From d677315331796d52bd1bcf5908964a53958469d6 Mon Sep 17 00:00:00 2001
From: Thomas Lange <code@nerdmind.de>
Date: Wed, 4 Aug 2021 15:53:38 +0200
Subject: Use "strpos" to validate "If-None-Match" header

Remove those "trim" calls and use "strpos" to check if the ETag value
generated by the system is contained somewhere in the "If-None-Match"
request header sent by the client (if present).

With this commit, the ETag header validation now also works with nginx.
The nginx web server prefixes the "ETag" header generated by the system
with the string "W/" which caused the previous validation code to fail.

Instead of using multiple "trim" calls or "preg_replace", we now use a
single, simple and fast "strpos" call to check if the system generated
Etag hash value is contained in the "If-None-Match" request header.
---
 core/application.php | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/core/application.php b/core/application.php
index a907a27..8d0b8a3 100644
--- a/core/application.php
+++ b/core/application.php
@@ -181,26 +181,17 @@ if(Application::get('CORE.SEND_304') AND !defined('ADMINISTRATION')) {
 	#===========================================================================
 	# Define HTTP ETag header identifier
 	#===========================================================================
-	$HTTP_ETAG_IDENTIFIER = md5(implode($Statement->fetch()));
+	$etag = md5(implode($Statement->fetch()));
 
 	#===========================================================================
 	# Send ETag header within the HTTP response
 	#===========================================================================
-	HTTP::responseHeader(HTTP::HEADER_ETAG, "\"{$HTTP_ETAG_IDENTIFIER}\"");
+	HTTP::responseHeader(HTTP::HEADER_ETAG, "\"{$etag}\"");
 
 	#===========================================================================
-	# Validate ETag header from the HTTP request
+	# Return "304 Not Modified" if the clients ETag value matches
 	#===========================================================================
-	if(isset($_SERVER['HTTP_IF_NONE_MATCH'])) {
-		$HTTP_IF_NONE_MATCH = $_SERVER['HTTP_IF_NONE_MATCH'];
-		$HTTP_IF_NONE_MATCH = trim($HTTP_IF_NONE_MATCH, '"');
-
-		# If the server adds the extensions to the response header
-		$HTTP_IF_NONE_MATCH = rtrim($HTTP_IF_NONE_MATCH, '-br');
-		$HTTP_IF_NONE_MATCH = rtrim($HTTP_IF_NONE_MATCH, '-gzip');
-
-		if($HTTP_IF_NONE_MATCH === $HTTP_ETAG_IDENTIFIER) {
-			Application::exit(NULL, 304);
-		}
+	if(strpos($_SERVER['HTTP_IF_NONE_MATCH'] ?? '', $etag) !== FALSE) {
+		Application::exit(NULL, 304);
 	}
 }
-- 
cgit v1.2.3