Buggy redirects when using https/SSL (version 1.28 - 2.01)

6 posts by 3 authors in: Forums > CMS Builder
Last Post: January 11, 2010

By webdude - April 24, 2009 - edited: January 10, 2010

Hello!

We found a couple buggy redirects after switching our installation to https. Some of the built-in redirects are hard-coded to urls with the regular http prefix which results in redirecting to the wrong url.

One example of such a function is logout. Clicking logout should redirect the user to https://myserver.com/admin.php but instead it is going to http://myserver.com/admin.php

After searching through I found at least 4 files where the http: was hardcoded into the redirect (meaning it wasn't checking to see if the install is running on an SSL connection). Instead of mucking around in all those places I found an easy way to fix it by adding the following line in the redirectBrowserToURL function:

$url = preg_replace('|^https?://|i', @$_SERVER['HTTPS'] == 'on' ? 'https://' : 'http://', $url);

It would be great if something like this can be included in the next bugfix release.

Thanks!

PS it would not be a good idea to use my fix if the redirectBrowserToURL function is being used by the code to redirect to sites other than the HTTP_HOST on which the install is running, because then the $_SERVER['HTTPS'] would be completely irrelevant.

Re: [webdude] Buggy redirects when using https/SSL (version 1.28)

By ross - April 24, 2009

Hi there.

Thanks for the post!

I'll make a note of this and make sure we take a look at getting the fix into the next version.

Let me know if anything else comes up :).
-----------------------------------------------------------
Cheers,
Ross Fairbairn - Consulting
consulting@interactivetools.com

Re: [Dave] Buggy redirects still here when using HTTPS :(

By webdude - January 10, 2010

Hi Dave it looks like the bug has crept back :(

We hadn't upgraded since 1.28 (where we had patched it ourselves)... but after upgrading to v2.01 the redirects are still not working.

We are running the CMS using SSL on a non-standard port.

We noticed 3 places where the CMS checks if SSL is enabled by checking $_SERVER['https'], instead of checking $_SERVER['HTTPS'] (lowercase vs uppercase). It must be changed to uppercase for it to mean anything (at least on my standard 5.3.0 PHP install) which the PHP documentation page confirms: http://ca.php.net/manual/en/reserved.variables.server.php

In the file lib/common.php on line 391:

version 2.01:

$proto = (@$_SERVER["https"] == 'on' || @$_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";

bugfix:

$proto = (@$_SERVER["HTTPS"] == 'on' || @$_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";

In the file lib/common.php on line 623:

version 2.01:

$isHTTPS = @$_SERVER["https"] == 'on' || @$_SERVER['SERVER_PORT'] == 443;

bugfix:

$isHTTPS = @$_SERVER["HTTPS"] == 'on' || @$_SERVER['SERVER_PORT'] == 443;

In the file lib/viewer_functions.php on line 1061:

version 2.01:

$isHTTPS = @$_SERVER["https"] == 'on' || @$_SERVER['SERVER_PORT'] == 443;

bugfix:

$isHTTPS = @$_SERVER["HTTPS"] == 'on' || @$_SERVER['SERVER_PORT'] == 443;


The other bug is related (in the thisPageUrl function). It has to do with the fact we are using a non-standard port (eg. 84).

In the file lib/common.php, the code on line 392 extracts the current domain name from $_SERVER['HTTP_HOST'] if possible... the problem is that $_SERVER['HTTP_HOST'] sometimes (depending on the PHP install?) includes the port number if it is non-default...

So the next line 393 adds the port a 2nd time resulting in invalid urls like https://www.example.com:84:84/admin.php instead of https://www.example.com:84/admin.php

My suggested fix would be to first check that the port name was not already included in $domain and only add the port if needed.

In the file lib/common.php on line 393:

version 2.01:

$port = (@$_SERVER['SERVER_PORT'] && @$_SERVER['SERVER_PORT'] != 80) ? ":{$_SERVER['SERVER_PORT']}" : '';

bugfix:

if(preg_match('|:[0-9]+$|', $domain)) {
    $port = '';
} else {
    $port = (@$_SERVER['SERVER_PORT'] && @$_SERVER['SERVER_PORT'] != 80) ? ":{$_SERVER['SERVER_PORT']}" : '';
}


I'm sorry if this post is long winded, I just genuinely want to get this fixed. I have patched my installation and it is working great.

Thanks!

Re: [webdude] Buggy redirects still here when using HTTPS :(

By Dave - January 11, 2010

Hi webdude,

Awesome bug report, thanks! :) I've applied all those patches.

For the last one, can you try just removing the $port code from thisPageUrl()?

According to RFC 2616 (Section 14.23) it sounds like it's valid for HTTP_HOST (Host header) to include the port number, and there could be a scenario where SERVER_PORT isn't valid (as the originating server is behind a proxy or load balancer and runs on a different port).

Let me know if that works for you.

Thanks again! :)
Dave Edis - Senior Developer
interactivetools.com
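
An added example, not code from CMS Builder or from any poster in this thread: it combines the two points discussed above, reading the case-sensitive `$_SERVER['HTTPS']` key and taking the port from the Host header instead of appending `SERVER_PORT` a second time. The function name `currentBaseUrl`, its array argument and the sample values are assumptions for illustration; because the Host header is supplied by the client, the function also rejects anything that is not a plain host with an optional port.

```php
<?php
// Added example (hypothetical helper, not CMS Builder code).
// Builds scheme://host[:port] from a $_SERVER-style array.
function currentBaseUrl(array $server): string
{
    // $_SERVER keys are case-sensitive: the web server sets 'HTTPS', never 'https'.
    // PHP documents HTTPS as non-empty when on; some servers report 'off' instead.
    $https   = isset($server['HTTPS']) ? strtolower((string)$server['HTTPS']) : '';
    $isHttps = ($https !== '' && $https !== 'off');
    $scheme  = $isHttps ? 'https' : 'http';

    // The Host header may already carry the port (RFC 2616, section 14.23).
    // It is client-supplied, so accept only "name" or "name:port"
    // (IPv6 literals are not handled and take the fallback path).
    $host = isset($server['HTTP_HOST']) ? (string)$server['HTTP_HOST'] : '';
    if (!preg_match('/^([a-z0-9.-]+)(?::([0-9]{1,5}))?$/i', $host, $m)) {
        // Fall back to the server's configured name and port.
        $m = [null, (string)($server['SERVER_NAME'] ?? 'localhost')];
        if (!empty($server['SERVER_PORT'])) {
            $m[2] = (string)$server['SERVER_PORT'];
        }
    }

    $name = strtolower($m[1]);
    $port = isset($m[2]) ? (int)$m[2] : null;

    // Omit the port when it is absent or is the scheme's default.
    $default = $isHttps ? 443 : 80;
    $suffix  = ($port === null || $port === $default) ? '' : ':' . $port;

    return "{$scheme}://{$name}{$suffix}";
}

// Constructed sample inputs (not taken from a real server).
$samples = [
    ['HTTPS' => 'on', 'HTTP_HOST' => 'www.example.com:84', 'SERVER_PORT' => '84'],
    ['HTTPS' => 'on', 'HTTP_HOST' => 'www.example.com',    'SERVER_PORT' => '443'],
    ['https' => 'on', 'HTTP_HOST' => 'www.example.com',    'SERVER_PORT' => '80'], // wrong-case key is ignored
    ['HTTP_HOST' => 'bad host/../', 'SERVER_NAME' => 'www.example.com', 'SERVER_PORT' => '80'],
];
foreach ($samples as $s) {
    echo currentBaseUrl($s), "\n";
}
```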

Re: [Dave] Buggy redirects still here when using HTTPS :(

By webdude - January 11, 2010

Hi Dave,

Great! Thanks for listening!