mahara-contributors team mailing list archive
Message #65125
[Bug 1954958] A change has been merged
Reviewed: https://reviews.mahara.org/12303
Committed: https://git.mahara.org/mahara/mahara/commit/d3087a72252837f832c3153f3fc6331ad3159b98
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch: main
commit d3087a72252837f832c3153f3fc6331ad3159b98
Author: Dale Davies <dale.davies@xxxxxxxxxxxxxxx>
Date: Thu Dec 16 14:59:47 2021 +1300
Bug 1954958: Adjusting oauth to work better with sslproxy
Change-Id: I1686c74c1639ad120c9d806111225c714447938e
Signed-off-by: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1954958
Title:
oauth-php not taking account of proxy setting
Status in Mahara:
Fix Committed
Bug description:
There is an issue getting LTI working between Moodle and Mahara in the
oauth-php library as it doesn't take Mahara's sslproxy configuration
into consideration when generating the URI for $base_string.
I'd like to propose a patch for Mahara that looks something like a change on line 92 of htdocs/webservice/rest/locallib.php
From this...
$this->oauth_server = new OAuthServer();
To this...
// Instantiating OAuthServer() with get_full_script_path() ensures that
// the locally generated signature will contain a URI using the correct
// protocol if this server is behind an sslproxy.
// Otherwise OAuthServer() determines the protocol based only on a
// check for $_SERVER['HTTPS'] and signature verification will fail.
$this->oauth_server = new OAuthServer(get_full_script_path());
Essentially the OAuthRequest() class assumes that because the web container is not using SSL directly then the request URI should be prefixed with http:// rather than https://...
$proto = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ?
'https' : 'http';
But it seems OK to instantiate OAuthServer() with a $uri to bypass
this, so that could be done in webservice_rest_server::parse_request()
rather than having to patch oauth-php directly. I think
get_full_script_path() seems OK to use for this.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1954958/+subscriptions
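Added example (not part of the original message, and not Mahara or oauth-php code): a minimal OAuth 1.0 HMAC-SHA1 check showing why the scheme matters. The consumer signs the https:// URL it called, the server behind a TLS-terminating proxy rebuilds the URL from $_SERVER['HTTPS'] alone, and verification passes only when the server is given the public URL explicitly. All function names, keys, hosts and parameter values are constructed; the explicit $public_uri stands in for the value the patch passes to OAuthServer().

```php
<?php
// Added illustration; every name, key, host and value below is constructed.
// RFC 5849 section 3.4.1: METHOD & base URI & sorted parameters, each percent-encoded.
function base_string(string $method, string $uri, array $params): string {
    unset($params['oauth_signature']);   // the signature is never part of its own input
    ksort($params);
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode($k) . '=' . rawurlencode($v);
    }
    return implode('&', array_map('rawurlencode',
        [strtoupper($method), $uri, implode('&', $pairs)]));
}

function sign(string $base, string $consumer_secret, string $token_secret = ''): string {
    $key = rawurlencode($consumer_secret) . '&' . rawurlencode($token_secret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Scheme detection as quoted in the bug report: only the HTTPS flag is consulted.
function uri_from_server(array $server): string {
    $proto = (isset($server['HTTPS']) && $server['HTTPS'] == 'on') ? 'https' : 'http';
    return $proto . '://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

function verify(string $uri, array $params, string $secret): bool {
    $expected = sign(base_string('POST', $uri, $params), $secret);
    return hash_equals($expected, $params['oauth_signature']);  // constant-time compare
}

$secret = 'constructed-secret';
$public_uri = 'https://mahara.example.test/webservice/rest/server.php';
$params = [
    'oauth_consumer_key' => 'constructed-key',
    'oauth_nonce' => 'abc123',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp' => '1639620000',
    'oauth_version' => '1.0',
    'lti_message_type' => 'basic-lti-launch-request',
];
// The consumer (the LTI tool consumer) signs the URL it actually called.
$params['oauth_signature'] = sign(base_string('POST', $public_uri, $params), $secret);

// Behind a TLS-terminating proxy the web server receives plain HTTP: HTTPS is unset.
$server = ['HTTP_HOST' => 'mahara.example.test', 'REQUEST_URI' => '/webservice/rest/server.php'];

var_dump(verify(uri_from_server($server), $params, $secret)); // URI rebuilt from $_SERVER
var_dump(verify($public_uri, $params, $secret));              // URI supplied explicitly
```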