** Patch added: "0001-Cron-doesn-t-run-from-command-line-after-fixing-685.patch" https://bugs.launchpad.net/mahara/+bug/685942/+attachment/2186652/+files/0001-Cron-doesn-t-run-from-command-line-after-fixing-685.patch

https://bugs.launchpad.net/bugs/685942

Title:
  Possible https to http downgrade

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.2 series:
  Fix Released
Status in Mahara 1.3 series:
  Incomplete

Bug description:
  Interesting that with both, bug #646713 and bug #684190, we overlooked
  the most obvious and relatively sensitive issue.

  Even though $cfg->wwwroot might be set to 'https://somemaharasite',
  depending on apache config, the user may still be able to use an
  insecure page for logging in by entering 'http://somemaharasite' in
  the web browser address field. Then, upon logging in, user credentials
  will be passed through an insecure connection first, before the server
  responds with a redirection to the https secured page.

  This is valid for other pages after logging in - at any time the user
  may switch back to an insecure connection by typing
  'http://somemaharasite/somedir/somepage.php'.

  This can be fixed by ensuring that $_SERVER['HTTPS'] is set when
  $cfg->wwwroot = 'https://...', otherwise redirecting the user to the
  same page using https.
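
The check proposed in the bug description, sketched as an added example; it is not Mahara's code and not the attached patch. The function name `https_redirect_target` is hypothetical, `$wwwroot` stands in for `$cfg->wwwroot`, and TLS is assumed to terminate at the web server so that `$_SERVER['HTTPS']` reflects the client connection. The command-line case from the patch title is skipped explicitly.

```php
<?php
// Added illustration, not Mahara's code. Names are hypothetical.

/**
 * Return the https URL to redirect to, or null when no redirect is needed.
 */
function https_redirect_target(string $wwwroot, array $server, string $sapi): ?string
{
    // Command-line runs (cron) have no request scheme to enforce.
    if ($sapi === 'cli') {
        return null;
    }
    // Only enforce when the site is configured as https.
    if (stripos($wwwroot, 'https://') !== 0) {
        return null;
    }
    // On a TLS request $_SERVER['HTTPS'] is non-empty and not 'off'.
    $https = (string) ($server['HTTPS'] ?? '');
    if ($https !== '' && strtolower($https) !== 'off') {
        return null;
    }
    // Take the host from configuration, never from the Host header,
    // so a forged Host cannot steer the redirect to another site.
    $parts = parse_url($wwwroot);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $authority = $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '');
    // Keep the requested path and query; drop CR/LF and force one leading
    // slash so the value cannot become a header split or a '//host' URL.
    $uri = str_replace(["\r", "\n"], '', (string) ($server['REQUEST_URI'] ?? '/'));
    return 'https://' . $authority . '/' . ltrim($uri, '/\\');
}

// Constructed sample requests. A live page would pass $_SERVER and PHP_SAPI,
// then send header('Location: ' . $target) and exit when $target is not null.
$wwwroot = 'https://somemaharasite';
$samples = [
    'plain http page' => [['REQUEST_URI' => '/somedir/somepage.php'], 'apache2handler'],
    'already https'   => [['HTTPS' => 'on', 'REQUEST_URI' => '/'], 'apache2handler'],
    'cron from cli'   => [[], 'cli'],
];
foreach ($samples as $label => [$server, $sapi]) {
    $target = https_redirect_target($wwwroot, $server, $sapi);
    echo $label, ': ', $target ?? 'no redirect', "\n";
}
```

A redirect only protects requests made after it: credentials posted straight to an http URL have already crossed the network in clear by the time the server answers.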

