authorAndrew Dolgov <[email protected]>2021-02-26 14:14:44 +0300
committerAndrew Dolgov <[email protected]>2021-02-26 14:14:44 +0300
commite6a875b7e4e4b179284942878da452a8db8d9b50 (patch)
treecb00401ab3e44404b4305af99ede8faf8bcd49a0 /classes
parent4896874bda76536e29a10a5f7c1ee0fcd40dd201 (diff)
check if client-presented URL scheme is different from one configured in SELF_URL_PATH
Diffstat (limited to 'classes')
-rw-r--r--classes/errors.php5
-rwxr-xr-xclasses/rpc.php13
2 files changed, 15 insertions, 3 deletions
diff --git a/classes/errors.php b/classes/errors.php
index be175418e..3599c2639 100644
--- a/classes/errors.php
+++ b/classes/errors.php
@@ -5,8 +5,9 @@ class Errors {
const E_UNKNOWN_METHOD = "E_UNKNOWN_METHOD";
const E_UNKNOWN_PLUGIN = "E_UNKNOWN_PLUGIN";
const E_SCHEMA_MISMATCH = "E_SCHEMA_MISMATCH";
+ const E_URL_SCHEME_MISMATCH = "E_URL_SCHEME_MISMATCH";
- static function to_json(string $code) {
- return json_encode(["error" => ["code" => $code]]);
+ static function to_json(string $code, array $params = []) {
+ return json_encode(["error" => ["code" => $code, "params" => $params]]);
}
}
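Review bot: to_json() now serialises caller-supplied $params, but json_encode() still runs with default flags, so a params value that is not valid UTF-8 (rpc.php passes the client-presented scheme straight in) makes json_encode() return false and the handler prints an empty body instead of an error document. Passing `JSON_THROW_ON_ERROR` would surface that case, or `JSON_INVALID_UTF8_SUBSTITUTE` would keep the response well-formed; with a guaranteed string result the signature can be `static function to_json(string $code, array $params = []): string`. The `params` key is now always emitted, so consumers that expected the error object to carry only `code` must tolerate the extra key — worth stating in a short docblock on the method.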
diff --git a/classes/rpc.php b/classes/rpc.php
index aaaf4f8d5..630ea50cb 100755
--- a/classes/rpc.php
+++ b/classes/rpc.php
@@ -168,10 +168,21 @@ class RPC extends Handler_Protected {
$_SESSION["hasSandbox"] = clean($_REQUEST["hasSandbox"]) === "true";
$_SESSION["clientTzOffset"] = clean($_REQUEST["clientTzOffset"]);
+ $client_location = $_REQUEST["clientLocation"];
+
$error = Errors::E_SUCCESS;
+ $error_params = [];
+
+ $client_scheme = parse_url($client_location, PHP_URL_SCHEME);
+ $server_scheme = parse_url(get_self_url_prefix(), PHP_URL_SCHEME);
if (get_schema_version() != SCHEMA_VERSION) {
$error = Errors::E_SCHEMA_MISMATCH;
+ } else if ($client_scheme != $server_scheme) {
+ $error = Errors::E_URL_SCHEME_MISMATCH;
+ $error_params["client_scheme"] = $client_scheme;
+ $error_params["server_scheme"] = $server_scheme;
+ $error_params["self_url_path"] = get_self_url_prefix();
}
if ($error == Errors::E_SUCCESS) {
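Review bot: `$_REQUEST["clientLocation"]` is read directly, while the neighbouring lines in the same hunk go through clean(), and with no presence check a request that omits the parameter raises an undefined array key warning and yields a null client scheme, which the `!=` comparison below then reports as E_URL_SCHEME_MISMATCH for any caller that does not send it. Since the value is also reflected back to the caller in $error_params, it should at least use the same helper: `$client_location = clean($_REQUEST["clientLocation"] ?? "");`, with the mismatch branch skipped when the result is empty unless reporting that as a mismatch is intended. parse_url() preserves the scheme's case, so `HTTPS://` against a configured `https://` also trips the check; comparing `strtolower((string)$client_scheme) !== strtolower((string)$server_scheme)` avoids that spurious error. The enclosing method starts above this hunk.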
@@ -183,7 +194,7 @@ class RPC extends Handler_Protected {
print json_encode($reply);
} else {
- print Errors::to_json($error);
+ print Errors::to_json($error, $error_params);
}
}