Fix \Magento\Checkout\Controller\Index\Index::isSecureRequest method to take care of current request being secure and also from referer, as stated in phpdoc block

adrian-martinez-interactiv4 · adrian-martinez-interactiv4 · commit 4d23b8b3c64e · 2018-05-08T19:09:38.000+02:00
diff --git a/app/code/Magento/Checkout/Controller/Index/Index.php b/app/code/Magento/Checkout/Controller/Index/Index.php
@@ -51,18 +51,16 @@ public function execute()
      */
     private function isSecureRequest(): bool
     {
-        $secure = false;
         $request = $this->getRequest();
 
-        if ($request->isSecure()) {
-            $secure = true;
-        }
+        $referrer = $request->getHeader('referer');
+        $secure = false;
 
-        if ($request->getHeader('referer')) {
-            $scheme = parse_url($request->getHeader('referer'), PHP_URL_SCHEME);
+        if ($referrer) {
+            $scheme = parse_url($referrer, PHP_URL_SCHEME);
             $secure = $scheme === 'https';
         }
 
-        return $secure;
+        return $secure && $request->isSecure();
     }
 }
diff --git a/app/code/Magento/Checkout/Test/Unit/Controller/Index/IndexTest.php b/app/code/Magento/Checkout/Test/Unit/Controller/Index/IndexTest.php
@@ -236,26 +236,27 @@ public function testRegenerateSessionIdOnExecute(bool $secure, string $referer,
     public function sessionRegenerationDataProvider(): array
     {
         return [
+            [
+                'secure' => false,
+                'referer' => 'https://test.domain.com/',
+                'expectedCall' => self::once()
+            ],
             [
                 'secure' => true,
                 'referer' => false,
-                'expectedCall' => self::never()
+                'expectedCall' => self::once()
             ],
             [
                 'secure' => true,
-                'referer' => 'https://test.domain.com/',
-                'expectedCall' => self::never()
+                'referer' => 'http://test.domain.com/',
+                'expectedCall' => self::once()
             ],
+            // This is the only case in which session regeneration can be skipped
             [
-                'secure' => false,
+                'secure' => true,
                 'referer' => 'https://test.domain.com/',
                 'expectedCall' => self::never()
             ],
-            [
-                'secure' => true,
-                'referer' => 'http://test.domain.com/',
-                'expectedCall' => self::once()
-            ]
         ];
     }
 

Original file line number	Diff line number	Diff line change
`@@ -51,18 +51,16 @@ public function execute()`
`51`	`51`	`*/`
`52`	`52`	`private function isSecureRequest(): bool`
`53`	`53`	`{`
`54`		`- $secure = false;`
`55`	`54`	`$request = $this->getRequest();`
`56`	`55`
`57`		`- if ($request->isSecure()) {`
`58`		`- $secure = true;`
`59`		`- }`
	`56`	`+ $referrer = $request->getHeader('referer');`
	`57`	`+ $secure = false;`
`60`	`58`
`61`		`- if ($request->getHeader('referer')) {`
`62`		`- $scheme = parse_url($request->getHeader('referer'), PHP_URL_SCHEME);`
	`59`	`+ if ($referrer) {`
	`60`	`+ $scheme = parse_url($referrer, PHP_URL_SCHEME);`
`63`	`61`	`$secure = $scheme === 'https';`
`64`	`62`	`}`
`65`	`63`
`66`		`- return $secure;`
	`64`	`+ return $secure && $request->isSecure();`
`67`	`65`	`}`
`68`	`66`	`}`