2.1.1 secure admin mixed-content blocked

PinkElephant
Forum Members
Posts: 173
Joined: Fri Feb 06, 2009 2:08 pm

2.1.1 secure admin mixed-content blocked

Post by PinkElephant »

After a recent upgrade from 1.12.1 to 2.1.1 no content was showing under the Content Manager and the Design Manager's Templates & Stylesheets.

$config['admin_url'] is set as 'https://www.example.com/bespoke-name'.

It turns out that the browser was blocking insecure content, as shown by firebug for the Content Manager:

Code:

Blocked loading mixed active content "http://www.example.com/modules/FileManager/js/jquery-file-upload/jquery.iframe-transport.js"
Blocked loading mixed active content "http://www.example.com/modules/FileManager/js/jquery-file-upload/jquery.fileupload.js"
Blocked loading mixed active content "http://www.example.com/modules/FileManager/js/jqueryrotate/jQueryRotate-2.2.min.js"
Blocked loading mixed active content "http://www.example.com/modules/FileManager/js/jrac/jquery.jrac.js"
Blocked loading mixed active content "http://www.example.com/modules/FileManager/js/jrac/style.jrac.css"
Blocked loading mixed active content "http://www.example.com/modules/FileManager/js/jquery-file-upload/jquery.iframe-transport.js"
Blocked loading mixed active content "http://www.example.com/modules/FileManager/js/jquery-file-upload/jquery.fileupload.js"
Blocked loading mixed active content "http://www.example.com/modules/FileManager/js/jqueryrotate/jQueryRotate-2.2.min.js"
Blocked loading mixed active content "http://www.example.com/modules/FileManager/js/jrac/jquery.jrac.js"
Blocked loading mixed active content "http://www.example.com/modules/FileManager/js/jrac/style.jrac.css"
TypeError: $(...).fileupload is not a function
	
$(thediv+'_i').fileupload({

I'm using the same setup (https admin & bespoke directory) on a fresh install of 2.0.1.1 with different results - login directs to the 'Site Admin' section (there's no configured 'Home' page) but it's not a secure connection. In this case though, all links to sub-pages return secure pages with no mixed content.

Code:

Cms Version: 2.1.1

Installed Modules:

    CMSMailer: 5.2.4
    AdminSearch: 1.0
    FileManager: 1.5.2
    MenuManager: 1.50.2
    MicroTiny: 2.0.2
    ModuleManager: 2.0.1
    News: 2.50.3
    Search: 1.50.2
    ThemeManager: 1.1.8
    CGSimpleSmarty: 2.0.5
    CGExtensions: 1.51.1
    JQueryTools: 1.3.8
    CGSmartImage: 1.21
    Gallery: 2.1
    CMSContentManager: 1.1
    DesignManager: 1.1.1
    Navigator: 1.0.2
	
Config Information:

    php_memory_limit:
    max_upload_size: 10000000
    url_rewriting: mod_rewrite
    page_extension:
    query_var: page
    auto_alias_content: true
    locale:
    set_names: true
    timezone: Europe/London
    permissive_smarty: false

Php Information:

    phpversion: 5.6.17-0+deb8u1
    md5_function: On (True)
    json_function: On (True)
    gd_version: 2
    tempnam_function: On (True)
    magic_quotes_runtime: Off (False)
    E_STRICT: 0
    E_DEPRECATED: 0
    test_file_timedifference: No time difference found
    test_db_timedifference: No time difference found
    create_dir_and_file: 1
    memory_limit: 128M
    max_execution_time: 120
    register_globals: Off (False)
    output_buffering: 4096
    disable_functions: pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait, pcntl_wifexited, pcntl_wifstopped, pcntl_wifsignaled, pcntl_wexitstatus, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal, pcntl_signal_dispatch, pcntl_get_last_error, pcntl_strerror, pcntl_sigprocmask, pcntl_sigwaitinfo, pcntl_sigtimedwait, pcntl_exec, pcntl_getpriority, pcntl_setpriority,
    open_basedir:
    test_remote_url: Success
    file_uploads: On (True)
    post_max_size: 10M
    upload_max_filesize: 10M
    session_save_path: /var/lib/php5/sessions (1733)
    session_use_cookies: On (True)
    xml_function: On (True)
    xmlreader_class: On (True)
    check_ini_set: On (True)
    curl: On

Performance Information:

    allow_browser_cache: On (True)
    browser_cache_expiry: 60
    php_opcache: On (True)
    smarty_cache: On (True)
    smarty_compilecheck: Off (False)
    smarty_cache_udt: On (True)
    auto_clear_cache_age: On (True)

Server Information:

    Server Software: Apache
    Server Api: apache2handler
    Server Os: Linux 3.16.0-4-amd64 On x86_64
    Server Db Type: MySQL (mysqli)
    Server Db Version: 5.5.46
    Server Db Grants: Found a "GRANT ALL" statement that appears to be suitable

Permission Information:

    tmp: /srv/[example.com]/public/htdocs/tmp (0770)
    tmp_cache: /srv/[example.com]/public/htdocs/tmp/cache (0770)
    templates_c: /srv/[example.com]/public/htdocs/tmp/templates_c (0770)
    modules: /srv/[example.com]/public/htdocs/modules (0770)
    uploads: /srv/[example.com]/public/htdocs/uploads (0770)
    File Creation Mask (umask): /srv/[example.com]/public/htdocs/tmp/cache (0770)
    config_file: 0440

Just me?
PinkElephant
Forum Members
Posts: 173
Joined: Fri Feb 06, 2009 2:08 pm

Re: 2.1.1 secure admin mixed-content blocked

Post by PinkElephant »

Well, I'm guessing that...

modules\FileManager\FileManager.module.php

Code:

protected function _output_header_javascript()
{
    $out = '';
    $urlpath = $this->GetModuleURLPath()."/js";

... can only return an insecure url;

lib\classes\class.CMSModule.php

Code:

final public function GetModuleURLPath($use_ssl=false)
{
    return ($use_ssl?$this->config['ssl_url']:CMS_ROOT_URL) . '/modules/' . $this->GetName();
}

(lib\classes\class.cms_admin_utils.php also makes a couple of parameterless calls for icons/{$img} & images/{$img})

... but if that was the case, I'd expect far more reports here. I'm now wondering if I'm misreading, or if it's unusually quiet and/or there's something whacky in my setup.

Any pointers appreciated.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm

Re: 2.1.1 secure admin mixed-content blocked

Post by calguy1000 »

This is not exactly clear to me.

Your main site is NOT using https, but your admin is configured to use https?
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
PinkElephant
Forum Members
Posts: 173
Joined: Fri Feb 06, 2009 2:08 pm

Re: 2.1.1 secure admin mixed-content blocked

Post by PinkElephant »

Hi calguy1000

Thanks for looking.
calguy1000 wrote: Your main site is NOT using https, but your admin is configured to use https?

You guessed right. More specifically, config.php is this:

Code:

<?php

include($_SERVER['DOCUMENT_ROOT'] . '../inc/cmsms-config-private.php');

$config['root_url']  = 'http://www.example.com';
$config['ssl_url']   = 'https://www.example.com';

$config['url_rewriting'] = 'mod_rewrite';
$config['timezone'] = 'Europe/London';

... and the include file;

Code:

<?php 

$config['admin_url'] = 'https://www.example.com/XXX-admin-XXX';
$config['admin_dir'] = 'XXX-admin-XXX';

$config['dbms'] = 'mysqli';
$config['db_hostname'] = '*****';
$config['db_username'] = '*****';
$config['db_password'] = '*****';
$config['db_name'] = '000';
$config['db_prefix'] = 'cms_';

$config['timezone'] = 'Europe/London';

$config['debug'] = 0;

So http:// and https:// www.example.com/XXX-admin-XXX land at https://www.example.com/XXX-admin-XXX/ with 'mixed content'.

Now you've asked the question, I'm thinking I can avoid the issue by setting the main site to use https only... yes, that works - and Google will prefer it - but I guess not everyone has the choice.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm

Re: 2.1.1 secure admin mixed-content blocked

Post by calguy1000 »

Yes, in your case I think that can be considered a bug.
Unfortunately it isn't that easy to prepare a test for it :)

One of our goals for 2.2 or a little beyond is to go to protocol-less URLs in the API, so that would solve that issue.

But I'll try to find time to look into it (after 2.1.2 comes out).
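An added illustration of the two approaches discussed up to this point, not CMSMS code and not from either poster: choosing the base URL from the scheme of the current request, and the protocol-less form. All function names are hypothetical, the config values are the ones posted above, the request array is constructed, and the first function assumes CMS_ROOT_URL equals root_url.

```php
<?php
// Added illustration; not CMSMS code. All function names are hypothetical.

// Config values as posted in this thread.
$config = [
    'root_url' => 'http://www.example.com',
    'ssl_url'  => 'https://www.example.com',
];

// True when the request arrived over TLS. Assumes a direct connection:
// behind a TLS-terminating proxy these variables describe the proxy hop.
function request_is_https(array $server): bool
{
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    return ($https !== '' && $https !== 'off')
        || (int)($server['SERVER_PORT'] ?? 0) === 443;
}

// Stand-in for the parameterless call quoted above (assumes CMS_ROOT_URL
// equals root_url): the scheme never follows the page being rendered.
function module_url_fixed_root(array $config, string $module): string
{
    return $config['root_url'] . '/modules/' . $module;
}

// Request-aware variant: use ssl_url whenever the page itself is on HTTPS.
function module_url_for_request(array $config, array $server, string $module): string
{
    $base = request_is_https($server) ? $config['ssl_url'] : $config['root_url'];
    return rtrim($base, '/') . '/modules/' . rawurlencode($module);
}

// Protocol-less variant: drop the scheme so the browser reuses the page's own.
// Only valid when root_url and ssl_url share host and path, as they do here.
function module_url_protocol_less(array $config, string $module): string
{
    $parts = parse_url($config['root_url']);
    $host  = $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '');
    $path  = rtrim($parts['path'] ?? '', '/');
    return '//' . $host . $path . '/modules/' . rawurlencode($module);
}

// Constructed request: the admin page fetched over HTTPS.
$adminRequest = ['HTTPS' => 'on', 'SERVER_PORT' => '443'];

echo module_url_fixed_root($config, 'FileManager'), "/js\n";
echo module_url_for_request($config, $adminRequest, 'FileManager'), "/js\n";
echo module_url_protocol_less($config, 'FileManager'), "/js\n";
```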
PinkElephant
Forum Members
Posts: 173
Joined: Fri Feb 06, 2009 2:08 pm

Re: 2.1.1 secure admin mixed-content blocked

Post by PinkElephant »

Cool. Thanks for all the great work...
Jeff
Power Poster
Posts: 961
Joined: Mon Jan 21, 2008 5:51 pm

Re: 2.1.1 secure admin mixed-content blocked

Post by Jeff »

A workaround that I have done on my sites is to remove the $config['root_url'] and $config['ssl_url'] statements in the config.php.

When they are removed, CMSms will use default values, which will work well in 95% of the cases.

Thanks,
Jeff