From d677315331796d52bd1bcf5908964a53958469d6 Mon Sep 17 00:00:00 2001 From: Thomas Lange Date: Wed, 4 Aug 2021 15:53:38 +0200 Subject: Use "strpos" to validate "If-None-Match" header Remove those "trim" calls and use "strpos" to check if the ETag value generated by the system is contained somewhere in the "If-None-Match" request header sent by the client (if present). With this commit, the ETag header validation now also works with nginx. The nginx web server prefixes the "ETag" header generated by the system with the string "W/" which caused the previous validation code to fail. Instead of using multiple "trim" calls or "preg_replace", we now use a single, simple and fast "strpos" call to check if the system generated Etag hash value is contained in the "If-None-Match" request header. --- core/application.php | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) (limited to 'core/application.php')
diff --git a/core/application.php b/core/application.php
index a907a27..8d0b8a3 100644
--- a/core/application.php
+++ b/core/application.php
@@ -181,26 +181,17 @@ if(Application::get('CORE.SEND_304') AND !defined('ADMINISTRATION')) {
  #===========================================================================
  # Define HTTP ETag header identifier
  #===========================================================================
- $HTTP_ETAG_IDENTIFIER = md5(implode($Statement->fetch()));
+ $etag = md5(implode($Statement->fetch()));
 
  #===========================================================================
  # Send ETag header within the HTTP response
  #===========================================================================
- HTTP::responseHeader(HTTP::HEADER_ETAG, "\"{$HTTP_ETAG_IDENTIFIER}\"");
+ HTTP::responseHeader(HTTP::HEADER_ETAG, "\"{$etag}\"");
 
  #===========================================================================
- # Validate ETag header from the HTTP request
+ # Return "304 Not Modified" if the clients ETag value matches
  #===========================================================================
- if(isset($_SERVER['HTTP_IF_NONE_MATCH'])) {
- $HTTP_IF_NONE_MATCH = $_SERVER['HTTP_IF_NONE_MATCH'];
- $HTTP_IF_NONE_MATCH = trim($HTTP_IF_NONE_MATCH, '"');
-
- # If the server adds the extensions to the response header
- $HTTP_IF_NONE_MATCH = rtrim($HTTP_IF_NONE_MATCH, '-br');
- $HTTP_IF_NONE_MATCH = rtrim($HTTP_IF_NONE_MATCH, '-gzip');
-
- if($HTTP_IF_NONE_MATCH === $HTTP_ETAG_IDENTIFIER) {
- Application::exit(NULL, 304);
- }
+ if(strpos($_SERVER['HTTP_IF_NONE_MATCH'] ?? '', $etag) !== FALSE) {
+ Application::exit(NULL, 304);
  }
  }
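Review bot: The added line `$etag = md5(implode($Statement->fetch()));` still hashes whatever `fetch()` returns, and if `$Statement` is PDO-style and returns `false` for a missing row, PHP 7 hashes the empty string after a warning — every such response then carries the same ETag `d41d8cd98f00b204e9800998ecf8427e`, so a client holding it is served a 304 for a different resource — while PHP 8 throws a TypeError; guard it with `$row = $Statement->fetch();` and only compute and send the ETag when `$row !== FALSE`. The `strpos` substring test is acceptable because the ETag is a fixed-length 32-hex md5 and not a secret, but the new comment should record why a substring match is safe here, e.g. `# Substring match: the md5 is fixed-length, so W/ prefixes, quotes and -gzip/-br suffixes added by proxies cannot cause a false match`. If the project targets PHP 8, `str_contains($_SERVER['HTTP_IF_NONE_MATCH'] ?? '', $etag)` reads better than `strpos(...) !== FALSE`, and the new comment should say "client's" rather than "clients". The enclosing `if(Application::get('CORE.SEND_304') …)` block begins before this hunk.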