TPS
/
ORIENT
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added config backendForceSecure used to force HTTPS 

Refs https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
This commit is contained in:
Samuel Georges 2016-12-17 10:16:02 +11:00
parent c644f8b66d
commit 6af6ebe733
3 changed files with 46 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
config/cms.php
View File

@ -38,6 +38,19 @@ return [
'backendUri' => 'backend', 'backendUri' => 'backend',
/*
|--------------------------------------------------------------------------
| Back-end force HTTPS security
|--------------------------------------------------------------------------
|
| Use this setting to force a secure protocol when accessing any back-end
| pages, including the authentication pages. If set to null, this setting
| is enabled when debug mode (app.debug) is disabled.
|
*/
'backendForceSecure' => null,
/* /*
|-------------------------------------------------------------------------- |--------------------------------------------------------------------------
| Back-end timezone | Back-end timezone
@ -284,8 +297,8 @@ return [
|-------------------------------------------------------------------------- |--------------------------------------------------------------------------
| |
| If safe mode is enabled, the PHP code section is disabled in the CMS | If safe mode is enabled, the PHP code section is disabled in the CMS
| for security reasons. If set to null, safe mode is on when debug mode | for security reasons. If set to null, safe mode is enabled when
| (app.debug) is disabled. | debug mode (app.debug) is disabled.
| |
*/ */

29
modules/backend/classes/Controller.php
View File

@ -9,6 +9,7 @@ use Config;
use Request; use Request;
use Backend; use Backend;
use Session; use Session;
use Redirect;
use Response; use Response;
use Exception; use Exception;
use BackendAuth; use BackendAuth;
@ -174,6 +175,13 @@ class Controller extends Extendable
return Response::make(Lang::get('backend::lang.page.invalid_token.label'), 403); return Response::make(Lang::get('backend::lang.page.invalid_token.label'), 403);
} }
/*
* Check forced HTTPS protocol.
*/
if (!$this->verifyForceSecure()) {
return Redirect::secure(Request::path());
}
/* /*
* Extensibility * Extensibility
*/ */
@ -667,7 +675,7 @@ class Controller extends Extendable
} }
// //
// CSRF Protection // Security
// //
/** /**
@ -693,4 +701,23 @@ class Controller extends Extendable
$token $token
); );
} }
/**
* Checks if the back-end should force a secure protocol (HTTPS) enabled by config.
* @return bool
*/
protected function verifyForceSecure()
{
if (Request::secure() || Request::ajax()) {
return true;
}
// @todo if year >= 2018 change default from false to null
$forceSecure = Config::get('cms.backendForceSecure', false);
if ($forceSecure === null) {
$forceSecure = !Config::get('app.debug', false);
}
return !$forceSecure;
}
} }

5
modules/system/classes/ErrorHandler.php
View File

@ -53,13 +53,14 @@ class ErrorHandler extends ErrorHandlerBase
*/ */
public function handleCustomError() public function handleCustomError()
{ {
if (Config::get('app.debug', false)) if (Config::get('app.debug', false)) {
return null; return null;
}
$theme = Theme::getActiveTheme(); $theme = Theme::getActiveTheme();
$router = new Router($theme);
// Use the default view if no "/error" URL is found. // Use the default view if no "/error" URL is found.
$router = new Router($theme);
if (!$router->findByUrl('/error')) { if (!$router->findByUrl('/error')) {
return View::make('cms::error'); return View::make('cms::error');
} }