From 118564b2fbfcc56f6216847fa6bb6d43bdd0ffa2 Mon Sep 17 00:00:00 2001
From: Nikita Krasnoyartsev
Date: Thu, 13 Apr 2023 12:51:42 +0300
Subject: [PATCH] fix multiple x_forwarded_proto
---
 src/HttpClient/Util.php | 12 +++++++++++-
 src/Thirdparty/OpenID/LightOpenID.php | 3 ++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/HttpClient/Util.php b/src/HttpClient/Util.php
index 1a92f7e2c..cd8a9a718 100644
--- a/src/HttpClient/Util.php
+++ b/src/HttpClient/Util.php
@@ -89,7 +89,7 @@ public static function getCurrentUrl($requestUri = false)
 $protocol = 'http://';
 
 if (($collection->get('HTTPS') && $collection->get('HTTPS') !== 'off') ||
- $collection->get('HTTP_X_FORWARDED_PROTO') === 'https') {
+ self::isXForwardedProtoHttps($collection->get('HTTP_X_FORWARDED_PROTO'))) {
 $protocol = 'https://';
 }
 
@@ -97,4 +97,14 @@ public static function getCurrentUrl($requestUri = false)
 $collection->get('HTTP_HOST') .
 $collection->get($requestUri ? 'REQUEST_URI' : 'PHP_SELF');
 }
+
+ public static function isXForwardedProtoHttps($xForwardedProto)
+ {
+ $protos = explode(',', (string)$xForwardedProto);
+ if (count($protos) > 0) {
+ return trim($protos[0]) === 'https';
+ }
+
+ return false;
+ }
 }
diff --git a/src/Thirdparty/OpenID/LightOpenID.php b/src/Thirdparty/OpenID/LightOpenID.php
index 14deab36a..f68dabde9 100644
--- a/src/Thirdparty/OpenID/LightOpenID.php
+++ b/src/Thirdparty/OpenID/LightOpenID.php
@@ -11,6 +11,7 @@ use Hybridauth\Exception\Exception;
 use Hybridauth\Exception\ExceptionInterface;
+use Hybridauth\HttpClient\Util;
 
 /**
  * Class ErrorException
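Review bot: The new `self::isXForwardedProtoHttps(...)` condition in getCurrentUrl still honours `HTTP_X_FORWARDED_PROTO` from whichever peer sent the request, so when this code runs without a proxy that strips or overwrites the header, the client decides the scheme of the URL this method returns. Considering only the first comma-separated entry makes that point more relevant, since the first entry is the one written by the outermost hop. Either consult the header only when `REMOTE_ADDR` matches a configured trusted-proxy list, or state the deployment assumption right above the check: `// HTTP_X_FORWARDED_PROTO is trusted as-is: deploy only behind a proxy that sets it.` The same applies to the LightOpenID::get_realm_protocol hunk in this commit, which delegates to the same helper; getCurrentUrl begins outside this hunk.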
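Review bot: In the added isXForwardedProtoHttps the `count($protos) > 0` guard is dead — explode() on a string always yields at least one element — so the `return false` branch is unreachable and the body can be one expression. The scheme is also compared case-sensitively, so a proxy sending `HTTPS` would be treated as plain http; `return strtolower(trim(explode(',', (string) $xForwardedProto, 2)[0])) === 'https';` addresses both. The method has no docblock: add one saying it takes the raw X-Forwarded-Proto header value, that only the first (outermost-proxy) entry of a comma-separated list is examined, and that the caller is responsible for passing a value that actually came from a trusted proxy.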
@@ -255,7 +256,7 @@ protected function get_realm_protocol()
 if (!empty($_SERVER['HTTPS'])) {
 $use_secure_protocol = ($_SERVER['HTTPS'] !== 'off');
 } elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
- $use_secure_protocol = ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https');
+ $use_secure_protocol = (Util::isXForwardedProtoHttps($_SERVER['HTTP_X_FORWARDED_PROTO']));
 } elseif (isset($_SERVER['HTTP__WSSC'])) {
 $use_secure_protocol = ($_SERVER['HTTP__WSSC'] == 'https');
 } else {
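Review bot: The parentheses wrapping the `Util::isXForwardedProtoHttps(...)` call on the added line are redundant — the helper already yields a bool — so `$use_secure_protocol = Util::isXForwardedProtoHttps($_SERVER['HTTP_X_FORWARDED_PROTO']);` reads more cleanly; the neighbouring assignments only parenthesise comparisons. This line also makes the vendored Thirdparty/OpenID class depend on Hybridauth\HttpClient\Util, which is presumably worth a short comment at the new `use` line so that a future upstream sync does not drop it. get_realm_protocol's body starts and ends outside this hunk.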