Moodle / MDL-5374

poor https check

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.6, 1.9, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7
    • Fix Version/s: 2.0
    • Component/s: Administration
    • Labels:
      None
    • Environment:
      All
    • Database:
      Any
    • Affected Branches:
      MOODLE_16_STABLE, MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE

      Description

      In all versions of Moodle, lib/weblib.php includes a snippet like this:

      if (isset($_SERVER['HTTPS'])) {
          $protocol = ($_SERVER['HTTPS'] == 'on') ? 'https://' : 'http://';
      } else if (isset($_SERVER['SERVER_PORT'])) {
          # Apache2 does not export $_SERVER['HTTPS']
          $protocol = ($_SERVER['SERVER_PORT'] == '443') ? 'https://' : 'http://';
      } else {
          $protocol = 'http://';
      }

      This doesn't work behind an SSL accelerator (an appliance that converts https: to http). A better approach:

      if (isset($_SERVER['HTTPS'])) {
          $protocol = 'https://';
      } else if (strncmp($CFG->wwwroot, 'https', 5) == 0) {
          $protocol = 'https://';
      } else {
          $protocol = 'http://';
      }

      Also, there are lots of snippets like str_replace('http','https', ...) that break if the host name accidentally includes 'http'. They must be str_replace('http:', 'https:', ...) at the least.

      A still better approach would be to use relative URLs! And the default protocol must always be derived from $CFG->wwwroot, not from $_SERVER['HTTPS'] or the port number.
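The two failure modes described in this report, as an added example that is not part of the original report or of Moodle's code. The function names, the `$server` array and the example.org hosts are constructed, and the anchored rewrite goes one step beyond the `'http:'` fix the report asks for.

```php
<?php
// Added example, not Moodle code. Function names, hosts and the $server
// array are constructed for illustration.

// The check quoted in the report, with $_SERVER passed in as an array.
function protocol_from_server(array $server): string {
    if (isset($server['HTTPS'])) {
        return ($server['HTTPS'] == 'on') ? 'https://' : 'http://';
    } else if (isset($server['SERVER_PORT'])) {
        return ($server['SERVER_PORT'] == '443') ? 'https://' : 'http://';
    }
    return 'http://';
}

// Protocol taken from the configured wwwroot, as the report recommends.
function protocol_from_wwwroot(string $wwwroot): string {
    return (strncasecmp($wwwroot, 'https://', 8) === 0) ? 'https://' : 'http://';
}

// Scheme rewrites: the pattern the report warns about, its minimum fix,
// and an anchored variant (assumption) that touches only a leading scheme.
function to_https_naive(string $url): string {
    return str_replace('http', 'https', $url);
}
function to_https_colon(string $url): string {
    return str_replace('http:', 'https:', $url);
}
function to_https_anchored(string $url): string {
    return preg_replace('#^http://#i', 'https://', $url, 1);
}

// Constructed request as seen behind an SSL accelerator: the backend
// receives plain HTTP on port 80 although the site is published as https.
$server  = ['SERVER_PORT' => '80'];
$wwwroot = 'https://moodle.example.org';
echo 'from $_SERVER: ', protocol_from_server($server), "\n";
echo 'from wwwroot:  ', protocol_from_wwwroot($wwwroot), "\n";

// Constructed URLs: a host containing "http", and an embedded second URL.
$urls = [
    'http://httpd.example.org/login/index.php',
    'http://moodle.example.org/go.php?to=http://other.example.org/',
];
foreach ($urls as $url) {
    echo $url, "\n";
    echo '  naive:    ', to_https_naive($url), "\n";
    echo '  colon:    ', to_https_colon($url), "\n";
    echo '  anchored: ', to_https_anchored($url), "\n";
}
```

The `'http:'` replacement leaves the host name intact but still rewrites the URL embedded in the `to=` parameter; the anchored variant changes only the leading scheme.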

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  24/Nov/10