
mahara-contributors team mailing list archive

[Bug 685942] Re: Possible https to http downgrade

 

I didn't notice the fix was incomplete before because I was also bitten
by this Ubuntu cron bug:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/790538

Now that cronjobs are run, I've noticed that my Mahara cronjob is run
but nothing appears in the logs. I run the cronjob from the command line
using the same config you can find in the wiki, and I have just switched
to HTTPS for the whole Mahara site.

I've traced the issue to the commit for this bug, as it tries to make a
redirect to secure URLs if the wwwroot is configured for HTTPS but the
request is not done using HTTPS. When you run Mahara cron from the
command line, HTTPS is obviously not set, so init.php tries to redirect
the execution to the secured URL. But HTTP redirection doesn't work in
command line (for obvious reasons), so the execution dies inside
redirect().

We need to check if we are running in command line mode before checking
HTTPS and trying to redirect the request to the secure URL. The attached
patch (for 1.3_STABLE, that's what we are running right now) should do
the trick. I think the patch should also be applied to 1.4_STABLE and
master, but I don't have the time to test them right now.

Saludos.
Iñaki.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/685942

Title:
  Possible https to http downgrade

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.2 series:
  Fix Released
Status in Mahara 1.3 series:
  Incomplete

Bug description:
  Interesting that with both, bug #646713 and bug #684190, we overlooked
  the most obvious and relatively sensitive issue.

  Even though $cfg->wwwroot might be set 'https://somemaharasite',
  depending on apache config, user may still be able to use insecure
  page for logging in by entering 'http://somemaharasite' in the web
  browser address field, then, upon logging-in, user credentials will be
  passed through insecure connection first, before server responds with
  redirection to https secured page.

  This is valid for other pages after logging in - at any time user may
  switch back to insecure connection by typing
  'http://somemaharasite/somedir/somepage.php'.

  This can be fixed by ensuring that $_SERVER['HTTPS'] is set when
  $cfg->wwwroot = 'https://...', otherwise redirecting user to the same
  page using https.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/685942/+subscriptions
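
The check discussed in this message (redirect plain-HTTP requests to HTTPS when wwwroot is HTTPS, but never when running from the command line), as an added example that is not Mahara's own code or the attached patch. The function name `https_redirect_target` and the sample requests are hypothetical.

```php
<?php
// Added illustration, not Mahara's init.php. Function name is hypothetical.

/**
 * Return the HTTPS URL to redirect to, or null when no redirect applies.
 *
 * $wwwroot  configured site root, e.g. 'https://somemaharasite/'
 * $server   the $_SERVER array (passed in so the logic can be exercised)
 * $sapi     value of php_sapi_name()
 */
function https_redirect_target(string $wwwroot, array $server, string $sapi): ?string {
    // Cron and other command-line runs have no HTTP request to redirect.
    if ($sapi === 'cli') {
        return null;
    }
    // Only enforce HTTPS when the site is configured for it.
    if (stripos($wwwroot, 'https://') !== 0) {
        return null;
    }
    // $_SERVER['HTTPS'] is non-empty for HTTPS requests; IIS sets 'off' for plain HTTP.
    $https = $server['HTTPS'] ?? '';
    if ($https !== '' && strtolower($https) !== 'off') {
        return null;
    }
    // Build the target from the configured wwwroot, not from the Host header,
    // so a forged Host header cannot steer the redirect to another site.
    $parts = parse_url($wwwroot);
    $origin = 'https://' . $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '');
    return $origin . ($server['REQUEST_URI'] ?? '/');
}

// Constructed sample requests.
$root = 'https://somemaharasite/';
$cases = [
    'cron from CLI'      => [[], 'cli'],
    'plain HTTP request' => [['REQUEST_URI' => '/somedir/somepage.php'], 'apache2handler'],
    'HTTPS request'      => [['HTTPS' => 'on', 'REQUEST_URI' => '/'], 'apache2handler'],
    'IIS plain HTTP'     => [['HTTPS' => 'off', 'REQUEST_URI' => '/'], 'isapi'],
];
foreach ($cases as $label => [$server, $sapi]) {
    $target = https_redirect_target($root, $server, $sapi);
    echo str_pad($label, 20), ' => ', $target ?? '(no redirect)', "\n";
}
```

As the bug description notes, credentials submitted to the `http://` URL have already crossed the insecure connection by the time the redirect is sent, so the login form itself must only ever be served and posted over HTTPS.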