[Mahara-contributors] [Bug 685942] Re: Possible https to http downgrade
Hi Ruslan, yup, it's been fixed for 1.4_STABLE and master, but not for 1.3_STABLE (see http://gitorious.org/mahara/mahara/blobs/1.3_STABLE/htdocs/init.php#line194 ). I thought 1.3_STABLE was still supported, am I right?

Saludos.
Iñaki.

--
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/685942

Title: Possible https to http downgrade

Status in Mahara ePortfolio: Fix Released
Status in Mahara 1.2 series: Fix Released
Status in Mahara 1.3 series: Incomplete

Bug description:
Interesting that with both bug #646713 and bug #684190, we overlooked the most obvious and relatively sensitive issue. Even though $cfg->wwwroot might be set to 'https://somemaharasite', depending on the Apache config, a user may still be able to use an insecure page for logging in by entering 'http://somemaharasite' in the web browser address field; then, upon logging in, user credentials will be passed through an insecure connection first, before the server responds with a redirection to the https-secured page. This is valid for other pages after logging in: at any time the user may switch back to an insecure connection by typing 'http://somemaharasite/somedir/somepage.php'. This can be fixed by ensuring that $_SERVER['HTTPS'] is set when $cfg->wwwroot = 'https://...', otherwise redirecting the user to the same page using https.

To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/685942/+subscriptions

___
Mailing list: https://launchpad.net/~mahara-contributors
Post to: mahara-contributors@lists.launchpad.net
Unsubscribe: https://launchpad.net/~mahara-contributors
More help: https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 685942] Re: Possible https to http downgrade
Hi Iñaki, 1.3_STABLE is supported for security fixes only. However, given that this cron-not-running bug is a regression caused by a security update, we should fix it in 1.3.7.

Bug #794490 is the bug that tracks this problem (and that's what change I991f51d2cc9272e5f33e5f4b7486d3565924d8c7 should have been pointing to). I have reopened it with a milestone of 1.3.7.

Cheers,
Francois

** Changed in: mahara/1.3
       Status: Incomplete => Fix Released
[Mahara-contributors] [Bug 685942] Re: Possible https to http downgrade
** Changed in: mahara/1.3
       Status: Fix Released => Incomplete
[Mahara-contributors] [Bug 685942] Re: Possible https to http downgrade
I didn't notice the fix was incomplete before because I was also bitten by this Ubuntu cron bug: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/790538

Now that cronjobs are run, I've noticed that my Mahara cronjob is run but nothing appears in the logs. I run the cronjob from the command line using the same config you can find in the wiki, and I have just switched to HTTPS for the whole Mahara site.

I've traced the issue to the commit for this bug, as it tries to redirect to secure URLs if the wwwroot is configured for HTTPS but the request is not done using HTTPS. When you run Mahara cron from the command line, HTTPS is obviously not set, so init.php tries to redirect the execution to the secured URL. But HTTP redirection doesn't work from the command line (for obvious reasons), so the execution dies inside redirect().

We need to check if we are running in command-line mode before checking HTTPS and trying to redirect the request to the secure URL. The attached patch (for 1.3_STABLE, that's what we are running right now) should do the trick. I think the patch should also be applied to 1.4_STABLE and master, but I don't have the time to test them right now.

Saludos.
Iñaki.
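The check Iñaki describes, combining the bug description's rule (redirect to https when $cfg->wwwroot is https but the request is not) with the command-line guard that the cron regression needs, as an added PHP example. This is not Mahara's init.php code and not the attached patch; the function name `https_redirect_target`, its parameters and the sample `$_SERVER` arrays are constructed for this example.

```php
<?php
// Added example, not Mahara's init.php or the attached patch. It shows the
// HTTPS-enforcement check from the bug description together with the CLI guard
// that the cron regression needs. The function name and the sample $_SERVER
// arrays below are constructed for this example.

/**
 * Return the https:// URL the current request should be redirected to, or
 * null when no redirect is needed.
 *
 * @param string $wwwroot  site root as configured in $cfg->wwwroot
 * @param array  $server   the request environment (normally $_SERVER)
 * @param string $sapi     the PHP SAPI name (normally PHP_SAPI)
 */
function https_redirect_target(string $wwwroot, array $server, string $sapi = PHP_SAPI): ?string
{
    // Command-line runs (cron.php started by cron) have no browser to redirect
    // and never carry $_SERVER['HTTPS']. Test this before the HTTPS check,
    // otherwise the redirect terminates the cron job before it does any work.
    if ($sapi === 'cli') {
        return null;
    }

    // Only enforce when the site is configured for HTTPS.
    if (stripos($wwwroot, 'https://') !== 0) {
        return null;
    }

    // Apache sets HTTPS to 'on' for TLS requests; missing or 'off' means the
    // request arrived over plain HTTP, and so would any credentials it posted.
    $https = $server['HTTPS'] ?? '';
    if ($https !== '' && strtolower($https) !== 'off') {
        return null;
    }

    // Build the target from the configured wwwroot host, not from the Host
    // header, so a forged Host header cannot steer the redirect elsewhere.
    $parts = parse_url($wwwroot);
    $host  = $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '');
    $uri   = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/' . $uri;
    }
    return 'https://' . $host . $uri;
}

// Constructed sample environments (not captured from a real server).
$wwwroot = 'https://somemaharasite/';

// Browser request over plain HTTP for a page inside the site.
$plain = ['REQUEST_URI' => '/somedir/somepage.php', 'HTTP_HOST' => 'somemaharasite'];
var_dump(https_redirect_target($wwwroot, $plain, 'apache2handler'));

// Same request over TLS: nothing to do.
$tls = $plain + ['HTTPS' => 'on'];
var_dump(https_redirect_target($wwwroot, $tls, 'apache2handler'));

// Cron run from the command line: no HTTPS variable, but no redirect either.
var_dump(https_redirect_target($wwwroot, [], 'cli'));

// In a web front controller the caller would do:
//   if ($target = https_redirect_target($cfg->wwwroot, $_SERVER)) {
//       header('Location: ' . $target, true, 301);
//       exit;
//   }
```

The SAPI test comes first on purpose: placing it after the HTTPS test, as the original fix effectively did, still calls redirect() for every cron run. Note also that a redirect only protects the requests that follow it; credentials a browser has already posted over plain HTTP have left the machine before the server answers, which is why sites that enforce HTTPS this way usually also send a Strict-Transport-Security header so the browser never issues the plain request in the first place.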
[Mahara-contributors] [Bug 685942] Re: Possible https to http downgrade
** Patch added: 0001-Cron-doesn-t-run-from-command-line-after-fixing-685.patch
   https://bugs.launchpad.net/mahara/+bug/685942/+attachment/2186652/+files/0001-Cron-doesn-t-run-from-command-line-after-fixing-685.patch
[Mahara-contributors] [Bug 685942] Re: Possible https to http downgrade
Hello Inaki, I thought it has been fixed already, see https://reviews.mahara.org/#change,303
[Mahara-contributors] [Bug 685942] Re: Possible https to http downgrade
** Changed in: mahara
       Status: Fix Committed => Fix Released

** Changed in: mahara
    Milestone: 1.4.0 => None
[Mahara-contributors] [Bug 685942] Re: Possible https to http downgrade
** Changed in: mahara
       Status: In Progress => Fix Committed