? bootstrap.inc.patch ? bootstrap.inc_313145_1.patch ? theme.inc.patch ? sites/default/files ? sites/default/private ? sites/default/settings.php Index: includes/bootstrap.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v retrieving revision 1.303 diff -u -p -r1.303 bootstrap.inc --- includes/bootstrap.inc 5 Sep 2009 13:05:30 -0000 1.303 +++ includes/bootstrap.inc 9 Sep 2009 21:12:22 -0000 @@ -529,10 +529,29 @@ function drupal_settings_initialize() { } else { // Create base URL - $http_protocol = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http'; - $base_root = $http_protocol . '://' . $_SERVER['HTTP_HOST']; - - $base_url = $base_root; + if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') { + // We're running HTTPS natively in the web server. + $http_protocol = 'https'; + } + elseif (isset($conf['reverse_proxy']) && $conf['reverse_proxy']) { + // Only trust headers if 'reverse_proxy' is configured. + if ((isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') || (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && $_SERVER['HTTP_FRONT_END_HTTPS'] == 'on')) { + // We appear to be behind a proxy running HTTPS. + $http_protocol = 'https'; + } + } + elseif (!file_exists(DRUPAL_ROOT . '/' . conf_path() . '/settings.php')) { + // We have no settings.php, so we can't refer to 'reverse_proxy'. + // This must be a new installation. + if ((isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') || (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && $_SERVER['HTTP_FRONT_END_HTTPS'] == 'on')) { + // We appear to be behind a proxy running HTTPS. + $http_protocol = 'https'; + } + } + else { + $http_protocol = 'http'; + } + $base_url = $http_protocol . '://' . $_SERVER['HTTP_HOST']; // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not // be modified by a visitor.