[horde] full url

Eric Rostetter eric.rostetter at physics.utexas.edu
Mon Mar 17 23:41:31 PST 2003


Quoting Chris Petersen <lists at forevermore.net>:

> I don't see how the user can get around this...
> 
> if (!$ssl) {
>     header("Location: https://whatever/");
>     exit;
> }

Go to location bar, remove the "s" and press return.  If your server is
accepting both http: and https: connections for the pages, then I can 
rewrite *most* (not all) pages this way.

Better example.  User has already bookmarked the pages when you allowed
http: connections.  Now you try to change it, but the server still 
accepts http: connections.  Every time they use their bookmark they
go to the http: page.
 
> even if the user changes the url or resubmits a modified html document,
> they still get redirected to the secure server.

Eventually, but by then the damage is already done...

> Granted, I use a bit
> more complexity to pass form variables through (if I need to and don't
> feel it's a security risk), but it's all pretty much the same thing.

What about, for example, cookie data?
 
> Now, if you were just talking about rewriting the URLs, then yes, it is
> a security risk..  But my concern isn't malicious users trying to submit
> information insecurely, it's just protecting them from themselves.

See my above bookmark issue.  Add others (like they mistype a url when
trying to enter it manually, etc).

> > I don't think use_ssl was intended to "force" ssl mode, so much as to
> > not break things when ssl was in use.  It is more to make sure the
> > protocol string and port number get set correctly when needed than
> > to enforce any policy.
> 
> you're probably right.  but with a name like use_ssl, I'd expect that
> it's telling horde to "use ssl"..  even though the code comments say
> otherwise, they're still not specific enough:
> 
> // 1 - Assume that we are using SSL and always generate https URLS.
> 
> a relative URL (which is what gets generated) is not an https url.
> thus, I'd say that it's not doing what it says it is.

It is if you read the comment line above that, which clearly says it
only applies to full urls.  Only applies to full urls obviously means
doesn't apply to relative urls.

> I'll see what I can do about patching the code to be a bit more
> auto-detecting of ssl choices, though it'll probably be a while (too much
> overtime is being required lately).

Heh...  I guess I'd have more time if I didn't keep threads like this alive...
When are they going to start shipping the 48 hour day???

> -Chris

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
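The point argued in this exchange is that a redirect alone runs only after the browser has already sent the plaintext request, so anything the browser attached to it (cookies in particular) is exposed before `header("Location: ...")` ever executes. The following is an added illustration, not code from this thread or from Horde itself: it detects whether the current request came in over TLS, redirects to the https equivalent of the same URL (so a bookmarked or mistyped http: link lands on the page the user wanted), and marks the session cookie `secure` so the browser never attaches it to an http: request in the first place. It assumes a PHP SAPI that populates the standard `$_SERVER` keys (`HTTPS`, `HTTP_HOST`, `SERVER_NAME`, `SERVER_PORT`, `REQUEST_URI`); the function names are my own.

```php
<?php
// Added example (not Horde code): redirect http: requests to https: and keep
// cookies off the plaintext request. Assumes a web SAPI that sets the usual
// $_SERVER keys; function names here are illustrative.

function request_is_ssl(array $server): bool
{
    // mod_ssl and most SAPIs set HTTPS to "on"/"1" for TLS; some set "off".
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Fall back to the port when HTTPS is not populated at all.
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

function https_equivalent_url(array $server): string
{
    // Rebuild the *same* path and query with the https scheme, so a bookmark
    // saved while http: was allowed still reaches the page it points at.
    $host = $server['HTTP_HOST'] ?? $server['SERVER_NAME'];
    $uri  = $server['REQUEST_URI'] ?? '/';
    // Accept only a plain hostname[:port]; a forged Host header must not turn
    // this into a redirect to somebody else's server.
    if (!preg_match('/^[A-Za-z0-9.\-]+(:\d+)?$/', $host)) {
        $host = $server['SERVER_NAME'];
    }
    return 'https://' . $host . $uri;
}

function redirect_to_ssl_if_needed(array $server): ?string
{
    if (request_is_ssl($server)) {
        return null;                       // already on https:, nothing to do
    }
    $target = https_equivalent_url($server);
    if (!headers_sent()) {
        header('Location: ' . $target, true, 301);
    }
    return $target;                        // caller must exit() without output
}

// The redirect cannot un-send a cookie the browser already put on the http:
// request. Marking the session cookie "secure" is what keeps it off that
// request; this has to be configured before the cookie is ever issued.
function start_secure_session(): void
{
    session_set_cookie_params([
        'secure'   => true,                // only sent over https:
        'httponly' => true,                // not readable from script
        'samesite' => 'Lax',
    ]);
    session_start();
}

if (PHP_SAPI !== 'cli') {
    if (redirect_to_ssl_if_needed($_SERVER) !== null) {
        exit;                              // no body, no cookies over http:
    }
    start_secure_session();
}
```

The order matters: the redirect guard runs before any output and before `session_start()`, so an http: hit gets nothing but the 301. Even so, a session cookie issued earlier without the `secure` flag would still ride along on that first plaintext request, which is exactly the case the "damage is already done" remark above describes.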
