mahara-contributors team mailing list archive

Thread
Date

[Bug 646713] Re: js config.wwwroot ignores httpswwwroot

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Iñaki Arenaza <646713@xxxxxxxxxxxxxxxxxx>
Date: Wed, 22 Dec 2010 00:16:37 -0000
Reply-to: Bug 646713 <646713@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

As Andrew points out, due to the way we deal with logins (at the same
URL with a transitent content, instead of using a round trip to a
different login URL like Moodle does), it's completely impossible to
make the Ajax based login work with it (the Javascript security model
forbids it, as it's clearly a XSS).

I talked about this with Nigel when I developed the patch, and he
thought the feature was still valuable (and demanded[*]) even if we
didn't protect the ajax based logins, so that's why it got in.

On the other hand, I don't think httpswwwroot could break mnet certs. We
don't use httpswwwroot for anything touching mnet at all (if I'm not
mistaken), only for local logins, and only for the login process itself
(so exports shouldn't be affected either).

I guess we are not going to change the way logins are handled, so this
is a bit of a dead end.

[*] Many people don't need or aren't interested in protecting the
contents of their Mahara site, but they need to protect their usernames
and passwords (e.g., they may be using their LDAP credentials, that are
reused in other more security-sensitive environments). And running the
whole site on SSL just to protect logins is overkill IMHO (and quite a
CPU burden if your site is used more than occasionally, even if CPUs
have gotten better at crypto).

Saludos.
Iñaki.

--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/646713

Title:
js config.wwwroot ignores httpswwwroot

Status in Mahara ePortfolio:
Confirmed

Bug description:
Originally reported in http://mahara.org/interaction/forum/topic.php?id=1746

If wwwroot and httpswwwroot are both set and they're set differently, then users accessing mahara over https won't be able to retrieve various things - e.g. help snippets.
If the user is coming over https, and httpswwwroot is set, we should be using that instead of the wwwroot.
If they use the wwwroot, then browsers see this as XSS and block various things - e.g. help files.

This is *only* a problem when visiting over https and the wwwroot is set to http. The only place I can see where we actively pass users from http to https is the account settings page. That said, users can visit the httpswwwroot instead of the wwwroot and will see this on any page that they visit (until they click a link that is...).

I've marked this a security bug for the moment until someone else has had a look.
I think we may need to have more of a review of this - the ajaxlogin also uses config.wwwroot regardless of the setting of httpswwwroot.

Andrew