Example Apache VirtualHost Config Allows non-SSL Web Staff Connections
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Evergreen |
Fix Released
|
Undecided
|
Unassigned | ||
| 2.8 |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
Eg 2.9 - master (as of 20151204)
OSRF 2.4
Others N/A
I recently built a web client installation using the provided Apache 2.4 vhost config files and pointed my browser to <site>/eg/staff. This fails because the LocationMatch directive requires that you remember to include a terminating /. (Annoying) On doing that I noticed cross-site scripting complaints in the web console because I was connected over http:// and scripts were attempting to operate on https:// resources in an iframe. I realize that these files are just examples, but the reality is that they may be used as-is and the web staff client should require or redirect to SSL connections.
I've since corrected this on my server, and will be putting a branch together to update the example configs.
| Jason Boyer (jboyer) wrote | #1 |
| Ben Shum (bshum) wrote | #2 |
| Changed in evergreen: | |
| status: | New → Fix Committed |
| Changed in evergreen: | |
| status: | Fix Committed → Fix Released |
Here lives a new branch addressing both the 2.2 and 2.4 configs:
http://
To verify this:
Install Evergreen as usual without this patch (including the web client!) try to open both of these URLs:
http://<server>/eg/staff
http://<server>/eg/staff/
The first will fail, the second will allow you to login and do whatever staff things you like, over an unencrypted connection.
Apply the above branch and re-try both URLs. You should end up at https://<server>/eg/staff/ in both cases.