← Back to team overview

mahara-contributors team mailing list archive

  1. mahara-contributors team
  2. Mailing list archive
  3. Message #64492

[Bug 1954958] [NEW] oauth-php not taking account of proxy setting

  Thread PreviousDate PreviousThread Next 
Public bug reported:

There is an issue getting LTI working between Moodle and Mahara in the
oauth-php library as it doesn't take Mahara's sslproxy configuration
into consideration when generating the URI for $base_string

I'd like to propose a patch for Mahara that looks something like a change on line 92 of htdocs/webservice/rest/locallib.php 
>From this...

 $this->oauth_server = new OAuthServer();

To this...

 // Instantiating OAuthServer() with get_full_script_path() ensures that
 // the locally generated signature will contain a URI using the correct
 // protocol if this server is behind an sslproxy.
 // Otherwise OAuthServer() determines the protocol based only on a
 // check for $_SERVER['HTTPS'] and signature verification will fail.
 $this->oauth_server = new OAuthServer(get_full_script_path());


Essentially the OAuthRequest() class assumes that because the web container is not using SSL directly then the request URI should be prefixed with http:// rather than https://...

$proto = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ?
'https' : 'http';

But it seems OK to instantiate OAuthServer() with a $uri to bypass this,
so that could be done in webservice_rest_server::parse_request() rather
than having to patch oauth-php directly, I think get_full_script_path()
seems OK to use for this.

** Affects: mahara
     Importance: High
         Status: Confirmed

** Changed in: mahara
   Importance: Undecided => High

** Changed in: mahara
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1954958

Title:
  oauth-php not taking account of proxy setting

Status in Mahara:
  Confirmed

Bug description:
  There is an issue getting LTI working between Moodle and Mahara in the
  oauth-php library as it doesn't take Mahara's sslproxy configuration
  into consideration when generating the URI for $base_string

  I'd like to propose a patch for Mahara that looks something like a change on line 92 of htdocs/webservice/rest/locallib.php 
  From this...

   $this->oauth_server = new OAuthServer();

  To this...

   // Instantiating OAuthServer() with get_full_script_path() ensures that
   // the locally generated signature will contain a URI using the correct
   // protocol if this server is behind an sslproxy.
   // Otherwise OAuthServer() determines the protocol based only on a
   // check for $_SERVER['HTTPS'] and signature verification will fail.
   $this->oauth_server = new OAuthServer(get_full_script_path());

  
  Essentially the OAuthRequest() class assumes that because the web container is not using SSL directly then the request URI should be prefixed with http:// rather than https://...

  $proto = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ?
  'https' : 'http';

  But it seems OK to instantiate OAuthServer() with a $uri to bypass
  this, so that could be done in webservice_rest_server::parse_request()
  rather than having to patch oauth-php directly, I think
  get_full_script_path() seems OK to use for this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1954958/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next