[horde] full url
Chris Petersen
lists at forevermore.net
Mon Mar 17 23:29:03 PST 2003
> If using apache, see the IMP list archives. Comes up from time to time.
> If using something else, then you'd need to say what it is in order to
> get any help.
Thanks, I'll poke around.
> > if not ssl then redirect to ssl url...
>
> Yes, and I recommend you use that same logic, but in the web server.
> Then the user can't get around it.
I don't see how the user can get around this...
// $ssl is assumed to be set earlier to true when the request came in over HTTPS
if (!$ssl) {
    header("Location: https://whatever/");
    exit;
}
Even if the user changes the URL or resubmits a modified HTML document,
they still get redirected to the secure server. Granted, I use a bit
more complexity to pass form variables through (if I need to and don't
feel it's a security risk), but it's all pretty much the same thing.
Now, if you were just talking about rewriting the URLs, then yes, it is
a security risk. But my concern isn't malicious users trying to submit
information insecurely, it's just protecting them from themselves.
> I don't think use_ssl was intended to "force" ssl mode, so much as to
> not break things when ssl was in use. It is more to make sure the
> protocol string and port number get set correctly when needed than
> to enforce any policy.
You're probably right. But with a name like use_ssl, I'd expect that
it's telling Horde to "use ssl". Even though the code comments say
otherwise, they're still not specific enough:
// 1 - Assume that we are using SSL and always generate https URLS.
A relative URL (which is what gets generated) is not an https URL.
Thus, I'd say that it's not doing what it says it is.
I'll see what I can do about patching the code to be a bit more
auto-detecting of SSL choices, though it'll probably be a while (too much
overtime is being required lately).
-Chris
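The PHP-side redirect discussed in this thread, written out as an added example (not code from the post or from Horde): it detects whether the request arrived over SSL from $_SERVER and, if not, builds the absolute https URL for the same host and path, carrying over only the GET query string. The function names and the $_SERVER fixture are constructed for the example.

```php
<?php
// Added example, not from the post or from Horde.

// True when the current request already arrived over SSL.
function is_ssl_request(array $server): bool
{
    // Apache/mod_ssl sets HTTPS to "on"; some SAPIs use "1".
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // A listener on port 443 without the HTTPS flag is treated as SSL too.
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// Returns null when no redirect is needed, otherwise the absolute https:// target.
// Only the path and query string are carried over; a POST body is never
// replayed, so form data that was submitted in the clear is dropped, not re-sent.
function https_redirect_url(array $server): ?string
{
    if (is_ssl_request($server)) {
        return null;
    }
    // HTTP_HOST is client-supplied; with UseCanonicalName on, SERVER_NAME is
    // the configured hostname and is the safer choice for the redirect target.
    $host = $server['SERVER_NAME'] ?? $server['HTTP_HOST'];
    $host = preg_replace('/:\d+$/', '', $host);   // drop any :port suffix
    $uri  = $server['REQUEST_URI'] ?? '/';
    // Keep only path and query so a scheme/host smuggled into REQUEST_URI is ignored.
    $path  = parse_url($uri, PHP_URL_PATH) ?: '/';
    $query = parse_url($uri, PHP_URL_QUERY);
    return 'https://' . $host . $path . ($query !== null ? '?' . $query : '');
}

// Constructed sample request: plain http on port 80 (not a real server).
$sample = [
    'HTTPS'       => 'off',
    'SERVER_PORT' => '80',
    'SERVER_NAME' => 'mail.example.com',
    'HTTP_HOST'   => 'mail.example.com',
    'REQUEST_URI' => '/horde/login.php?url=%2Fhorde%2Fimp%2F',
];

$target = https_redirect_url($sample);
if ($target !== null) {
    // In a live request this would be: header('Location: ' . $target); exit;
    echo $target, "\n";
}
```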