-
Notifications
You must be signed in to change notification settings - Fork 745
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix random replacement of http with https in resources (issue #3599) #3808
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -699,15 +699,19 @@ public string GetProperty(string propertyName, string format, CultureInfo format | |
var isPublic = true; | ||
switch (lowerPropertyName) | ||
{ | ||
case "scheme": | ||
propertyNotFound = false; | ||
result = SSLEnabled ? "https" : "http"; | ||
break; | ||
case "url": | ||
propertyNotFound = false; | ||
result = PropertyAccess.FormatString(PortalAlias.HTTPAlias, format); | ||
break; | ||
case "fullurl": //return portal alias with protocol | ||
case "fullurl": //return portal alias with protocol - note this depends on HttpContext | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Does There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Emails might be sent by a background service without http context... There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @bdukes : If you follow the AddHttp method, it uses HttpContext. I spent some time tracing this code and thought it was a good idea to include this in the comments as it means it is not safe for background tasks. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
|
||
propertyNotFound = false; | ||
result = PropertyAccess.FormatString(Globals.AddHTTP(PortalAlias.HTTPAlias), format); | ||
break; | ||
case "passwordreminderurl": //if regsiter page defined in portal settings, then get that page url, otherwise return home page. | ||
case "passwordreminderurl": //if regsiter page defined in portal settings, then get that page url, otherwise return home page. - note this depends on HttpContext | ||
propertyNotFound = false; | ||
var reminderUrl = Globals.AddHTTP(PortalAlias.HTTPAlias); | ||
if (RegisterTabId > Null.NullInteger) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The check in the code we're replacing is
portalSettings.SSLEnabled || portalSettings.SSLEnforced
. I don't know that it hurts anything for it to remain also checkingSSLEnforced
(probably better to err on the side of more HTTPS rather than less).There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it should check for portalSettings.SSLEnabled && portalSettings.SSLEnforced - just SSLEnabled will deliver secured pages using http, if not called using https (e.g. if moved to a different location without https being bound to the IIS website.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My thought was indeed to err on the side of https. Rapidly more and more technologies are refusing to work with plain http (e.g. mobile apps). So if a site has so much as allowed SSL, I suggest the default return of "scheme" should be https. Rather than waiting to see if it is enforced.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, so
SSLEnabled || SSLEnforced
could betrue
more often than justSSLEnabled
(though I'm not sure if there's any valid scenario whereSSLEnforced
istrue
whileSSLEnabled
isfalse
)There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking at this, and the option values, it seems that you could have SSL Enforced = true, but SSL Enabled = false. For this, I think we have to rely only on the
SSLEnabled
flag though, it may be a bit aggressive, but for current standards should be acceptable