Details
- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 1.6, 1.9, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7
- Fix Version/s: 2.0
- Component/s: Administration
- Labels: None
- Environment: All
- Database: Any
- Affected Branches: MOODLE_16_STABLE, MOODLE_19_STABLE
- Fixed Branches: MOODLE_20_STABLE
Description
In all versions of Moodle, lib/weblib.php includes a snippet like this:

    if (isset($_SERVER['HTTPS'])) {
        $protocol = ($_SERVER['HTTPS'] == 'on') ? 'https://' : 'http://';
    } else if (isset($_SERVER['SERVER_PORT'])) {
        # Apache2 does not export $_SERVER['HTTPS']
        $protocol = ($_SERVER['SERVER_PORT'] == '443') ? 'https://' : 'http://';
    } else {
        $protocol = 'http://';
    }

This doesn't work behind an SSL accelerator (an appliance that converts https: to http). A better approach:

    if (isset($_SERVER['HTTPS'])) {
        $protocol = 'https://';
    } else if (strncmp($CFG->wwwroot, 'https', 5) == 0) {
        $protocol = 'https://';
    } else {
        $protocol = 'http://';
    }

Also, there are lots of snippets like str_replace('http','https', ...) that break if the host name accidentally includes 'http'. They must be str_replace('http:', 'https:', ...) at the least.

A still better approach would be to use relative URLs! And the default protocol must always be derived from $CFG->wwwroot, not from $_SERVER['HTTPS'] or the port number.
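
The two problems described above, shown side by side in an added PHP example (not code from Moodle or from the reporter). The function names, the `$server` array standing in for `$_SERVER`, the `$wwwroot` value standing in for `$CFG->wwwroot`, and the URLs are all constructed for illustration; the anchored replacement goes one step further than the `'http:'` suggestion in the report.

```php
<?php
// Added illustration; function names, URLs and the $server array are constructed.

// The detection quoted from lib/weblib.php, taking $_SERVER as a parameter.
function protocol_from_server(array $server): string {
    if (isset($server['HTTPS'])) {
        return ($server['HTTPS'] == 'on') ? 'https://' : 'http://';
    } else if (isset($server['SERVER_PORT'])) {
        return ($server['SERVER_PORT'] == '443') ? 'https://' : 'http://';
    }
    return 'http://';
}

// Scheme taken from the configured site root instead of the request.
function protocol_from_wwwroot(string $wwwroot): string {
    $scheme = parse_url($wwwroot, PHP_URL_SCHEME);
    return (is_string($scheme) && strtolower($scheme) === 'https') ? 'https://' : 'http://';
}

// Upgrade only a leading "http://"; host, path and query stay untouched.
function to_https(string $url): string {
    return preg_replace('#^http://#i', 'https://', $url, 1);
}

// Constructed request as the web server sees it behind an SSL accelerator:
// TLS ended at the appliance, so there is no HTTPS variable and the port is 80.
$server  = ['SERVER_PORT' => '80'];
$wwwroot = 'https://httpd.example.org/moodle';   // stands in for $CFG->wwwroot

printf("from \$_SERVER: %s\n", protocol_from_server($server));
printf("from wwwroot:  %s\n", protocol_from_wwwroot($wwwroot));

// Constructed URL whose host name and query string both contain "http".
$url = 'http://httpd.example.org/moodle/login/index.php?return=http://other.example.net/';

// Rewrites every "http", including the one inside the host name.
printf("naive:    %s\n", str_replace('http', 'https', $url));
// Leaves the host alone but still rewrites the URL embedded in the query.
printf("colon:    %s\n", str_replace('http:', 'https:', $url));
// Touches the leading scheme only.
printf("anchored: %s\n", to_https($url));
```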
Issue Links
- has been marked as being related by MDL-17754 Session improvements and related rewrites (Closed)