Example Apache VirtualHost Config Allows non-SSL Web Staff Connections
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | Undecided | Unassigned |
2.8 | Fix Released | Undecided | Unassigned |
Bug Description
Eg 2.9 - master (as of 20151204)
OSRF 2.4
Others N/A
I recently built a web client installation using the provided Apache 2.4 vhost config files and pointed my browser to <site>/eg/staff. This fails because the LocationMatch directive requires that you remember to include a terminating /. (Annoying) On doing that I noticed cross-site scripting complaints in the web console because I was connected over http:// and scripts were attempting to operate on https:// resources in an iframe. I realize that these files are just examples, but the reality is that they may be used as-is and the web staff client should require or redirect to SSL connections.
I've since corrected this on my server, and will be putting a branch together to update the example configs.
Changed in evergreen: status: Fix Committed → Fix Released
Here lives a new branch addressing both the 2.2 and 2.4 configs: http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/jboyer/lp1522686_web_staff_ssl
To verify this:
Install Evergreen as usual without this patch (including the web client!) and try to open both of these URLs:
http://<server>/eg/staff
http://<server>/eg/staff/
The first will fail, the second will allow you to log in and do whatever staff things you like, over an unencrypted connection.
Apply the above branch and re-try both URLs. You should end up at https://<server>/eg/staff/ in both cases.
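As an added illustration, not the Evergreen project's own example vhost config and not the contents of the linked branch, here is one way an Apache 2.4 virtual host can cover both points in the report: the bare /eg/staff path is accepted, and any plain-HTTP request for the staff client is redirected to HTTPS before anything is served. The hostname and certificate paths are placeholders, and the body of the LocationMatch is left to whatever the shipped config puts there. It assumes mod_ssl, mod_rewrite, mod_alias and mod_headers are loaded.

```apache
# Added example, not the Evergreen project's own vhost config.
# Hostname and certificate paths are placeholders.

<VirtualHost *:80>
    ServerName eg.example.org

    # Anything under /eg/staff requested over plain HTTP is redirected
    # to the same path on HTTPS before any content is served.
    RewriteEngine On
    RewriteRule ^/eg/staff(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName eg.example.org
    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile    /etc/ssl/certs/eg.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/eg.example.org.key

    # Ask browsers to use HTTPS for this host from now on (mod_headers),
    # so a later http:// bookmark never sends a session over plaintext.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Accept the bare /eg/staff by sending it to /eg/staff/, so the
    # LocationMatch below (which expects the trailing slash) applies.
    RedirectMatch permanent ^/eg/staff$ /eg/staff/

    <LocationMatch "^/eg/staff/">
        # The web staff client directives from the shipped example
        # config belong here; they are omitted in this illustration.
    </LocationMatch>
</VirtualHost>
```

After `apachectl configtest`, `curl -I http://eg.example.org/eg/staff` should answer with a 301 whose Location header starts with `https://`, and `curl -I https://eg.example.org/eg/staff` should answer with a 301 to `/eg/staff/`; the original two test URLs both end at the HTTPS staff page, which is the behaviour the report asks for.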