 Post subject: [fixed] 1.10 Beta3: more unencrypted data with SSL admin
PostPosted: Wed Sep 21, 2011 11:18 am 
Forum Members

Joined: Sun Jul 27, 2008 1:36 am
Posts: 218
Location: USA
I made a clean install of 1.10-beta3 on a server with its own (non-shared) SSL cert. Next, I applied the patches described in this post: Re: CMSMS 1.10 Beta3 is available to track down other observed cases of unencrypted data being sent over the network during an SSL admin session. Here's a list of what I've found so far:

  1. I captured the headers from a page reload of the Extensions » MicroTiny WYSIWYG editor page and extracted a list of thirteen (unencrypted) http: URLs requested (see attached).
  2. It appears that MicroTiny init. code used by the backend during an SSL admin session also contains URLs based on $config['root_url'] rather than $config['ssl_url'].
    Code:
    #grep http: /tmp/cache/mt_0f3d9d7e1635a606aa639e5d24f05R75b
    image : 'http://example.com/modules/MicroTiny/images/cmsmslink.gif',
    document_base_url : "http://example.com/",
    var cmsURL = "http://example.com/modules/MicroTiny/filepicker.php?_sx_=0ca14680&type="+type;

Note: the site's config.php contained:
Code:
$config['admin_url'] = 'https://example.org/my.admin';
$config['root_url'] = 'http://example.org';
$config['ssl_url']   = 'https://example.org';


Attachments:
File comment: HTTP URLs requested during page reload of Extensions » MicroTiny WYSIWYG editor during SSL admin session.
beta3_ext_microtiny_http.txt [1005 Bytes]

_________________
Nearly all men can stand adversity, but if you want to test a man's character, give him power.
- Abraham Lincoln
 Post subject: Re: CMSMS 1.10 Beta3: more unencrypted data with SSL admin
PostPosted: Fri Sep 30, 2011 1:57 pm 
Power Poster

Joined: Sun Apr 19, 2009 9:33 am
Posts: 1376
confirmed MicroTiny calls http:// assets when $config['admin_url'] = 'https://example.org';

==

It seems that it's possible to not specify the http:// or https:// protocol in the config.php to get around this issue as:

Code:
$config['root_url'] = '//example.org';


See:
http://paulirish.com/2010/the-protocol-relative-url/

I think I am going to use this in my templates for mixed (http://, https://) environments.

_________________
The CMSMS Builder is a tool to help you develop and optimize CMS Made Simple >= 2.2.3 themes, it is made by a developer for developers.

If you like an automated file based work-flow this project might be for you. It is usable to kick-start a new CMSMS project or it can be applied to existing ones.


 Post subject: Re: CMSMS 1.10 Beta3: more unencrypted data with SSL admin
PostPosted: Fri Sep 30, 2011 10:19 pm 
Forum Members

Joined: Sun Jul 27, 2008 1:36 am
Posts: 218
Location: USA
arnoud wrote:
confirmed MicroTiny calls http:// assets when $config['admin_url'] = 'https://example.org';
==
It seems that it's possible to not specify the http:// or https:// protocol in the config.php to get around this issue as:
...

True. There are pros and cons to using scheme-relative URLs, just as there are to root-relative URLs, which have a slightly different set of advantages and disadvantages. Of course, absolute URLs have their own issues -- hence, this problem report. ;)

Last time I looked, root-relative URLs ("path absolute" in RFC3986 lingo) were generally preferred, particularly in CDN situations. But, I haven't used them much with CMSMS.

One small advantage to root-relative URLs, is that they are shorter than absolute or scheme-relative URLs, since the browser is supposed to fill in the missing info (scheme, hostname, etc) from the request:
Code:
$config['root_url'] = '/';
$config['uploads_url'] = '/uploads';
One good & bad thing about root-relative is that they make it a bit harder for evil website scrapers to copy your site. On the downside, this tends to mean you need a virtual host setup when working on a local web server, so the path portions of the URLs match.

But i digress... ;-)

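The checks discussed in this thread (the grep for http: URLs in the MicroTiny init code in the first post, the scheme-relative workaround in the second, and the root-relative resolution in the third) can be reproduced offline with the small script below. This is an added example, not CMSMS code or anything from the posters: it scans a constructed snippet modelled on the quoted cache file, resolves every URL against the https admin origin the way a browser does (RFC 3986, via urllib.parse.urljoin), and reports the ones that would still be fetched over plain http. The asset_base() helper is a hypothetical illustration of choosing $config['ssl_url'] over $config['root_url'] for an SSL session; it is not the fix that went into svn.

```python
"""Mixed-content check for editor init code served from an https admin page.

Added example (not part of CMSMS). Finds quoted URLs in an HTML/JS blob,
classifies them, resolves them against the page URL and lists the ones a
browser would fetch unencrypted.
"""
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample mirroring the cached MicroTiny init code quoted in the
# first post, plus one scheme-relative, one root-relative and one https URL.
SAMPLE_JS = """
image : 'http://example.com/modules/MicroTiny/images/cmsmslink.gif',
document_base_url : "http://example.com/",
var cmsURL = "http://example.com/modules/MicroTiny/filepicker.php?type="+type;
script_url : '//example.com/modules/MicroTiny/tiny_mce/tiny_mce.js',
content_css : '/uploads/editor.css',
popup_css : 'https://example.com/modules/MicroTiny/css/popup.css',
"""

# Constructed config, same shape as the config.php lines quoted in the thread.
SAMPLE_CONFIG = {
    "admin_url": "https://example.org/my.admin",
    "root_url": "http://example.org",
    "ssl_url": "https://example.org",
}

# A quoted string that is an absolute (http/https), scheme-relative (//host)
# or root-relative (/path) URL.
URL_RE = re.compile(r"""["']((?:https?:)?//[^"'\s]+|/[^"'\s]*)["']""")


def find_urls(text: str) -> list:
    """Return every quoted URL-looking string in text, in document order."""
    return URL_RE.findall(text)


def classify(url: str) -> str:
    """Name the URL form, matching the terms used in the thread."""
    if url.startswith("http://"):
        return "absolute-http"
    if url.startswith("https://"):
        return "absolute-https"
    if url.startswith("//"):
        return "scheme-relative"
    if url.startswith("/"):
        return "root-relative"
    return "other"


def summarize(text: str) -> dict:
    """Count URLs per form, e.g. {'absolute-http': 3, ...}."""
    counts = {}
    for url in find_urls(text):
        kind = classify(url)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def resolve(page_url: str, url: str) -> str:
    """Resolve url against the page it is embedded in, as a browser would."""
    return urljoin(page_url, url)


def insecure_loads(text: str, page_url: str) -> list:
    """(url, resolved) pairs that would be fetched over plain http from page_url.

    Scheme-relative and root-relative URLs inherit https from the page, so
    only absolute http:// URLs come back when page_url is https.
    """
    hits = []
    for url in find_urls(text):
        resolved = resolve(page_url, url)
        if urlsplit(resolved).scheme == "http":
            hits.append((url, resolved))
    return hits


def asset_base(config: dict, request_is_ssl: bool) -> str:
    """Hypothetical helper: base URL for generated asset links.

    Uses ssl_url for an SSL admin session and root_url otherwise; the bug in
    the thread is generating links from root_url regardless of the session.
    """
    if request_is_ssl and config.get("ssl_url"):
        return config["ssl_url"]
    return config["root_url"]


def rebase(text: str, old_base: str, new_base: str) -> str:
    """Rewrite generated code from one base URL to another."""
    return text.replace(old_base, new_base)


if __name__ == "__main__":
    page = "https://example.com/admin/editsettings.php"
    print("URL forms:", summarize(SAMPLE_JS))
    for url, resolved in insecure_loads(SAMPLE_JS, page):
        print("insecure:", url, "->", resolved)
    fixed = rebase(SAMPLE_JS, "http://example.com", "https://example.com")
    print("after rebasing:", insecure_loads(fixed, page))
```

Run it as-is to see the three http:// loads flagged and the scheme-relative and root-relative entries pass; resolve() also makes the third post's caveat concrete, since a root-relative '/uploads/x' resolved from a page under 'https://localhost/cmsms/admin/' drops the '/cmsms' prefix.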
 Post subject: Re: CMSMS 1.10 Beta3: more unencrypted data with SSL admin
PostPosted: Sun Oct 09, 2011 2:38 pm 
Dev Team Member

Joined: Tue Oct 19, 2004 6:44 pm
Posts: 8158
Location: Fernie British Columbia, Canada
fixed in svn.

_________________
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.