https://bugzilla.wikimedia.org/show_bug.cgi?id=40679
--- Comment #20 from Chris Steipp <[email protected]> 2012-10-02 23:19:30 UTC --- (In reply to comment #19) > 2 is a bug, yes. I wonder how that happens. Where does MediaWiki produce a > redirect to HTTPS if server includes http://? That should be impossible. The change in https://gerrit.wikimedia.org/r/#/c/25530/1/includes/specials/SpecialUserlogin.php on line 152 is what does the redirect. It redirects to the output of wfExpandUrl with PROTO_HTTPS passed in. Since wfExpandUrl returns an http link, the page keeps redirecting. (In reply to comment #18) > This is imho not a bug. It is expected (and imho acceptable) behaviour. After reading up on the history of $wgServer, I tend to agree that setting $wgServer with http:// should mean that you don't have ssl available, so combining that with $wgSecureLogin = true is a conflict. I also think the codebase shouldn't have to identify and make a special case when the conflict occurs, and can assume configs are setup consistently. But, I can't think of anywhere else that we have 2 configuration parameters that can conflict to break the site, although I could definitely be wrong about that. I would prefer that when 2 configs are in conflict, and they have anything to do with security, we either put up a warning message so the admin knows that they messed up, or we assume the admin really meant to use the more secure one and we try to fix up the conflict. Is there consensus/precedence on which is preferred? -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
