Fix random replacement of http with https in resources (issue #3599) #3808
Conversation
|
once this PR has been included, I'll have a look to update texts of the resource files. |
| case "url": | ||
| propertyNotFound = false; | ||
| result = PropertyAccess.FormatString(PortalAlias.HTTPAlias, format); | ||
| break; | ||
| case "fullurl": //return portal alias with protocol | ||
| case "fullurl": //return portal alias with protocol - note this depends on HttpContext |
There was a problem hiding this comment.
Does PortalAlias.HTTPAlias depend on HttpContext? I think if you use the PortalSettings constructor that takes a PortalAliasInfo, it shouldn't depend on context.
There was a problem hiding this comment.
Emails might be sent by a background service without http context...
There was a problem hiding this comment.
@bdukes : If you follow the AddHttp method, it uses HttpContext. I spent some time tracing this code and thought it was a good idea to include this in the comments as it means it is not safe for background tasks.
There was a problem hiding this comment.
Globals.AddHTTP does reference HttpContent.Current, but it checks for null first, so it should be safe to use from a scheduled task.
| @@ -699,15 +699,19 @@ public string GetProperty(string propertyName, string format, CultureInfo format | |||
| var isPublic = true; | |||
| switch (lowerPropertyName) | |||
| { | |||
| case "scheme": | |||
| propertyNotFound = false; | |||
| result = SSLEnabled ? "https" : "http"; | |||
There was a problem hiding this comment.
The check in the code we're replacing is portalSettings.SSLEnabled || portalSettings.SSLEnforced. I don't know that it hurts anything for it to remain also checking SSLEnforced (probably better to err on the side of more HTTPS rather than less).
There was a problem hiding this comment.
it should check for portalSettings.SSLEnabled && portalSettings.SSLEnforced - just SSLEnabled will deliver secured pages using http, if not called using https (e.g. if moved to a different location without https being bound to the IIS website.
There was a problem hiding this comment.
My thought was indeed to err on the side of https. Rapidly more and more technologies are refusing to work with plain http (e.g. mobile apps). So if a site has so much as allowed SSL, I suggest the default return of "scheme" should be https. Rather than waiting to see if it is enforced.
There was a problem hiding this comment.
Right, so SSLEnabled || SSLEnforced could be true more often than just SSLEnabled (though I'm not sure if there's any valid scenario where SSLEnforced is true while SSLEnabled is false)
There was a problem hiding this comment.
Looking at this, and the option values, it seems that you could have SSL Enforced = true, but SSL Enabled = false. For this, I think we have to rely only on the SSLEnabled flag though, it may be a bit aggressive, but for current standards should be acceptable
|
So, there's a small chance for this to be a breaking change. If someone has a modified version of an email template which uses the old |
Yes, this is a breaking change, but should not affect too many sites. However, we should definetely mention it in release notes |
Absolutely. Which is why it goes in 9.7. Like Sebastian says, chances are slim and frankly, it is IMHO worse that those who included external fixed links using http find that the http was changed. So I am favouring those that highlighted that latter issue. |
|
Regarding the breaking change, the |
|
But it doesn't look like |
|
@bdukes Yes, I think we are fine with this one, it errs on the side of security essentially. But I'm flagging as potentially breaking so we are sure to grab it in the release notes |
| @@ -699,15 +699,19 @@ public string GetProperty(string propertyName, string format, CultureInfo format | |||
| var isPublic = true; | |||
| switch (lowerPropertyName) | |||
| { | |||
| case "scheme": | |||
| propertyNotFound = false; | |||
| result = SSLEnabled ? "https" : "http"; | |||
There was a problem hiding this comment.
Looking at this, and the option values, it seems that you could have SSL Enforced = true, but SSL Enabled = false. For this, I think we have to rely only on the SSLEnabled flag though, it may be a bit aggressive, but for current standards should be acceptable
An earlier "fix" for urls in emails added a blanket replace on each and every resource being retrieved. This is not just incorrect (as it also affects resources that should not be touched), it is also a performance hit.
This PR rolls back the fix and adds a "scheme" token to the portal settings. The [portal:scheme] token will resolve to either "https" or "http" depending on SSLEnabled for the portal. It is not used in any email in the framework currently, but if someone needs this in a template, it can be used.
Note that using the scheme token looks at the entire portal, so won't be a solution for those with mixed http/https situations. The [portal:fullurl] uses the current page's SSL setting, but obviously depends on context and so was never meant for emails.