Hi Konstantin,

> In situations where SSL is terminated at the load-balancer, we cannot
> rely on guessing the scheme based on whether patchwork itself was
> accessed via http or https, since the last-leg is always going to be
> done over http.
>
> Unfortunately, wrongly using http:// URLs results in unusable
> .pwclientrc files, since xmlrpc does not handle http->https redirects
> and instead displays a traceback.
>
> This change introduces a FORCE_HTTPS_LINKS option, which forces
> pwclientrc links to always return "https" regardless of how the project
> itself is accessed.

Great, thanks for the contribution. I've merged your patch.

> It appears that the http/https check is currently only used for
> generating pwclientrc -- a lot of other places seem to hardcode
> "http://" and rely on the server to transparently upgrade the
> connection. This is not a secure approach (it allows for MITM and
> SSL-Strip attacks) and therefore all places currently hardcoding
> http://{{site.domain}} and similar should be switched to using the
> "scheme" variable, the same as done for generating pwclientrc files.

Yep, I'd agree. I'll add this to my TODO (unless you beat me to it!)

Cheers,
Jeremy

_______________________________________________
Patchwork mailing list
[email protected]
https://lists.ozlabs.org/listinfo/patchwork
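The two points in the thread (a FORCE_HTTPS_LINKS-style override so links stay `https` behind a TLS-terminating load balancer, and a sweep for templates that still hardcode `http://`) are illustrated below in an added example. This is not Patchwork's own code: the `Settings`/`Request` types, the `link_scheme`, `render_pwclientrc` and `find_hardcoded_http` functions, the sample template text and the hostname `patchwork.example.org` are all constructed here for the demonstration; only the option name FORCE_HTTPS_LINKS and the `.pwclientrc` layout (`[options]` plus one section per project with a `url=` key) are taken from the thread and from pwclient's documented config format.

```python
"""Added example (not Patchwork's code): choose the URL scheme for
generated links so that TLS termination at a load balancer does not
leak http:// links into .pwclientrc, and find hardcoded http:// in
templates that should be using the scheme variable instead."""

from dataclasses import dataclass


@dataclass
class Settings:
    # Mirrors the FORCE_HTTPS_LINKS option discussed in the thread.
    # When True, links are emitted as https:// even though the last leg
    # from the load balancer to the application is plain http.
    FORCE_HTTPS_LINKS: bool = False


@dataclass
class Request:
    # Minimal stand-in for a web framework request (hypothetical type).
    scheme: str  # "http" or "https" as seen by the application itself
    host: str    # host name to embed in generated URLs


def link_scheme(request: Request, settings: Settings) -> str:
    """Return the scheme to use in generated links.

    Guessing from request.scheme is wrong when TLS is terminated in front
    of the app (the app always sees http), so the explicit setting wins.
    """
    if settings.FORCE_HTTPS_LINKS:
        return "https"
    return "https" if request.scheme == "https" else "http"


def render_pwclientrc(request: Request, settings: Settings, project: str) -> str:
    """Render a .pwclientrc pointing the XML-RPC client at this project.

    Using the resolved scheme matters because the xmlrpc client does not
    follow an http->https redirect; an http:// url here is simply broken.
    """
    scheme = link_scheme(request, settings)
    return "\n".join([
        "[options]",
        f"default={project}",
        "",
        f"[{project}]",
        f"url={scheme}://{request.host}/xmlrpc/",
        "",
    ])


def find_hardcoded_http(template_text: str) -> list[tuple[int, str]]:
    """Report (line number, line) pairs that hardcode http:// in a template.

    These are the spots the thread says should use the scheme variable,
    since relying on a transparent server-side upgrade leaves a window
    for an active attacker to keep the connection on plain http.
    """
    return [
        (n, line)
        for n, line in enumerate(template_text.splitlines(), 1)
        if "http://" in line
    ]


# Constructed sample template fragment (not taken from Patchwork).
SAMPLE_TEMPLATE = """\
<a href="{{ scheme }}://{{ site.domain }}/">home</a>
<a href="http://{{ site.domain }}/project/">hardcoded</a>
<link rel="alternate" href="http://{{ site.domain }}/feed/">
"""


def demo() -> str:
    """Render a .pwclientrc as seen behind a TLS-terminating load balancer."""
    req = Request(scheme="http", host="patchwork.example.org")  # last leg is http
    return render_pwclientrc(req, Settings(FORCE_HTTPS_LINKS=True), "demo")


if __name__ == "__main__":
    print(demo())
    for n, line in find_hardcoded_http(SAMPLE_TEMPLATE):
        print(f"line {n}: {line.strip()}")
```

Without the override, `link_scheme` falls back to the request's own scheme, which is the behaviour that produced the broken `http://` entries in the first place; with it, every generated link is `https` regardless of how the application was reached.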
