oauth-php not taking account of proxy setting

Bug #1954958 reported by Robert Lyon
This bug affects 1 person
Affects Status Importance Assigned to Milestone

Bug Description

There is an issue getting LTI working between Moodle and Mahara in the oauth-php library as it doesn't take Mahara's sslproxy configuration into consideration when generating the URI for $base_string

I'd like to propose a patch for Mahara that looks something like a change on line 92 of htdocs/webservice/rest/locallib.php
From this...

 $this->oauth_server = new OAuthServer();

To this...

 // Instantiating OAuthServer() with get_full_script_path() ensures that
 // the locally generated signature will contain a URI using the correct
 // protocol if this server is behind an sslproxy.
 // Otherwise OAuthServer() determines the protocol based only on a
 // check for $_SERVER['HTTPS'] and signature verification will fail.
 $this->oauth_server = new OAuthServer(get_full_script_path());

Essentially the OAuthRequest() class assumes that because the web container is not using SSL directly then the request URI should be prefixed with http:// rather than https://...

$proto = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http';

But it seems OK to instantiate OAuthServer() with a $uri to bypass this, so that could be done in webservice_rest_server::parse_request() rather than having to patch oauth-php directly, I think get_full_script_path() seems OK to use for this.

Robert Lyon (robertl-9)
Changed in mahara:
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "main" branch: https://reviews.mahara.org/12303

Changed in mahara:
status: Confirmed → In Progress
milestone: none → 22.04.0
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers