CMSMS 1.11.3: SSL+admin can cause admin UI problems

Post by fredp »

Hi Dev Team,

First, thanks for the CMSMS 1.11.3 release! Upgrade from 1.11.2.1 to 1.11.3 installed without a problem, but I had trouble when I tried using admin with SSL. So, I created a fresh 1.11.3 install with sample data to collect more information for this report.

Summary:
There remain places in the Core code that use incorrect URLs, if SSL is enabled for admin. Bug#8238 [Assets loaded as http instead of https when ssl is enabled for /admin area] seems to identify one such area, but the problems appear more widespread and can disable much of the admin UI, making it difficult to use. The severity of the problem depends on 1) the admin template being used and 2) how the user's browser handles insecure content requests over SSL.

During my tests, Firefox (16.0.2/linux) reported insecure content errors to the javascript console, yet loaded most of the insecure assets anyway, making the admin console functional and this issue less than obvious. Google Chrome (v 23.0.1271.64), while also reporting these as javascript errors, failed to load the insecure assets! Because required javascript files (e.g., jquery) fail to load, significant portions of the OneEleven admin theme UI "break" when using Chrome (e.g., sidebar navigation doesn't work). The NCleanGrey admin theme, however, does much better, with just a couple of problems.

Below are the errors reported for just some of the admin pages having problems with SSL on Chrome. Also attached are the System Information report and the config.php file.

Subset of Problems:
1) OneEleven theme: initial admin login page errors (screen cap attached)

Code: Select all

[blocked] The page at https://example.org/admin/login.php ran insecure content from http://example.org/lib/jquery/js/jquery-1.7.2.min.js.
[blocked] The page at https://example.org/admin/login.php ran insecure content from http://example.org/lib/jquery/js/jquery-ui-1.8.21.custom.min.js.
Uncaught ReferenceError: jQuery is not defined 
2) OneEleven theme: user's (default) "Home" page, just after successful login

Code: Select all

[blocked] The page at https://example.org/admin/index.php?_sx_=d37e9b9b ran insecure content from http://example.org/lib/jquery/js/jquery-1.7.2.min.js.
[blocked] The page at https://example.org/admin/index.php?_sx_=d37e9b9b ran insecure content from http://example.org/lib/jquery/js/jquery-ui-1.8.21.custom.min.js.
[blocked] The page at https://example.org/admin/index.php?_sx_=d37e9b9b ran insecure content from http://example.org/lib/jquery/js/jquery.ui.nestedSortable-1.3.4.js.
[blocked] The page at https://example.org/admin/index.php?_sx_=d37e9b9b ran insecure content from http://example.org/lib/jquery/js/jquery.json-2.3.min.js.
[blocked] The page at https://example.org/admin/index.php?_sx_=d37e9b9b ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.iframe-transport.js.
[blocked] The page at https://example.org/admin/index.php?_sx_=d37e9b9b ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.fileupload.js.
Uncaught ReferenceError: jQuery is not defined jquery.cookie.min.js:1
Uncaught ReferenceError: jQuery is not defined standard.js:16
[blocked] The page at https://example.org/admin/index.php?_sx_=d37e9b9b ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.iframe-transport.js.
[blocked] The page at https://example.org/admin/index.php?_sx_=d37e9b9b ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.fileupload.js.
Uncaught ReferenceError: jQuery is not defined index.php:91
3) OneEleven theme: Content > Pages

Code: Select all

[blocked] The page at https://example.org/admin/listcontent.php?_sx_=d37e9b9b ran insecure content from http://example.org/lib/jquery/js/jquery-1.7.2.min.js.
[blocked] The page at https://example.org/admin/listcontent.php?_sx_=d37e9b9b ran insecure content from http://example.org/lib/jquery/js/jquery-ui-1.8.21.custom.min.js.
[blocked] The page at https://example.org/admin/listcontent.php?_sx_=d37e9b9b ran insecure content from http://example.org/lib/jquery/js/jquery.ui.nestedSortable-1.3.4.js.
[blocked] The page at https://example.org/admin/listcontent.php?_sx_=d37e9b9b ran insecure content from http://example.org/lib/jquery/js/jquery.json-2.3.min.js.
[blocked] The page at https://example.org/admin/listcontent.php?_sx_=d37e9b9b ran insecure content from http://example.org/lib/xajax/xajax_js/xajax_core.js.
[blocked] The page at https://example.org/admin/listcontent.php?_sx_=d37e9b9b ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.iframe-transport.js.
[blocked] The page at https://example.org/admin/listcontent.php?_sx_=d37e9b9b ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.fileupload.js.
Uncaught ReferenceError: jQuery is not defined jquery.cookie.min.js:1
Uncaught ReferenceError: jQuery is not defined standard.js:16
[blocked] The page at https://example.org/admin/listcontent.php?_sx_=d37e9b9b ran insecure content from http://example.org/lib/xajax/xajax_js/xajax_core.js.
[blocked] The page at https://example.org/admin/listcontent.php?_sx_=d37e9b9b ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.iframe-transport.js.
[blocked] The page at https://example.org/admin/listcontent.php?_sx_=d37e9b9b ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.fileupload.js.
Uncaught ReferenceError: jQuery is not defined listcontent.php:133
4) OneEleven theme: Content > File Manager

Code: Select all

[blocked][blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/lib/jquery/js/jquery-1.7.2.min.js.
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/lib/jquery/js/jquery-ui-1.8.21.custom.min.js.
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/lib/jquery/js/jquery.ui.nestedSortable-1.3.4.js.
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/lib/jquery/js/jquery.json-2.3.min.js.
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.iframe-transport.js.
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.fileupload.js.
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.iframe-transport.js.
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.fileupload.js.
Uncaught ReferenceError: jQuery is not defined jquery.cookie.min.js:1
Uncaught ReferenceError: jQuery is not defined standard.js:16
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.iframe-transport.js.
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.fileupload.js.
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.iframe-transport.js.
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.fileupload.js.
Uncaught ReferenceError: jQuery is not defined moduleinterface.php:93
Uncaught ReferenceError: $ is not defined moduleinterface.php:248
4The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager displayed insecure content from http://example.org/modules/FileManager/icons/themes/default/extensions/32px/dir.png.
The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager displayed insecure content from http://example.org/modules/FileManager/icons/themes/default/extensions/32px/html.png.
Uncaught ReferenceError: $ is not defined moduleinterface.php:438
5) NCleanGrey theme: Content > Pages

Code: Select all

[blocked] The page at https://example.org/admin/listcontent.php?_sx_=d37e9b9b ran insecure content from http://example.org/lib/xajax/xajax_js/xajax_core.js.
6) NCleanGrey theme: Content > File Manager

Code: Select all

[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.iframe-transport.js.
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.fileupload.js.
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.iframe-transport.js.
[blocked] The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager ran insecure content from http://example.org/modules/FileManager/js/jquery-file-upload/jquery.fileupload.js.
4The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager displayed insecure content from http://example.org/modules/FileManager/icons/themes/default/extensions/32px/dir.png.
The page at https://example.org/admin/moduleinterface.php?_sx_=d37e9b9b&module=FileManager displayed insecure content from http://example.org/modules/FileManager/icons/themes/default/extensions/32px/html.png.
Uncaught TypeError: Object [object Object] has no method 'fileupload' moduleinterface.php:371
7) NCleanGrey theme: MicroTiny WYSIWYG editor > MicroTiny example (insert-image errors)

Code: Select all

2The page at https://example.org/admin/moduleinterface.php?mact=MicroTiny,m1_,defaultadmin,0&_sx_=d37e9b9b&m1_module_message=Settings%20saved&m1_tab=settings displayed insecure content from http://example.org/uploads/ngrey/active.gif.
I'll be creating a new bug report and will add a link to this article.
Attachments
OneEleven theme: initial admin login page -- screen cap: note positioning errors due to unavailable assets.

Nearly all men can stand adversity, but if you want to test a man's character, give him power.
- Abraham Lincoln

Post by calguy1000 »

We tackled this stuff today... I think most (if not all) of these issues will be resolved in the upcoming 1.11.4 release.

Thanks.
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.

Post by fredp »

Wow! You guys are on fire. ;-)

Thanks for the rapid response!

Post by fredp »

Edit: Deleted post about SVN testing after I discovered a config.php error which could impact test results. Retesting now and will post results when complete.

Post by fredp »

Let's try this post again...

Hey Calguy1000,

Saw your request for pre-release testing of 1.11.4 from SVN. So, here's a little feedback re: this issue...

Summary: things are much better, but I found one small issue.

I pulled from SVN this afternoon and did a quick upgrade on an admin+SSL test site running 1.11.3. I used Chrome (v 23.0.1271.97) for testing as it was the pickiest of the browsers that I used for testing previously.

Config.php:

Code: Select all

$config['dbms'] = 'mysqli';
$config['db_hostname'] = 'localhost';
$config['db_username'] = 'user_cms';
$config['db_password'] = 'xxxxxxxxxxx';
$config['db_name'] = 'test_cms';
$config['db_prefix'] = 'cms_';
$config['root_url'] = 'http://1114.example.com';
$config['ssl_url']  = 'https://secure999.hostgator.com/~example/1114';
$config['admin_dir'] = 'admin';
$config['admin_url'] = 'https://secure999.hostgator.com/~example/1114/admin';

Upgrade was smooth and uneventful.
Login page looked as expected (i.e. layout is now correct!).

I tried both the NCleanGrey and OneEleven admin themes. I had to clear the browser cache to get OneEleven sidebar to work. After that, things looked normal.

Added a template--no problems.
Added a page using the new template--no problems.

Inserting an image into page content via MicroTiny image picker works, but a javascript error is reported:

Code: Select all

The page at https://secure999.hostgator.com/~example/1114/admin/editcontent.php?_sx_=544b0512&content_id=57&page= displayed insecure content from http://1114.example.com/uploads/simplex/images/cmsmadesimple-logo.png

While not critical for this release, it would still be best if images loaded securely--you wouldn't want to leak an image of the client's latest product before its official release! ;-)

Sorry I don't have the time for more extensive testing, but from the testing I was able to do, it looks pretty good.

Thanks for all your team's efforts!

Hope this helps,
fredp
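
Added example, not part of the thread and not CMSMS code: a small JavaScript scanner that lists the `http://` subresources an `https://` admin page references, split into script-like loads (the "[blocked] ... ran insecure content" lines above) and media (the "displayed insecure content" lines). The names `findMixedContent` and `SAMPLE_HTML`, the sample markup and the relative path are constructed for illustration, and the regex scan is a simplification, not a full HTML parser.

```javascript
// Added example (not CMSMS code): list http:// subresources referenced by an https:// page.
// "active"  = script-like loads (the "[blocked] ... ran insecure content" lines in the report)
// "passive" = media (the "displayed insecure content" lines)
const ACTIVE = new Set(['script', 'link', 'iframe', 'object', 'embed']);
const TAG_RE = /<(script|link|iframe|object|embed|img|audio|video|source)\b([^>]*)>/gi;
const URL_ATTR_RE = /(?:^|\s)(?:src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const STYLESHEET_RE = /(?:^|\s)rel\s*=\s*["']?[^"'>]*\bstylesheet\b/i;

function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // mixed content only exists on secure pages
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(TAG_RE)) {
    const tag = rawTag.toLowerCase();
    if (tag === 'link' && !STYLESHEET_RE.test(attrs)) continue; // e.g. rel=canonical is never fetched
    const m = URL_ATTR_RE.exec(attrs);
    if (!m) continue;
    let target;
    try {
      // Relative and protocol-relative references inherit the page's scheme here.
      target = new URL(m[1] ?? m[2] ?? m[3], page);
    } catch {
      continue; // unparseable reference
    }
    if (target.protocol !== 'http:') continue;
    findings.push({
      tag,
      url: target.href,
      kind: ACTIVE.has(tag) ? 'active' : 'passive',
      crossHost: target.host !== page.host, // e.g. root_url and ssl_url on different hosts
    });
  }
  return findings;
}

// Constructed sample markup; the absolute asset URLs are taken from the console output in the thread.
const SAMPLE_HTML = `
<link rel="canonical" href="http://example.org/admin/login.php">
<script src="http://example.org/lib/jquery/js/jquery-1.7.2.min.js"></script>
<script src="//example.org/lib/jquery/js/jquery.json-2.3.min.js"></script>
<script src='local/constructed.js'></script>
<img src="http://example.org/uploads/ngrey/active.gif">`;

for (const f of findMixedContent('https://example.org/admin/login.php', SAMPLE_HTML)) {
  console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url}`);
}
```

Only the two absolute `http://` references are reported; the protocol-relative and relative script references resolve to `https://` and pass.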