Bug#520935: bugzilla3: Cyclic link when enforce SSL is set to anything besides "never"

Soren Stoutner Mon, 23 Mar 2009 11:32:11 -0700

Package: bugzilla3
Version: 3.2.0.1-1
Severity: important

When enforce SSL is set to anything besides never (authenticated sessions or 
always), attempting to access bugzilla results in the following error 
(text copied from Konqueror, similar error messages in other browsers):


        An error occurred while loading 
http://bugzilla.h3solution.com/editparams.cgi?section=admin:
        Found a cyclic link in 
https://bugzilla.h3solution.com/editparams.cgi?section=admin.

If enforce SSL is set to never, everything works correctly (both http and 
https) with this one exception:

When a user logs in using https://bugzilla.h3solution.com, upon clicking on the 
"Login" button, the following warning is given:

        Warning: This is a secure form but it is attempting to send your data 
back unencrypted.
        A third party may be able to intercept and view this information.
        Are you sure you wish to continue?

The user is then directed to http.  If, after the user is logged in, the URL is 
manually changed from http to https, then the entire site functions 
correctly using SSL.

This appears to be a problem with the login function not working correctly.  It 
redirects everything to http.  If https is enforced, it creates a 
cyclic link.

url_base is set to 'http://bugzilla.h3solution.com/'
ssl_base is set to 'https://bugzilla.h3solution.com/'

If I want to use SSL I can work around this problem my manually setting 
url_base to 'https://bugzilla.h3solution.com' in /etc/bugzilla3/params, 
removing the http bugzilla apache entries, and setting a redirect from http to 
https in apache, but that seems like a clunky workaround.

Apache config files

<VirtualHost *:80>
        ServerName bugzilla.h3solution.com

        DocumentRoot /usr/lib/cgi-bin/bugzilla3/
        Alias /bugzilla3/ /usr/share/bugzilla3/web/
        Alias /cgi-bin/bugzilla3/ /usr/lib/cgi-bin/bugzilla3/

        <Directory "/usr/share/bugzilla3/web">
                AllowOverride none
                Order allow,deny
                Allow from all
        </Directory>

        <Directory "/usr/lib/cgi-bin/bugzilla3">
                AddHandler cgi-script cgi
                DirectoryIndex index.cgi
                Options +Indexes +ExecCGI -MultiViews +SymLinksIfOwnerMatch 
+FollowSymLinks
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>

        <Directory "/var/lib/bugzilla3/data">
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>

<VirtualHost *:443>
        ServerName bugzilla.h3solution.com

        DocumentRoot /usr/lib/cgi-bin/bugzilla3/
        Alias /bugzilla3/ /usr/share/bugzilla3/web/
        Alias /cgi-bin/bugzilla3/ /usr/lib/cgi-bin/bugzilla3/

        <Directory "/usr/share/bugzilla3/web">
                AllowOverride none
                Order allow,deny
                Allow from all
        </Directory>

        <Directory "/usr/lib/cgi-bin/bugzilla3">
                AddHandler cgi-script cgi
                DirectoryIndex index.cgi
                Options +Indexes +ExecCGI -MultiViews +SymLinksIfOwnerMatch 
+FollowSymLinks
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>

        <Directory "/var/lib/bugzilla3/data">
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages bugzilla3 depends on:
ii  apache2                 2.2.11-2         Apache HTTP Server metapackage
ii  apache2-mpm-prefork [ht 2.2.11-2         Apache HTTP Server - traditional n
ii  dbconfig-common         1.8.40           common framework for packaging dat
ii  debconf                 1.5.26           Debian configuration management sy
ii  libappconfig-perl       1.56-2           Perl module for configuration file
ii  libcgi-pm-perl          3.42-1           Simple Common Gateway Interface Cl
ii  libdbd-mysql-perl       4.008-1          A Perl5 database interface to the 
ii  libemail-mime-modifier- 1.443-1          module to modify Email::MIME objec
ii  libemail-send-perl      2.194-1          Simply Sending Email
ii  libtemplate-perl        2.19-1.1lenny1.1 template processing system written
ii  libtimedate-perl        1.1600-9         Time and date functions for Perl
ii  mysql-client            5.0.51a-24       MySQL database client (metapackage
ii  mysql-client-5.0 [mysql 5.0.51a-24       MySQL database client binaries
ii  patch                   2.5.9-5          Apply a diff file to an original
ii  perl-modules [libcgi-pm 5.10.0-19        Core Perl modules
ii  postfix [mail-transport 2.5.5-1.1        High-performance mail transport ag
ii  ucf                     3.0016           Update Configuration File: preserv

Versions of packages bugzilla3 recommends:
ii  libchart-perl          2.4.1-5           Chart Library for Perl
ii  libxml-parser-perl     2.36-1.1+b1       Perl module for parsing XML files
ii  mysql-server           5.0.51a-24        MySQL database server (metapackage
ii  mysql-server-5.0 [mysq 5.0.51a-24        MySQL database server binaries
ii  perlmagick             7:6.3.7.9.dfsg2-1 Perl interface to the libMagick gr

Versions of packages bugzilla3 suggests:
pn  bugzilla3-doc                 <none>     (no description available)
pn  graphviz                      <none>     (no description available)
ii  libgd-gd2-perl                1:2.39-2   Perl module wrapper for libgd - gd
ii  libgd-graph-perl              1.44-3     Graph Plotting Module for Perl 5
ii  libgd-text-perl               0.86-5     Text utilities for use with GD
ii  libhtml-parser-perl           3.60-1     collection of modules that parse H
pn  libhtml-scrubber-perl         <none>     (no description available)
ii  libmailtools-perl             2.04-1     Manipulate email in perl programs
ii  libmime-tools-perl            5.427-2    Perl5 modules for MIME-compliant m
ii  libnet-ldap-perl              1:0.39-1   client interface to LDAP servers
pn  libsoap-lite-perl             <none>     (no description available)
ii  libwww-perl                   5.825-1    WWW client/server library for Perl
pn  libxml-twig-perl              <none>     (no description available)

-- debconf information:
* bugzilla3/customized_values: false
  bugzilla3/database-type: mysql
  bugzilla3/remove-error: abort
  bugzilla3/dbconfig-remove:
* bugzilla3/dbconfig-install: true
  bugzilla3/internal/reconfiguring: false
  bugzilla3/remote/newhost:
  bugzilla3/internal/skip-preseed: false
  bugzilla3/remote/host:
  bugzilla3/install-error: abort
  bugzilla3/upgrade-backup: true
  bugzilla3/db/dbname: bugzilla3
  bugzilla3/missing-db-package-error: abort
  bugzilla3/passwords-do-not-match:
  bugzilla3/mysql/admin-user: root
  bugzilla3/upgrade-error: abort
  bugzilla3/db/app-user: bugzilla3
  bugzilla3/dbconfig-reinstall: false
  bugzilla3/mysql/method: unix socket
* bugzilla3/bugzilla_admin_real_name: Soren Stoutner
  bugzilla3/remote/port:
* bugzilla3/bugzilla_admin_name: sor...@h3solution.com
  bugzilla3/dbconfig-upgrade: true
  bugzilla3/purge: false



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#520935: bugzilla3: Cyclic link when enforce SSL is set to anything besides "never"

Reply via email to