Example Apache VirtualHost Config Allows non-SSL Web Staff Connections

Bug #1522686 reported by Jason Boyer
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
Fix Released

Bug Description

Eg 2.9 - master (as of 20151204)
OSRF 2.4
Others N/A

I recently built a web client installation using the provided Apache 2.4 vhost config files and pointed my browser to <site>/eg/staff. This fails because the LocationMatch directive requires that you remember to include a terminating /. (Annoying) On doing that I noticed cross-site scripting complaints in the web console because I was connected over http:// and scripts were attempting to operate on https:// resources in an iframe. I realize that these files are just examples, but the reality is that they may be used as-is and the web staff client should require or redirect to SSL connections.

I've since corrected this on my server, and will be putting a branch together to update the example configs.

Revision history for this message
Jason Boyer (jboyer) wrote :

Here lives a new branch addressing both the 2.2 and 2.4 configs:

To verify this:

Install Evergreen as usual without this patch (including the web client!) try to open both of these URLs:

The first will fail, the second will allow you to login and do whatever staff things you like, over an unencrypted connection.

Apply the above branch and re-try both URLs. You should end up at https://<server>/eg/staff/ in both cases.

Revision history for this message
Ben Shum (bshum) wrote :

Works for me. Pushed to master and backported to rel_2_9 and rel_2_8 too.

Thanks Jason!

Changed in evergreen:
status: New → Fix Committed
Changed in evergreen:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.