Removal of httpswwwroot
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Medium | Ruslan Kabalin |
Bug Description
Originally reported in http://
If wwwroot and httpswwwroot are both set and they're set differently, then users accessing Mahara over https won't be able to retrieve various things - e.g. help snippets.
If the user is coming over https, and httpswwwroot is set, we should be using that instead of the wwwroot.
If they use the wwwroot, then browsers see this as XSS and block various things - e.g. help files.
This is *only* a problem when visiting over https and the wwwroot is set to http. The only place I can see where we actively pass users from http to https is the account settings page. That said, users can visit the httpswwwroot instead of the wwwroot and will see this on any page that they visit (until they click a link that is...).
I've marked this a security bug for the moment until someone else has had a look.
I think we may need to have more of a review of this - the ajaxlogin also uses config.wwwroot regardless of the setting of httpswwwroot.
Andrew
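The selection rule described in the report, together with a check of how a browser would treat the resulting request, as an added example (not Mahara's code and not part of the original report). The function names, the `example.org` hosts and the help path are constructed for illustration.

```javascript
// Added illustration: names, config values and the help path are constructed,
// not taken from Mahara's code base.
const cfg = {
  wwwroot: 'http://mahara.example.org/',
  httpswwwroot: 'https://mahara.example.org/',
};
const HELP_PATH = 'help/snippet.json'; // hypothetical resource

// The rule from the report: on an https page, prefer httpswwwroot when set.
function selectWwwroot(pageUrl, config) {
  const page = new URL(pageUrl);
  if (page.protocol === 'https:' && config.httpswwwroot) {
    return config.httpswwwroot;
  }
  return config.wwwroot;
}

// How a browser on pageUrl would see a script request for base + path.
function classifyRequest(pageUrl, base, path) {
  const page = new URL(pageUrl);
  const target = new URL(path, base);
  if (page.protocol === 'https:' && target.protocol === 'http:') {
    return 'mixed-content'; // insecure request from a secure page
  }
  return page.origin === target.origin ? 'same-origin' : 'cross-origin';
}

// Compare always using wwwroot with scheme-aware selection for each page.
function audit(pageUrls, config, path) {
  return pageUrls.map((pageUrl) => ({
    pageUrl,
    alwaysWwwroot: classifyRequest(pageUrl, config.wwwroot, path),
    schemeAware: classifyRequest(pageUrl, selectWwwroot(pageUrl, config), path),
  }));
}

const report = audit(
  ['http://mahara.example.org/view/', 'https://mahara.example.org/account/'],
  cfg,
  HELP_PATH,
);
console.log(report);
```

Only the https page changes classification between the two strategies; a site with no `httpswwwroot` set still falls back to `wwwroot` and stays in the mixed-content case.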
tags: added: https
Changed in mahara:
assignee: nobody → Ruslan Kabalin (ruslan-kabalin)
summary: js config.wwwroot ignores httpswwwroot → Removal of httpswwwroot
Changed in mahara:
status: Confirmed → In Progress
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
This patch may provide a potential solution but may also break things horribly - haven't had a chance to fully check. It may cause issues with exports with links to files included in the export (e.g. not being re-written correctly). It's also rather heavyweight.