
An HTTPS upgrade redirect loop is now detected and broken, with a warning page shown in its place. "-nossl" is no longer the implicit default for "fossil server". Warning messages are shown when logging in over an insecure connection.

drh 2018-02-16 16:16 trunk
Commit 61733824bbf5414725fb445f077330892b93b52a1ed9d7cbd10c1be260c4f629
2 files changed +30 -3 -3
+30 -3
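--- a/src/login.c
+++ b/src/login.c
@@ -502,14 +502,28 @@
 const char *zReferer;
 
 login_check_credentials();
 if( login_wants_https_redirect() ){
 const char *zQS = P("QUERY_STRING");
+if( P("redir")!=0 || g.sslNotAvailable ){
+style_header("Insecure Connection");
+@ <h1>Unable To Establish An Encrypted Connection</h1>
+@ <p>This website requires that login credentials be sent over
+@ an encrypted connection. The current connection, however, is
+@ is not encrypted all the way from your browser to the server.
+@ A prior attempt was made to redirect to %h(g.zHttpsURL) but
+@ the connection is still insecure even after the redirect.</p>
+@ <p>This is probably some kind of configuration problem. Please
+@ contact your sysadmin.</p>
+@ <p>Sorry it didn't work out.</p>
+style_footer();
+return;
+}
 if( zQS==0 ){
-zQS = "";
+zQS = "?redir=1";
 }else if( zQS[0]!=0 ){
-zQS = mprintf("?%s", zQS);
+zQS = mprintf("?%s&redir=1", zQS);
 }
 cgi_redirectf("%s%s%s", g.zHttpsURL, P("PATH_INFO"), zQS);
 return;
 }
 sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0,
@@ -661,10 +675,23 @@
 @ <td class="login_out_label">User ID:</td>
 if( anonFlag ){
 @ <td><input type="text" id="u" name="u" value="anonymous" size="30" /></td>
 }else{
 @ <td><input type="text" id="u" name="u" value="" size="30" /></td>
+}
+if( P("HTTPS")==0 ){
+@ <td width="15"><td rowspan="3">
+@ <p class='securityWarning'>
+@ Warning: Your password will be sent in the clear over an
+@ unencrypted connection.
+if( g.sslNotAvailable ){
+@ No encrypted connection is available on this server.
+}else{
+@ Consider logging in at
+@ <a href='%s(g.zHttpsURL)'>%h(g.zHttpsURL)</a> instead.
+}
+@ </p>
 }
 @ </tr>
 @ <tr>
 @ <td class="login_out_label">Password:</td>
 @ <td><input type="password" id="p" name="p" value="" size="30" /></td>
@@ -1337,11 +1364,11 @@
 {
 const char *zUrl = PD("REQUEST_URI", "index");
 const char *zQS = P("QUERY_STRING");
 Blob redir;
 blob_init(&redir, 0, 0);
-if( login_wants_https_redirect() ){
+if( login_wants_https_redirect() && !g.sslNotAvailable ){
 blob_appendf(&redir, "%s/login?g=%T", g.zHttpsURL, zUrl);
 }else{
 blob_appendf(&redir, "%R/login?g=%T", zUrl);
 }
 if( anonOk ) blob_append(&redir, "&anon", 5);
 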
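Review bot: The loop-breaker marker is not attached when QUERY_STRING is present but empty: new lines 521-525 set `zQS` to `"?redir=1"` only for a null `zQS` and append `&redir=1` only when `zQS[0]!=0`, so an empty string falls through both branches and the redirect on line 526 leaves without `redir=1`, keeping the original loop alive for that case (whether the CGI layer ever hands over an empty QUERY_STRING is not visible here). Folding the empty case into the first branch, `if( zQS==0 || zQS[0]==0 ){ zQS = "?redir=1"; }` followed by a plain `else` for the mprintf case, closes the gap. Separately, the HTML at new lines 511-512 reads "however, is / is not encrypted"; one of the two `is` should go. Because `redir` is a request parameter, any client can request the warning page directly by appending `?redir=1`, which is harmless since it fails closed without rendering the credentials form. login_page's body continues outside the hunk.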
--- src/login.c
+++ src/login.c
@@ -502,14 +502,28 @@
502 const char *zReferer;
503
504 login_check_credentials();
505 if( login_wants_https_redirect() ){
506 const char *zQS = P("QUERY_STRING");
 
 
 
 
 
 
 
 
 
 
 
 
 
 
507 if( zQS==0 ){
508 zQS = "";
509 }else if( zQS[0]!=0 ){
510 zQS = mprintf("?%s", zQS);
511 }
512 cgi_redirectf("%s%s%s", g.zHttpsURL, P("PATH_INFO"), zQS);
513 return;
514 }
515 sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0,
@@ -661,10 +675,23 @@
661 @ <td class="login_out_label">User ID:</td>
662 if( anonFlag ){
663 @ <td><input type="text" id="u" name="u" value="anonymous" size="30" /></td>
664 }else{
665 @ <td><input type="text" id="u" name="u" value="" size="30" /></td>
 
 
 
 
 
 
 
 
 
 
 
 
 
666 }
667 @ </tr>
668 @ <tr>
669 @ <td class="login_out_label">Password:</td>
670 @ <td><input type="password" id="p" name="p" value="" size="30" /></td>
@@ -1337,11 +1364,11 @@
1337 {
1338 const char *zUrl = PD("REQUEST_URI", "index");
1339 const char *zQS = P("QUERY_STRING");
1340 Blob redir;
1341 blob_init(&redir, 0, 0);
1342 if( login_wants_https_redirect() ){
1343 blob_appendf(&redir, "%s/login?g=%T", g.zHttpsURL, zUrl);
1344 }else{
1345 blob_appendf(&redir, "%R/login?g=%T", zUrl);
1346 }
1347 if( anonOk ) blob_append(&redir, "&anon", 5);
1348
--- src/login.c
+++ src/login.c
@@ -502,14 +502,28 @@
502 const char *zReferer;
503
504 login_check_credentials();
505 if( login_wants_https_redirect() ){
506 const char *zQS = P("QUERY_STRING");
507 if( P("redir")!=0 || g.sslNotAvailable ){
508 style_header("Insecure Connection");
509 @ <h1>Unable To Establish An Encrypted Connection</h1>
510 @ <p>This website requires that login credentials be sent over
511 @ an encrypted connection. The current connection, however, is
512 @ is not encrypted all the way from your browser to the server.
513 @ A prior attempt was made to redirect to %h(g.zHttpsURL) but
514 @ the connection is still insecure even after the redirect.</p>
515 @ <p>This is probably some kind of configuration problem. Please
516 @ contact your sysadmin.</p>
517 @ <p>Sorry it didn't work out.</p>
518 style_footer();
519 return;
520 }
521 if( zQS==0 ){
522 zQS = "?redir=1";
523 }else if( zQS[0]!=0 ){
524 zQS = mprintf("?%s&redir=1", zQS);
525 }
526 cgi_redirectf("%s%s%s", g.zHttpsURL, P("PATH_INFO"), zQS);
527 return;
528 }
529 sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0,
@@ -661,10 +675,23 @@
675 @ <td class="login_out_label">User ID:</td>
676 if( anonFlag ){
677 @ <td><input type="text" id="u" name="u" value="anonymous" size="30" /></td>
678 }else{
679 @ <td><input type="text" id="u" name="u" value="" size="30" /></td>
680 }
681 if( P("HTTPS")==0 ){
682 @ <td width="15"><td rowspan="3">
683 @ <p class='securityWarning'>
684 @ Warning: Your password will be sent in the clear over an
685 @ unencrypted connection.
686 if( g.sslNotAvailable ){
687 @ No encrypted connection is available on this server.
688 }else{
689 @ Consider logging in at
690 @ <a href='%s(g.zHttpsURL)'>%h(g.zHttpsURL)</a> instead.
691 }
692 @ </p>
693 }
694 @ </tr>
695 @ <tr>
696 @ <td class="login_out_label">Password:</td>
697 @ <td><input type="password" id="p" name="p" value="" size="30" /></td>
@@ -1337,11 +1364,11 @@
1364 {
1365 const char *zUrl = PD("REQUEST_URI", "index");
1366 const char *zQS = P("QUERY_STRING");
1367 Blob redir;
1368 blob_init(&redir, 0, 0);
1369 if( login_wants_https_redirect() && !g.sslNotAvailable ){
1370 blob_appendf(&redir, "%s/login?g=%T", g.zHttpsURL, zUrl);
1371 }else{
1372 blob_appendf(&redir, "%R/login?g=%T", zUrl);
1373 }
1374 if( anonOk ) blob_append(&redir, "&anon", 5);
1375
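Review bot: The new insecure-login warning at new lines 689-690 emits `g.zHttpsURL` raw with `%s` inside the `href` attribute while escaping the same value with `%h` for the link text; `g.zHttpsURL` is presumably server configuration rather than request input, but escaping it the same way in both places keeps the attribute safe if that ever changes: `@ <a href='%h(g.zHttpsURL)'>%h(g.zHttpsURL)</a> instead.`. The `<td width="15">` opened on new line 682 is also never closed before the `rowspan="3"` cell begins. The enclosing form-rendering function starts and ends outside the hunk.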
-3
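--- a/src/main.c
+++ b/src/main.c
@@ -2500,13 +2500,10 @@
 set_base_url(zAltBase);
 }
 g.sslNotAvailable = find_option("nossl", 0, 0)!=0;
 if( find_option("https",0,0)!=0 ){
 cgi_replace_parameter("HTTPS","on");
-}else{
-/* without --https, defaults to not available. */
-g.sslNotAvailable = 1;
 }
 if( find_option("localhost", 0, 0)!=0 ){
 flags |= HTTP_SERVER_LOCALHOST;
 }
 
 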
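Review bot: Dropping the `else` branch at old lines 2505-2507 changes what `g.sslNotAvailable` means without saying so at the one place it is now set: after this change only an explicit `--nossl` marks TLS as unavailable, so a server started without `--https` will still be sent to `g.zHttpsURL` by the login code when the redirect setting is on, and it is the new redirect-loop breaker in login.c that has to recover if that URL is not actually served over TLS. A comment on line 2502 would make the contract explicit, e.g. `/* --nossl: no TLS front end exists, so suppress HTTPS redirects and show the insecure-login warning instead. Without it TLS is assumed to be reachable unless --https says this connection already is. */`; whether a TLS-terminating proxy is the intended deployment is an inference from `cgi_replace_parameter("HTTPS","on")` and should be confirmed before wording it that way. The enclosing option-parsing function continues outside the hunk.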
--- src/main.c
+++ src/main.c
@@ -2500,13 +2500,10 @@
2500 set_base_url(zAltBase);
2501 }
2502 g.sslNotAvailable = find_option("nossl", 0, 0)!=0;
2503 if( find_option("https",0,0)!=0 ){
2504 cgi_replace_parameter("HTTPS","on");
2505 }else{
2506 /* without --https, defaults to not available. */
2507 g.sslNotAvailable = 1;
2508 }
2509 if( find_option("localhost", 0, 0)!=0 ){
2510 flags |= HTTP_SERVER_LOCALHOST;
2511 }
2512
2513
--- src/main.c
+++ src/main.c
@@ -2500,13 +2500,10 @@
2500 set_base_url(zAltBase);
2501 }
2502 g.sslNotAvailable = find_option("nossl", 0, 0)!=0;
2503 if( find_option("https",0,0)!=0 ){
2504 cgi_replace_parameter("HTTPS","on");
 
 
 
2505 }
2506 if( find_option("localhost", 0, 0)!=0 ){
2507 flags |= HTTP_SERVER_LOCALHOST;
2508 }
2509
2510
