Direct links from HTTPS to HTTP

adminer/include/bootstrap.inc.php

@@ -24,11 +24,12 @@ include "../adminer/include/functions.inc.php";
 if (!isset($_SERVER["REQUEST_URI"])) {
 	$_SERVER["REQUEST_URI"] = $_SERVER["ORIG_PATH_INFO"] . ($_SERVER["QUERY_STRING"] != "" ? "?$_SERVER[QUERY_STRING]" : ""); // IIS 5 compatibility
 }
+$HTTPS = $_SERVER["HTTPS"] && strcasecmp($_SERVER["HTTPS"], "off");
 
 @ini_set("session.use_trans_sid", false); // protect links in export, @ - may be disabled
 if (!ini_bool("session.auto_start")) {
 	session_name("adminer_sid"); // use specific session name to get own namespace
-	$params = array(0, preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]), "", $_SERVER["HTTPS"] && strcasecmp($_SERVER["HTTPS"], "off"));
+	$params = array(0, preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]), "", $HTTPS);
 	if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
 		$params[] = true; // HttpOnly
 	}

adminer/include/design.inc.php

@@ -7,11 +7,11 @@
 * @return null
 */
 function page_header($title, $error = "", $breadcrumb = array(), $title2 = "") {
-	global $LANG, $VERSION, $adminer, $connection, $drivers;
+	global $LANG, $VERSION, $HTTPS, $adminer, $connection, $drivers;
 	header("Content-Type: text/html; charset=utf-8");
 	header("X-Frame-Options: deny"); // ClickJacking protection in IE8, Safari 4, Chrome 2, Firefox NoScript plugin
 	$title_all = $title . ($title2 != "" ? ": " . h($title2) : "");
-	$protocol = ($_SERVER["HTTPS"] && strcasecmp($_SERVER["HTTPS"], "off") ? "https" : "http");
+	$protocol = ($HTTPS ? "https" : "http");
 	?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
 <html lang="<?php echo $LANG; ?>">

adminer/include/functions.inc.php

@@ -245,13 +245,14 @@ function where_link($i, $column, $value, $operator = "=") {
 * @return bool
 */
 function cookie($name, $value) {
+	global $HTTPS;
 	$params = array(
 		$name,
 		(ereg("\n", $value) ? "" : $value), // HTTP Response Splitting protection in PHP < 5.1.2
 		time() + 2592000, // 2592000 - 30 days
 		preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]),
 		"",
-		$_SERVER["HTTPS"] && strcasecmp($_SERVER["HTTPS"], "off")
+		$HTTPS
 	);
 	if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
 		$params[] = true; // HttpOnly
@@ -703,11 +704,11 @@ function is_email($email) {
 
 /** Check whether the string is URL address
 * @param string
-* @return bool
+* @return string "http", "https" or ""
 */
 function is_url($string) {
-	$domain = '[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])'; // one domain component
-	return preg_match("~^https?://($domain?\\.)+$domain(:[0-9]+)?(/.*)?(\\?.*)?(#.*)?\$~i", $string); //! restrict path, query and fragment characters
+	$domain = '[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])'; // one domain component //! IDN
+	return (preg_match("~^(https?)://($domain?\\.)+$domain(:[0-9]+)?(/.*)?(\\?.*)?(#.*)?\$~i", $string, $match) ? strtolower($match[1]) : ""); //! restrict path, query and fragment characters
 }
 
 /** Print header for hidden fieldset (close by </div></fieldset>)

adminer/select.inc.php

@@ -315,11 +315,16 @@ if (!$columns) {
 								}
 							}
 						}
-						if (!$link && is_email($val)) {
-							$link = "mailto:$val";
-						}
-						if (!$link && is_url($row[$key])) {
-							$link = "http://www.adminer.org/redirect/?url=" . urlencode($row[$key]); // intermediate page to hide Referer, may be changed to rel="noreferrer" in HTML5
+						if (!$link) {
+							if (is_email($val)) {
+								$link = "mailto:$val";
+							}
+							if ($protocol = is_url($row[$key])) {
+								$link = ($protocol == "http" && $HTTPS
+									? $row[$key] // HTTP links from HTTPS pages don't receive Referer automatically
+									: "$protocol://www.adminer.org/redirect/?url=" . urlencode($row[$key]) // intermediate page to hide Referer, may be changed to rel="noreferrer" in HTML5
+								);
+							}
 						}
 						$id = h("val[$unique_idf][" . bracket_escape($key) . "]");
 						$value = $_POST["val"][$unique_idf][bracket_escape($key)];