  1. Moodle
  2. MDL-5374

poor https check


Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 1.6, 1.9, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7
    • 2.0
    • Administration
    • None
    • All
    • Any
    • MOODLE_16_STABLE, MOODLE_19_STABLE
    • MOODLE_20_STABLE

    Description

      In all versions of Moodle, lib/weblib.php includes a snippet like this:

      if (isset($_SERVER['HTTPS'])) {
          $protocol = ($_SERVER['HTTPS'] == 'on') ? 'https://' : 'http://';
      } else if (isset($_SERVER['SERVER_PORT'])) {
          # Apache2 does not export $_SERVER['HTTPS']
          $protocol = ($_SERVER['SERVER_PORT'] == '443') ? 'https://' : 'http://';
      } else {
          $protocol = 'http://';
      }

      This doesn't work behind an SSL accelerator (an appliance that converts https: to http). A better approach:

      if (isset($_SERVER['HTTPS'])) {
          $protocol = 'https://';
      } else if (strncmp($CFG->wwwroot, 'https', 5) == 0) {
          $protocol = 'https://';
      } else {
          $protocol = 'http://';
      }

      Also, there are lots of snippets like str_replace('http','https', ...) that break if the host name accidentally includes 'http'. They must be str_replace('http:', 'https:', ...) at the least.

      A still better approach would be to use relative URLs! And the default protocol must always be derived from the $CFG->wwwroot, not from $_SERVER['HTTPS'] or the port number.
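
      The two problems described in the report, side by side, as an added example that is not Moodle code and not part of the original report. All function names, the `$server` array and the example.org / example.net URLs are constructed for illustration.

```php
<?php
// Added example (not Moodle code); all function names and URLs are constructed.

// Detection as quoted in the report: trusts only what the web server sees.
function protocol_from_server(array $server): string {
    if (isset($server['HTTPS'])) {
        return ($server['HTTPS'] == 'on') ? 'https://' : 'http://';
    }
    if (isset($server['SERVER_PORT'])) {
        return ($server['SERVER_PORT'] == '443') ? 'https://' : 'http://';
    }
    return 'http://';
}

// Detection derived from the configured site root, as the report recommends.
function protocol_from_wwwroot(string $wwwroot): string {
    $scheme = parse_url($wwwroot, PHP_URL_SCHEME);
    return (is_string($scheme) && strtolower($scheme) === 'https') ? 'https://' : 'http://';
}

// Three ways to upgrade a URL: the naive replace, the report's minimum fix,
// and a replace anchored to the leading scheme only.
function upgrade_naive(string $url): string {
    return str_replace('http', 'https', $url);
}
function upgrade_colon(string $url): string {
    return str_replace('http:', 'https:', $url);
}
function upgrade_anchored(string $url): string {
    return preg_replace('#^http://#i', 'https://', $url, 1);
}

// Request as PHP sees it behind a TLS-terminating appliance: plain HTTP, port 80.
$server = ['SERVER_PORT' => '80'];
$wwwroot = 'https://moodle.example.org';
echo "server-based : ", protocol_from_server($server), "\n";
echo "wwwroot-based: ", protocol_from_wwwroot($wwwroot), "\n";

$urls = [
    'http://httpd.example.org/login/index.php',                // "http" inside host name
    'http://moodle.example.org/go.php?u=http://example.net/',  // URL inside query string
    'https://moodle.example.org/',                             // already HTTPS
];
foreach ($urls as $url) {
    echo $url, "\n";
    echo "  naive   : ", upgrade_naive($url), "\n";
    echo "  colon   : ", upgrade_colon($url), "\n";
    echo "  anchored: ", upgrade_anchored($url), "\n";
}
```

      The naive replace corrupts the host name and turns an existing `https://` into `httpss://`; the `http:` variant fixes both but still rewrites the URL embedded in the query string, which only the anchored version leaves alone.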

            People

              skodak Petr Skoda
              imported Imported
              Nobody Nobody
              Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Stevani Andolo
              Votes: 3
              Watchers: 4

              Dates

                Created:
                Updated:
                Resolved:
                24/Nov/10