  1. Moodle
  2. MDL-5374

poor https check


    • Bug
    • Resolution: Fixed
    • Minor
    • 2.0
    • 1.6, 1.9, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7
    • Administration
    • None
    • All
    • Any
    • MOODLE_16_STABLE, MOODLE_19_STABLE
    • MOODLE_20_STABLE

      In all versions of Moodle, lib/weblib.php includes a snippet like this:

      if (isset($_SERVER['HTTPS'])) {
          $protocol = ($_SERVER['HTTPS'] == 'on') ? 'https://' : 'http://';
      } else if (isset($_SERVER['SERVER_PORT'])) { # Apache2 does not export $_SERVER['HTTPS']
          $protocol = ($_SERVER['SERVER_PORT'] == '443') ? 'https://' : 'http://';
      } else {
          $protocol = 'http://';
      }

      This doesn't work behind an SSL accelerator (an appliance that converts https: to http). A better approach:

      if (isset($_SERVER['HTTPS'])) {
          $protocol = 'https://';
      } else if (strncmp($CFG->wwwroot, 'https', 5) == 0) {
          $protocol = 'https://';
      } else {
          $protocol = 'http://';
      }

      Also, there are lots of snippets like str_replace('http','https', ...) that break if the host name accidentally includes 'http'. They must be str_replace('http:', 'https:', ...) at the least.

      A still better approach would be to use relative URLs! And the default protocol must always be derived from the $CFG->wwwroot, not from $_SERVER['HTTPS'] or the port number.

            skodak Petr Skoda
            imported Imported (Inactive)
            Nobody Nobody (Inactive)
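The points made in the report, as an added PHP example that is not Moodle's code or the reporter's: it contrasts the $_SERVER-based check with one derived from the configured wwwroot, and goes slightly beyond the report by anchoring the scheme rewrite to the start of the URL. The function names, host name and URLs are constructed for illustration.

```php
<?php
// Added example, not Moodle code. Function names and sample values are hypothetical.

// Legacy detection quoted in the report: trusts what the web server saw.
function protocol_from_server(array $server): string {
    if (isset($server['HTTPS'])) {
        return ($server['HTTPS'] == 'on') ? 'https://' : 'http://';
    } else if (isset($server['SERVER_PORT'])) {
        return ($server['SERVER_PORT'] == '443') ? 'https://' : 'http://';
    }
    return 'http://';
}

// Report's recommendation: the configured site root decides the protocol.
function protocol_from_wwwroot(string $wwwroot): string {
    $scheme = parse_url($wwwroot, PHP_URL_SCHEME);
    return (is_string($scheme) && strtolower($scheme) === 'https') ? 'https://' : 'http://';
}

// Upgrade only a leading "http://" scheme; host, path and query are untouched.
function force_https(string $url): string {
    return preg_replace('#^http://#i', 'https://', $url, 1);
}

// Constructed request as seen behind an SSL accelerator: the client used HTTPS,
// but the appliance forwarded plain HTTP to port 80.
$server  = ['SERVER_PORT' => '80'];
$wwwroot = 'https://httpd-docs.example.org/moodle';

echo protocol_from_server($server), "\n";    // legacy check
echo protocol_from_wwwroot($wwwroot), "\n";  // configured value

// Constructed URL whose host name and query string both contain "http".
$url = 'http://httpd-docs.example.org/login/index.php?next=http://httpd-docs.example.org/';
echo str_replace('http', 'https', $url), "\n";   // corrupts host and query
echo str_replace('http:', 'https:', $url), "\n"; // host intact, query still rewritten
echo force_https($url), "\n";                    // only the scheme changes
```

Comparing the first two lines of output shows the mismatch that makes a site emit plain-HTTP links to clients that connected over HTTPS; the last three show why the replacement has to be anchored to the scheme.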