Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-46269

Convert http embedded content to https on https sites where available

    Details

    • Testing Instructions:
      Hide

      You will need a working SSL certificate to test this. One you made yourself is fine if it works. Otherwise use ngrok.

      You will need all databases, so I recommend using https://github.com/moodlehq/moodle-docker

      Note throughout this test that only embedded content needs to be converted. Actual links to pages should be left alone.

      Before you start, add the following to your config.php

      $CFG->forced_plugin_settings['tool_httpsreplace'] = ["renames" => json_encode(["www.example.com" => "secure.example.com"])];
      

      Test on MySQL, Postgres, Oracle and MSSQL

      1. Start with your instance with HTTP in the wwwroot
      2. Somewhere in your instance (e.g. in a course description), embed some pieces of http content
        1. One that also has https (so it can be upgraded later) example: <img src="http://download.moodle.org/unittest/test.jpg">
        2. One from example.com to test the renaming <img src="http://www.example.com/test.png">
        3. One from a made up site (so the https check fails). E.g. <object data="http://intentionally.unavailable/test.swf">
        4. Copy the URL of an image on the current site (making sure it's http) and embed it in your instance E.g <image src="http://yourmoodleurlhere/test.png">
      3. Go to Site Administration > Security > HTTP Security > HTTPS conversion tool (Near the bottom)
        1. Make sure intentionally.unavailable appears in the problematic domains
      4. Tick "I understand the risks"
      5. Click "Yes, do it!"
      6. Wait for the operation to complete. You should see both the problematic domain and the working domain get replaced, but not the embeded image from your instance
        1. Check that the images work and use atto source edit to check that the urls used https.*
        2. Check that the example.com one is now secure.example.com
        3. Make sure the image embedded from your instance works and was NOT changed to https
      7. Change your wwwroot to https (the embedded image from your moodle instance should now break)
      8. Run the conversion tool again via the interface
        1. Make sure the embedded image from your moodle instance is now changed
      9. We are going to do the same test again, but now with the CLI tools
      10. Put HTTP back in the wwwroot of your instance
      11. Somewhere in your instance (e.g. in a course description), embed some pieces of http content
        1. One that also has https (so it can be upgraded later) example: <img src="http://download.moodle.org/unittest/test.jpg">
        2. One from example.com to test the renaming <img src="http://www.example.com/test.png">
        3. One from a made up site (so the https check fails). E.g. <object data="http://intentionally.unavailable/test.swf">
        4. Copy the URL of an image on the current site (making sure it's http) and embed it in your instance E.g <image src="http://yourmoodleurlhere/test.png">
      12. Run php admin/tool/httpsreplace/cli/url_replace.php -l to check what domains first
        1. Make sure intentionally.unavailable appears in the problematic domains csv shown
      13. Run php admin/tool/httpsreplace/cli/url_replace.php -r --confirm You should see both the problematic domain and the working domain get replaced, but not the embeded image from your instance
        1. Check that the images work and use atto source edit to check that the urls used https
        2. Check that the example.com one is now secure.example.com
        3. Make sure the image embedded from your instance works and was NOT changed to https
      14. Change your wwwroot to https (the embedded image from your moodle instance should now break)
      15. Run the conversion tool again via the interface
        1. Make sure the embedded image from your moodle instance is now changed
      Show
      You will need a working SSL certificate to test this. One you made yourself is fine if it works. Otherwise use ngrok. You will need all databases, so I recommend using https://github.com/moodlehq/moodle-docker Note throughout this test that only embedded content needs to be converted. Actual links to pages should be left alone. Before you start, add the following to your config.php $CFG->forced_plugin_settings['tool_httpsreplace'] = ["renames" => json_encode(["www.example.com" => "secure.example.com"])]; Test on MySQL, Postgres, Oracle and MSSQL Start with your instance with HTTP in the wwwroot Somewhere in your instance (e.g. in a course description), embed some pieces of http content One that also has https (so it can be upgraded later) example: <img src="http://download.moodle.org/unittest/test.jpg"> One from example.com to test the renaming <img src="http://www.example.com/test.png"> One from a made up site (so the https check fails). E.g. <object data="http://intentionally.unavailable/test.swf"> Copy the URL of an image on the current site (making sure it's http) and embed it in your instance E.g <image src="http://yourmoodleurlhere/test.png"> Go to Site Administration > Security > HTTP Security > HTTPS conversion tool (Near the bottom) Make sure intentionally.unavailable appears in the problematic domains Tick "I understand the risks" Click "Yes, do it!" Wait for the operation to complete. You should see both the problematic domain and the working domain get replaced, but not the embeded image from your instance Check that the images work and use atto source edit to check that the urls used https.* Check that the example.com one is now secure.example.com Make sure the image embedded from your instance works and was NOT changed to https Change your wwwroot to https (the embedded image from your moodle instance should now break) Run the conversion tool again via the interface Make sure the embedded image from your moodle instance is now changed We are going to do the same test again, but now with the CLI tools Put HTTP back in the wwwroot of your instance Somewhere in your instance (e.g. in a course description), embed some pieces of http content One that also has https (so it can be upgraded later) example: <img src="http://download.moodle.org/unittest/test.jpg"> One from example.com to test the renaming <img src="http://www.example.com/test.png"> One from a made up site (so the https check fails). E.g. <object data="http://intentionally.unavailable/test.swf"> Copy the URL of an image on the current site (making sure it's http) and embed it in your instance E.g <image src="http://yourmoodleurlhere/test.png"> Run php admin/tool/httpsreplace/cli/url_replace.php -l to check what domains first Make sure intentionally.unavailable appears in the problematic domains csv shown Run php admin/tool/httpsreplace/cli/url_replace.php -r --confirm You should see both the problematic domain and the working domain get replaced, but not the embeded image from your instance Check that the images work and use atto source edit to check that the urls used https Check that the example.com one is now secure.example.com Make sure the image embedded from your instance works and was NOT changed to https Change your wwwroot to https (the embedded image from your moodle instance should now break) Run the conversion tool again via the interface Make sure the embedded image from your moodle instance is now changed
    • Affected Branches:
      MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_34_STABLE
    • Pull Master Branch:
      wip-MDL-46269-master
    • Story Points (Obsolete):
      100
    • Sprint:
      3.4 Sprint 5

      Description

      This could be a once off thing (e.g. when someone changes from http to https and back) or a constant thing (whenever they add a link)

      Note that apache server can be configured to choose http or https automatically, and other servers may have similar functionality.

      The protocol relative url option can be considered as well. "//www.example.com" will link to https://www.example.com if you are on https://moodle.org or http://www.example.com if you are on http://moodle.org

      Finally, a filter could be made.

      Filter attempt: https://github.com/xow/moodle/compare/27466d7548de99cbb050027acc3e809ce49ad2e9...MDL-46269-master-filter

        Gliffy Diagrams

          Attachments

          1. 0001-MDL-46269-Filters-Add-externalprotocol-filter-to-con.patch
            17 kB
          2. adminsettings.png
            adminsettings.png
            249 kB
          3. screenshot-1.png
            screenshot-1.png
            132 kB
          4. screenshot-2.png
            screenshot-2.png
            126 kB
          5. screenshot-3.png
            screenshot-3.png
            40 kB
          6. screenshot-4.png
            screenshot-4.png
            110 kB

            Issue Links

              Activity

                People

                • Votes:
                  18 Vote for this issue
                  Watchers:
                  34 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Fix Release Date:
                    13/Nov/17