r($value, true)) . '</pre>' : esc($value);
}
foreach ($request->headers() as $header) {
$data['vars']['headers'][esc($header->getName())] = esc($header->getValueLine());
}
foreach ($request->getCookie() as $name => $value) {
$data['vars']['cookies'][esc($name)] = esc($value);
}
$data['vars']['request'] = ($request->isSecure() ? 'HTTPS' : 'HTTP') . '/' . $request->getProtocolVersion();
$data['vars']['response'] = [
'statusCode' => $response->getStatusCode(),
'reason' => esc($response->getReasonPhrase()),
'contentType' => esc($response->getHeaderLine('content-type')),
'headers' => [],
];
foreach ($response->headers() as $header) {
$data['vars']['response']['headers'][esc($header->getName())] = esc($header->getValueLine());
}
}
foreach ($request->headers() as $header) {
$data['vars']['headers'][esc($header->getName())] = esc($header->getValueLine());
}
foreach ($request->getCookie() as $name => $value) {
$data['vars']['cookies'][esc($name)] = esc($value);
}
$data['vars']['request'] = ($request->isSecure() ? 'HTTPS' : 'HTTP') . '/' . $request->getProtocolVersion();
$data['vars']['response'] = [
'statusCode' => $response->getStatusCode(),
'reason' => esc($response->getReasonPhrase()),
'contentType' => esc($response->getHeaderLine('content-type')),
'headers' => [],
];
foreach ($response->headers() as $header) {
$data['vars']['response']['headers'][esc($header->getName())] = esc($header->getValueLine());
}
/**
* {@inheritdoc}
*/
public function buildForm(array $form, FormStateInterface $form_state) {
// Get all the available ways to transfer files. $available_backends = $this->getRequest()->getSession()->get('authorize_filetransfer_info', []);
if (empty($available_backends)) {
$this->messenger()->addError($this->t('Unable to continue, no available methods of file transfer'));
return [];
}
if (!$this->getRequest()->isSecure()) {
$form['information']['https_warning'] = [
'#prefix' => '<div class="messages messages--error">',
'#markup' => $this->t('WARNING: You are not using an encrypted connection, so your password will be sent in plain text. <a href=":https-link">Learn more</a>.', [':https-link' => 'https://www.drupal.org/https-information']),
'#suffix' => '</div>',
];
}
// Decide on a default backend. $authorize_filetransfer_default = $form_state->getValue(['connection_settings', 'authorize_filetransfer_default']);
if (!$authorize_filetransfer_default) {
$authorize_filetransfer_default = key($available_backends);
}
public function buildForm(array $form, FormStateInterface $form_state) {
// Get all the available ways to transfer files. $available_backends = $this->getRequest()->getSession()->get('authorize_filetransfer_info', []);
if (empty($available_backends)) {
$this->messenger()->addError($this->t('Unable to continue, no available methods of file transfer'));
return [];
}
if (!$this->getRequest()->isSecure()) {
$form['information']['https_warning'] = [
'#prefix' => '<div class="messages messages--error">',
'#markup' => $this->t('WARNING: You are not using an encrypted connection, so your password will be sent in plain text. <a href=":https-link">Learn more</a>.', [':https-link' => 'https://www.drupal.org/https-information']),
'#suffix' => '</div>',
];
}
// Decide on a default backend. $authorize_filetransfer_default = $form_state->getValue(['connection_settings', 'authorize_filetransfer_default']);
if (!$authorize_filetransfer_default) {
$authorize_filetransfer_default = key($available_backends);
}
return;
}
if ($restoreData) {
$controller->Response()->headers->setCookie(
new Cookie(
$restoreData->getSessionName(),
$restoreData->getValue(),
0,
\ini_get('session.cookie_path'),
null,
$request->isSecure()
)
);
}
$params = $request->getParams();
unset($params[PaymentTokenService::TYPE_PAYMENT_TOKEN]);
$controller->redirect($params);
}
}
}
if ($restoreData) {
$controller->Response()->headers->setCookie(
new Cookie(
$restoreData->getSessionName(),
$restoreData->getValue(),
0,
\ini_get('session.cookie_path'),
null,
$request->isSecure()
)
);
}
$params = $request->getParams();
unset($params[PaymentTokenService::TYPE_PAYMENT_TOKEN]);
$controller->redirect($params);
}
}
// We need to allow it on login, otherwise the state is wrong
if (!($route === 'frontend.account.login' || $request->getMethod() === Request::METHOD_GET)) {
return;
}
if ($context->getCustomer() || $cart->getLineItems()->count() > 0) {
$newValue = $this->buildCacheHash($context);
if ($request->cookies->get(self::CONTEXT_CACHE_COOKIE, '') !== $newValue) {
$cookie = Cookie::create(self::CONTEXT_CACHE_COOKIE, $newValue);
$cookie->setSecureDefault($request->isSecure());
$response->headers->setCookie($cookie);
}
} elseif ($request->cookies->has(self::CONTEXT_CACHE_COOKIE)) {
$response->headers->removeCookie(self::CONTEXT_CACHE_COOKIE);
$response->headers->clearCookie(self::CONTEXT_CACHE_COOKIE);
}
/** @var bool|array{maxAge?: int, states?: list<string>}|null $cache */
$cache = $request->attributes->get(PlatformRequest::ATTRIBUTE_HTTP_CACHE);
if (!$cache) {
return;
}
if ($context->getCustomer() || $cart->getLineItems()->count() > 0) {
$newValue = $this->buildCacheHash($context);
if ($request->cookies->get(self::CONTEXT_CACHE_COOKIE, '') !== $newValue) {
$cookie = Cookie::create(self::CONTEXT_CACHE_COOKIE, $newValue);
$cookie->setSecureDefault($request->isSecure());
$response->headers->setCookie($cookie);
}
} elseif ($request->cookies->has(self::CONTEXT_CACHE_COOKIE)) {
