Buggy redirects when using https/SSL (version 1.28 - 2.01)

6 posts by 3 authors in: Forums > CMS Builder
Last Post: January 11, 2010

By webdude - April 24, 2009 - edited: January 10, 2010

Hello!

We found a couple buggy redirects after switching our installation to https. Some of the built-in redirects are hard-coded to urls with the regular http prefix which results in redirecting to the wrong url.

One example of such a function is logout. Clicking logout should redirect the user to https://myserver.com/admin.php but instead it is going to http://myserver.com/admin.php

After searching through I found at least 4 files where the http: was hardcoded into the redirect (meaning it wasn't checking to see if the install is running on an SSL connection). Instead of mucking around in all those places I found an easy way to fix it by adding the following line in the redirectBrowserToURL function:

$url = preg_replace('|^https?://|i', @$_SERVER['HTTPS'] == 'on' ? 'https://' : 'http://', $url);

It would be great if something like this can be included in the next bugfix release.

Thanks!

PS it would not be a good idea to use my fix if the redirectBrowserToURL function is being used by the code to redirect to sites other than the HTTP_HOST on which the install is running, because then the $_SERVER['HTTPS'] would be completely irrelevant.

Re: [webdude] Buggy redirects when using https/SSL (version 1.28)

By Dave - April 29, 2009

Thanks for the report! We've fixed this for 1.29 (the next release in development).
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] Buggy redirects still here when using HTTPS :(

By webdude - January 10, 2010

Hi Dave it looks like the bug has crept back :(

We hadn't upgraded since 1.28 (where we had patched it ourselves)... but after upgrading to v2.01 the redirects are still not working.

We are running the CMS using SSL on a non-standard port.

We noticed 3 places where the CMS checks if SSL is enabled by checking $_SERVER['https'], instead of checking $_SERVER['HTTPS'] (lowercase vs uppercase). It must be changed to uppercase for it to mean anything (at least on my standard 5.3.0 PHP install) which the PHP documentation page confirms: http://ca.php.net/manual/en/reserved.variables.server.php

In the file lib/common.php on line 391:

version 2.01:

$proto = (@$_SERVER["https"] == 'on' || @$_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";

bugfix:

$proto = (@$_SERVER["HTTPS"] == 'on' || @$_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";

In the file lib/common.php on line 623:

version 2.01:

$isHTTPS = @$_SERVER["https"] == 'on' || @$_SERVER['SERVER_PORT'] == 443;

bugfix:

$isHTTPS = @$_SERVER["HTTPS"] == 'on' || @$_SERVER['SERVER_PORT'] == 443;

In the file lib/viewer_functions.php on line 1061:

version 2.01:

$isHTTPS = @$_SERVER["https"] == 'on' || @$_SERVER['SERVER_PORT'] == 443;

bugfix:

$isHTTPS = @$_SERVER["HTTPS"] == 'on' || @$_SERVER['SERVER_PORT'] == 443;


The other bug is related (in the thisPageUrl function). It has to do with the fact we are using a non-standard port (eg. 84).

In the file lib/common.php, the code on line 392 extracts the current domain name from $_SERVER['HTTP_HOST'] if possible... the problem is that $_SERVER['HTTP_HOST'] sometimes (depending on the PHP install?) includes the port number if it is non-default...

So the next line 393 adds the port a 2nd time resulting in invalid urls like https://www.example.com:84:84/admin.php instead of https://www.example.com:84/admin.php

My suggested fix would be to first check that the port name was not already included in $domain and only add the port if needed. In the file lib/common.php on line 393:

version 2.01:

$port = (@$_SERVER['SERVER_PORT'] && @$_SERVER['SERVER_PORT'] != 80) ? ":{$_SERVER['SERVER_PORT']}" : '';

bugfix:

if (preg_match('|:[0-9]+$|', $domain)) {
    $port = '';
} else {
    $port = (@$_SERVER['SERVER_PORT'] && @$_SERVER['SERVER_PORT'] != 80) ? ":{$_SERVER['SERVER_PORT']}" : '';
}


I'm sorry if this post is long-winded, I just genuinely want to get this fixed. I have patched my installation and it is working great.

Thanks!

Re: [webdude] Buggy redirects still here when using HTTPS :(

By Dave - January 11, 2010

Hi webdude,

Awesome bug report, thanks! :) I've applied all those patches.

For the last one, can you try just removing the $port code from thisPageUrl()?

According to RFC 2616 (Section 14.23) it sounds like it's valid for HTTP_HOST (Host header) to include the port number, and there could be a scenario where SERVER_PORT isn't valid (as the originating server is behind a proxy or load balancer and runs on a different port).

Let me know if that works for you.

Thanks again! :)
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] Buggy redirects still here when using HTTPS :(

By webdude - January 11, 2010

Hi Dave,

Great! Thanks for listening!
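
The two fixes discussed in this thread (the case-sensitive `$_SERVER['HTTPS']` check and not appending the port when the Host header already carries one), combined in one helper as an added example; it is not code from the posts or from CMS Builder. The names `isHttps` and `baseUrl`, the host allowlist (added because the Host header is client-supplied) and the sample values are assumptions for illustration.

```php
<?php
// Added example: function names and sample values are hypothetical.

// $_SERVER keys are case-sensitive, so only 'HTTPS' is consulted.
// Assumption: any non-empty value other than 'off' counts as HTTPS,
// which is broader than the thread's == 'on' comparison.
function isHttps(array $server): bool {
    $flag = strtolower((string)($server['HTTPS'] ?? ''));
    return ($flag !== '' && $flag !== 'off')
        || (int)($server['SERVER_PORT'] ?? 0) === 443;
}

// Build "scheme://host[:port]" without appending the port twice.
// IPv6 literals in Host are rejected here to keep the parser small.
function baseUrl(array $server, array $allowedHosts): string {
    $scheme  = isHttps($server) ? 'https' : 'http';
    $default = $scheme === 'https' ? 443 : 80;

    // The Host header is client-supplied and may already carry ":port".
    $raw = strtolower((string)($server['HTTP_HOST'] ?? ''));
    if (!preg_match('/^([a-z0-9.-]+)(?::([0-9]{1,5}))?\z/', $raw, $m)) {
        throw new InvalidArgumentException('malformed Host header');
    }
    if (!in_array($m[1], $allowedHosts, true)) {
        throw new InvalidArgumentException('host not in allowlist');
    }
    // Prefer the port from Host; use SERVER_PORT only when Host has none.
    $port = (int)(($m[2] ?? '') !== '' ? $m[2] : ($server['SERVER_PORT'] ?? $default));
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('port out of range');
    }
    return $scheme . '://' . $m[1] . ($port === $default ? '' : ':' . $port);
}

// Constructed $_SERVER samples, not captured traffic.
$samples = [
    ['HTTPS' => 'on', 'HTTP_HOST' => 'www.example.com:84', 'SERVER_PORT' => '84'],
    ['HTTPS' => 'on', 'HTTP_HOST' => 'www.example.com',    'SERVER_PORT' => '84'],
    ['HTTPS' => 'on', 'HTTP_HOST' => 'www.example.com',    'SERVER_PORT' => '443'],
    ['https' => 'on', 'HTTP_HOST' => 'www.example.com:84', 'SERVER_PORT' => '84'], // wrong-case key
    ['HTTPS' => 'on', 'HTTP_HOST' => 'other.example.net',  'SERVER_PORT' => '443'], // not allowlisted
];
foreach ($samples as $s) {
    try {
        echo baseUrl($s, ['www.example.com']), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The wrong-case sample shows the symptom from the thread: with only `$_SERVER['https']` set, the helper falls back to an `http://` URL on the SSL port.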