Buggy redirects when using https/SSL (version 1.28 - 2.01)

6 posts by 3 authors in: Forums > CMS Builder
Last Post: January 11, 2010

Re: [webdude] Buggy redirects when using https/SSL (version 1.28)

By ross - April 24, 2009

Hi there.

Thanks for the post!

I'll make a note of this and make sure we take a look at getting the fix into the next version.

Let me know if anything else comes up :).
-----------------------------------------------------------
Cheers,
Ross Fairbairn - Consulting
consulting@interactivetools.com

Hire me! Save time by getting our experts to help with your project.
Template changes, advanced features, full integration, whatever you
need. Whether you need one hour or fifty, get it done fast with
Priority Consulting: http://www.interactivetools.com/consulting/

Re: [webdude] Buggy redirects when using https/SSL (version 1.28)

By Dave - April 29, 2009

Thanks for the report! We've fixed this for 1.29 (the next release in development).
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] Buggy redirects still here when using HTTPS :(

By webdude - January 10, 2010

Hi Dave, it looks like the bug has crept back :(

We hadn't upgraded since 1.28 (where we had patched it ourselves)... but after upgrading to v2.01 the redirects are still not working.

We are running the CMS using SSL on a non-standard port.

We noticed 3 places where the CMS checks if SSL is enabled by checking $_SERVER['https'], instead of checking $_SERVER['HTTPS'] (lowercase vs uppercase). It must be changed to uppercase for it to mean anything (at least on my standard 5.3.0 PHP install) which the PHP documentation page confirms: http://ca.php.net/manual/en/reserved.variables.server.php

In the file lib/common.php on line 391:

version 2.01:

$proto = (@$_SERVER["https"] == 'on' || @$_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";

bugfix:

$proto = (@$_SERVER["HTTPS"] == 'on' || @$_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";

In the file lib/common.php on line 623:

version 2.01:

$isHTTPS = @$_SERVER["https"] == 'on' || @$_SERVER['SERVER_PORT'] == 443;

bugfix:

$isHTTPS = @$_SERVER["HTTPS"] == 'on' || @$_SERVER['SERVER_PORT'] == 443;

In the file lib/viewer_functions.php on line 1061:

version 2.01:

$isHTTPS = @$_SERVER["https"] == 'on' || @$_SERVER['SERVER_PORT'] == 443;

bugfix:

$isHTTPS = @$_SERVER["HTTPS"] == 'on' || @$_SERVER['SERVER_PORT'] == 443;


The other bug is related (in the thisPageUrl function). It has to do with the fact we are using a non-standard port (eg. 84).

In the file lib/common.php, the code on line 392 extracts the current domain name from $_SERVER['HTTP_HOST'] if possible... the problem is that $_SERVER['HTTP_HOST'] sometimes (depending on the PHP install?) includes the port number if it is non-default...

So the next line 393 adds the port a 2nd time resulting in invalid URLs like https://www.example.com:84:84/admin.php instead of https://www.example.com:84/admin.php

My suggested fix would be to first check that the port name was not already included in $domain and only add the port if needed.

In the file lib/common.php on line 393:

version 2.01:

$port = (@$_SERVER['SERVER_PORT'] && @$_SERVER['SERVER_PORT'] != 80) ? ":{$_SERVER['SERVER_PORT']}" : '';

bugfix:

if (preg_match('|:[0-9]+$|', $domain)) {
    $port = '';
} else {
    $port = (@$_SERVER['SERVER_PORT'] && @$_SERVER['SERVER_PORT'] != 80) ? ":{$_SERVER['SERVER_PORT']}" : '';
}


I'm sorry if this post is long-winded, I just genuinely want to get this fixed. I have patched my installation and it is working great.

Thanks!

Re: [webdude] Buggy redirects still here when using HTTPS :(

By Dave - January 11, 2010

Hi webdude,

Awesome bug report, thanks! :) I've applied all those patches.

For the last one, can you try just removing the $port code from thisPageUrl()?

According to RFC 2616 (Section 14.23) it sounds like it's valid for HTTP_HOST (Host header) to include the port number, and there could be a scenario where SERVER_PORT isn't valid (as the originating server is behind a proxy or load balancer and runs on a different port).

Let me know if that works for you.

Thanks again! :)
Dave Edis - Senior Developer
interactivetools.com
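
The two issues discussed in this thread (the case-sensitive HTTPS key and a port that may already be present in the Host header), combined in one function as an added example; it is not code from the thread or from CMS Builder. The function name currentBaseUrl(), the syntax check on the Host value, the SERVER_NAME fallback and the sample arrays are assumptions made for illustration, and the code assumes PHP 7 or later.

```php
<?php
// Added example: currentBaseUrl() is a hypothetical helper, not CMS Builder code.
// It takes the server array as an argument so constructed input can be passed in.
function currentBaseUrl(array $server): string
{
    // $_SERVER keys are case-sensitive: the key is 'HTTPS', never 'https'.
    // Some servers (IIS) set it to 'off' for plain HTTP, so test for that too.
    $https   = strtolower((string)($server['HTTPS'] ?? ''));
    $isHttps = ($https !== '' && $https !== 'off')
            || (int)($server['SERVER_PORT'] ?? 0) === 443;
    $scheme      = $isHttps ? 'https' : 'http';
    $defaultPort = $isHttps ? 443 : 80;

    // HTTP_HOST comes from the client's Host header and may already end in
    // ":port". Accept only name[:port] (no IPv6 literals); anything else
    // falls back to the server-configured SERVER_NAME.
    $host = (string)($server['HTTP_HOST'] ?? '');
    if (!preg_match('/^([a-z0-9.-]+)(?::([0-9]{1,5}))?\z/i', $host, $m)) {
        $m = ['', (string)($server['SERVER_NAME'] ?? 'localhost')];
    }
    $name = strtolower($m[1]);

    // A port in Host wins (it may differ from SERVER_PORT behind a proxy);
    // SERVER_PORT is used only when Host carries none. The port is appended
    // once, and only when it is not the default for the scheme.
    $port   = isset($m[2]) ? (int)$m[2] : (int)($server['SERVER_PORT'] ?? 0);
    $suffix = ($port > 0 && $port !== $defaultPort) ? ":$port" : '';

    return "$scheme://$name$suffix";
}

// Constructed sample inputs (not captured from a real server).
$samples = [
    ['HTTPS' => 'on', 'HTTP_HOST' => 'www.example.com:84', 'SERVER_PORT' => '84'],
    ['HTTPS' => 'on', 'HTTP_HOST' => 'www.example.com',    'SERVER_PORT' => '84'],
    ['HTTPS' => 'on', 'HTTP_HOST' => 'www.example.com',    'SERVER_PORT' => '443'],
    ['HTTP_HOST' => 'www.example.com:84:84', 'SERVER_NAME' => 'www.example.com',
     'SERVER_PORT' => '80'],
];
foreach ($samples as $s) {
    echo currentBaseUrl($s), "\n";
}
```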

Re: [Dave] Buggy redirects still here when using HTTPS :(

By webdude - January 11, 2010

Hi Dave,

Great! Thanks for listening!