$response->headers->removeCookie(self::CONTEXT_CACHE_COOKIE);
$response->headers->clearCookie(self::CONTEXT_CACHE_COOKIE);
}
/** @var bool|array{maxAge?: int, states?: list<string>}|null $cache */
$cache = $request->attributes->get(PlatformRequest::ATTRIBUTE_HTTP_CACHE);
if (!$cache) {
return NULL;
}
/** * {@inheritdoc} */
public function buildConfigurationForm(array $form, FormStateInterface $form_state) {
$form = parent::buildConfigurationForm($form, $form_state);
$domain = $this->configFactory->get('media.settings')->get('iframe_domain');
if (!$this->iFrameUrlHelper->isSecure($domain)) {
array_unshift($form, [
'#markup' => '<p>' . $this->t('It is potentially insecure to display oEmbed content in a frame that is served from the same domain as your main Drupal site, as this may allow execution of third-party code. <a href=":url">You can specify a different domain for serving oEmbed content in the Media settings</a>.', [
':url' => Url::fromRoute('media.settings')->setAbsolute()->toString(),
]) . '</p>',
]);
}
$form['thumbnails_directory'] = [
'#type' => 'textfield',
'#title' => $this->t('Thumbnails location'),
'#default_value' => $this->configuration['thumbnails_directory'],
static::assertTrue($app->getRequest()->server->has('good'));
static::assertFalse($app->getRequest()->server->has('bad'));
}
public function testHttpsRequest(): void
{
$orgRequest = new Request();
$orgRequest->server->set('HTTPS', '1');
$orgRequest->server->set('SERVER_NAME', 'localhost');
$orgRequest->server->set('SERVER_PORT', '443');
static::assertTrue($orgRequest->isSecure());
$appVariable = $this->createMock(AppVariable::class);
$appVariable->method('getRequest')->willReturn($orgRequest);
$app = new TwigAppVariable($appVariable, $this->getContainer()->getParameter('shopware.twig.app_variable.allowed_server_params'));
static::assertTrue($app->getRequest()->isSecure());
static::assertSame('https://localhost', $app->getRequest()->getSchemeAndHttpHost());
}
}
static::assertFalse($app->getRequest()->server->has('bad'));
}
public function testHttpsRequest(): void
{
$orgRequest = new Request();
$orgRequest->server->set('HTTPS', '1');
$orgRequest->server->set('SERVER_NAME', 'localhost');
$orgRequest->server->set('SERVER_PORT', '443');
static::assertTrue($orgRequest->isSecure());
$appVariable = $this->createMock(AppVariable::class);
$appVariable->method('getRequest')->willReturn($orgRequest);
$app = new TwigAppVariable($appVariable, $this->getContainer()->getParameter('shopware.twig.app_variable.allowed_server_params'));
static::assertTrue($app->getRequest()->isSecure());
static::assertSame('https://localhost', $app->getRequest()->getSchemeAndHttpHost());
}
}
private function getBaseUrlReal(): string
{
return $this->baseUrl ??= $this->prepareBaseUrl();
}
/** * Gets the request's scheme. */
public function getScheme(): string
{
return $this->isSecure() ? 'https' : 'http';
}
/** * Returns the port on which the request is made. * * This method can read the client port from the "X-Forwarded-Port" header * when trusted proxies were set via "setTrustedProxies()". * * The "X-Forwarded-Port" header must contain the client port. * * @return int|string|null Can be a string if fetched from the server bag */
/**
* {@inheritdoc}
*/
public function getOptions(Request $request) {
$options = $this->options;
// Generate / validate the cookie domain. $options['cookie_domain'] = $this->getCookieDomain($request) ?: '';
// If the site is accessed via SSL, ensure that the session cookie is // issued with the secure flag. $options['cookie_secure'] = $request->isSecure();
// Set the session cookie name. $options['name'] = $this->getName($request);
return $options;
}
/** * Returns the session cookie name. * * @param \Symfony\Component\HttpFoundation\Request $request * The request. * * @return string * The name of the session cookie. */
public function getOptions(Request $request) {
$options = $this->options;
// Generate / validate the cookie domain. $options['cookie_domain'] = $this->getCookieDomain($request) ?: '';
// If the site is accessed via SSL, ensure that the session cookie is // issued with the secure flag. $options['cookie_secure'] = $request->isSecure();
// Set the session cookie name. $options['name'] = $this->getName($request);
return $options;
}
/** * Returns the session cookie name. * * @param \Symfony\Component\HttpFoundation\Request $request * The request. * * @return string * The name of the session cookie. */
private function setContextCookie(Request $request, ShopContextInterface $context, Response $response): void
{
$hash = json_encode($context->getTaxRules()) . json_encode($context->getCurrentCustomerGroup());
$hash = $this->eventManager->filter('Shopware_Plugins_HttpCache_ContextCookieValue', $hash, [
'shopContext' => $context,
'session' => $this->session,
'request' => $request,
'response' => $response,
]);
$response->setCookie('x-cache-context-hash', sha1($hash), 0, $request->getBasePath() . '/', null, $request->isSecure());
}
}
{
$hash = json_encode($context->getTaxRules()) . json_encode($context->getCurrentCustomerGroup());
$hash = $this->eventManager->filter('Shopware_Plugins_HttpCache_ContextCookieValue', $hash, [
'shopContext' => $context,
'session' => $this->session,
'request' => $request,
'response' => $response,
]);
$response->setCookie('x-cache-context-hash', sha1($hash), 0, $request->getBasePath() . '/', null, $request->isSecure());
}
}