[fixed] 1.10 Beta3: more unencrypted data with SSL admin

fredp
Forum Members
Posts: 218
Joined: Sun Jul 27, 2008 1:36 am
Location: USA

[fixed] 1.10 Beta3: more unencrypted data with SSL admin

Post by fredp »

I made a clean install of 1.10-beta3 on a server with its own (non-shared) SSL cert. Next, I applied the patches described in this post: Re: CMSMS 1.10 Beta3 is available to track down other observed cases of unencrypted data being sent over the network during an SSL admin session. Here's a list of what I've found so far:
  1. I captured the headers from a page reload of the Extensions » MicroTiny WYSIWYG editor page and extracted a list of thirteen (unencrypted) http: URLs requested (see attached).
  2. It appears that MicroTiny init. code used by the backend during an SSL admin session also contains URLs based on $config['root_url'] rather than $config['ssl_url'].

    #grep http: /tmp/cache/mt_0f3d9d7e1635a606aa639e5d24f05R75b
                           image : 'http://example.com/modules/MicroTiny/images/cmsmslink.gif',
      document_base_url : "http://example.com/",
      var cmsURL = "http://example.com/modules/MicroTiny/filepicker.php?_sx_=0ca14680&type="+type;
Note: the site's config.php contained:

$config['admin_url'] = 'https://example.org/my.admin';
$config['root_url'] = 'http://example.org';
$config['ssl_url']   = 'https://example.org';

Nearly all men can stand adversity, but if you want to test a man's character, give him power.
- Abraham Lincoln
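The report above boils down to one pattern: the editor's init snippet is built from $config['root_url'] regardless of the scheme the admin page was served over. The following PHP is an added illustration, not MicroTiny's or CMSMS's own code; the $config keys are the ones quoted in the post, while is_ssl_request(), build_asset_url_broken(), build_asset_url() and find_plain_http_urls() are hypothetical helper names. It shows the defective builder next to a scheme-aware one and runs the same plain-http check the grep in the post performs over both results.

```php
<?php
// Added example (not CMSMS/MicroTiny code). Constructed config mirroring the
// values quoted in the report.
$config = [
    'admin_url' => 'https://example.org/my.admin',
    'root_url'  => 'http://example.org',
    'ssl_url'   => 'https://example.org',
];

// Was this request served over TLS? Looks only at what the web server itself
// sets; behind a TLS-terminating proxy you would additionally need a header
// from a proxy you trust.
function is_ssl_request(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// Pattern the report describes (reconstructed, hypothetical): always use
// root_url, so an https admin page ends up embedding plain-http asset URLs.
function build_asset_url_broken(array $config, string $path): string
{
    return rtrim($config['root_url'], '/') . '/' . ltrim($path, '/');
}

// Scheme-aware form: take ssl_url when the request itself arrived over https.
function build_asset_url(array $config, array $server, string $path): string
{
    $base = is_ssl_request($server) ? $config['ssl_url'] : $config['root_url'];
    return rtrim($base, '/') . '/' . ltrim($path, '/');
}

// Scan generated JS/markup (e.g. a cached editor init snippet) for plain-http
// URLs; equivalent to the `grep http:` in the report.
function find_plain_http_urls(string $text): array
{
    preg_match_all('~http://[^\s\'"]+~', $text, $m);
    return $m[0];
}

// Simulated https admin request.
$server = ['HTTPS' => 'on', 'SERVER_PORT' => '443'];

$broken = "image : '" . build_asset_url_broken($config, 'modules/MicroTiny/images/cmsmslink.gif') . "',\n"
        . 'document_base_url : "' . build_asset_url_broken($config, '/') . '",';
$fixed  = "image : '" . build_asset_url($config, $server, 'modules/MicroTiny/images/cmsmslink.gif') . "',\n"
        . 'document_base_url : "' . build_asset_url($config, $server, '/') . '",';

echo $broken, "\n---\n", $fixed, "\n---\n";
printf("broken snippet: %d plain-http URL(s)\n", count(find_plain_http_urls($broken)));
printf("fixed snippet:  %d plain-http URL(s)\n", count(find_plain_http_urls($fixed)));
```

Run with `php` on the command line: the broken snippet reports two plain-http URLs for the https request, the scheme-aware one reports none. Running find_plain_http_urls() over every cached snippet under /tmp/cache is a cheap regression check after applying a fix like the one discussed in this thread.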
deactivated010521

Re: CMSMS 1.10 Beta3: more unencrypted data with SSL admin

Post by deactivated010521 »

confirmed MicroTiny calls http:// assets when $config['admin_url'] = 'https://example.org';

==

It seems that it's possible to not specify the http:// or https:// protocol in the config.php to get around this issue as:

$config['root_url'] = '//example.org';
See:
http://paulirish.com/2010/the-protocol-relative-url/

I think I am going to use this in my templates for mixed (http://, https://) environments.
fredp
Forum Members
Posts: 218
Joined: Sun Jul 27, 2008 1:36 am
Location: USA

Re: CMSMS 1.10 Beta3: more unencrypted data with SSL admin

Post by fredp »

arnoud wrote: confirmed MicroTiny calls http:// assets when $config['admin_url'] = 'https://example.org';
==
It seems that it's possible to not specify the http:// or https:// protocol in the config.php to get around this issue as:
...
True. There are pros and cons to using scheme-relative URLs, just as there are to root-relative URLs, which have a slightly different set of advantages and disadvantages. Of course, absolute URLs have their own issues -- hence, this problem report. ;)

Last time I looked, root-relative URLs ("path absolute" in RFC 3986 lingo) were generally preferred, particularly in CDN situations. But, I haven't used them much with CMSMS.

One small advantage to root-relative URLs is that they are shorter than absolute or scheme-relative URLs, since the browser is supposed to fill in the missing info (scheme, hostname, etc) from the request:

$config['root_url'] = '/';
$config['uploads_url'] = '/uploads';
One good & bad thing about root-relative is that they make it a bit harder for evil website scrapers to copy your site. On the downside, this tends to mean you need a virtual host setup when working on a local web server--so the path portions of the URLs match.

But I digress... ;-)
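Arnoud's scheme-relative suggestion and the root-relative alternative above both work because the browser inherits the missing parts from the page that embeds the reference. The PHP below is an added example, not code from CMSMS or from anyone in this thread; resolve_reference() and is_mixed_content() are hypothetical helpers that handle only the three URL styles the thread discusses (absolute, scheme-relative, path-absolute), not the full RFC 3986 algorithm. It resolves one uploads URL written in each style against an https admin page, an http public page and a local dev host, which also shows the virtual-host trade-off mentioned above.

```php
<?php
// Added example (not CMSMS code): resolve absolute, scheme-relative and
// path-absolute references against the embedding page.
function resolve_reference(string $base, string $ref): string
{
    $b = parse_url($base);
    if ($b === false || !isset($b['scheme'], $b['host'])) {
        throw new InvalidArgumentException("base must be an absolute URL: $base");
    }
    $authority = $b['host'] . (isset($b['port']) ? ':' . $b['port'] : '');

    if (preg_match('~^[a-z][a-z0-9+.-]*:~i', $ref)) {
        return $ref;                                     // absolute: scheme fixed by the reference
    }
    if (substr($ref, 0, 2) === '//') {
        return $b['scheme'] . ':' . $ref;                // scheme-relative: host given, scheme inherited
    }
    if (substr($ref, 0, 1) === '/') {
        return $b['scheme'] . '://' . $authority . $ref; // path-absolute: scheme and host inherited
    }
    throw new InvalidArgumentException("relative-path reference not handled: $ref");
}

// Does the resolved reference pull plain-http content into an https page?
function is_mixed_content(string $base, string $ref): bool
{
    $pageScheme = parse_url($base, PHP_URL_SCHEME);
    $refScheme  = parse_url(resolve_reference($base, $ref), PHP_URL_SCHEME);
    return $pageScheme === 'https' && $refScheme === 'http';
}

// Constructed inputs: the same uploads file written in the three config styles
// from the thread, and three pages that might embed it.
$refs = [
    'absolute (root_url = http://example.org)'   => 'http://example.org/uploads/logo.gif',
    'scheme-relative (root_url = //example.org)' => '//example.org/uploads/logo.gif',
    'root-relative (root_url = /)'               => '/uploads/logo.gif',
];
$pages = [
    'https://example.org/my.admin/index.php', // SSL admin session
    'http://example.org/index.php',           // public site over plain http
    'http://localhost/mysite/index.php',      // dev box without a matching virtual host
];

foreach ($pages as $page) {
    echo "page: $page\n";
    foreach ($refs as $label => $ref) {
        $resolved = resolve_reference($page, $ref);
        printf("  %-44s -> %s%s\n", $label, $resolved,
            is_mixed_content($page, $ref) ? '   [mixed content]' : '');
    }
}
```

Only the absolute form is flagged on the https admin page; the scheme-relative and root-relative forms follow the page's scheme. On the localhost page the root-relative form resolves to http://localhost/uploads/logo.gif rather than under /mysite/, which is the path-matching problem that makes a virtual host necessary for local work, and the scheme-relative form resolves to the real example.org host, so neither is free of trade-offs.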
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: CMSMS 1.10 Beta3: more unencrypted data with SSL admin

Post by calguy1000 »

fixed in svn.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.