Fix random replacement of http with https in resources (issue #3599) #3808
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -699,15 +699,19 @@ public string GetProperty(string propertyName, string format, CultureInfo format | |
| var isPublic = true; | ||
| switch (lowerPropertyName) | ||
| { | ||
| case "scheme": | ||
| propertyNotFound = false; | ||
| result = SSLEnabled ? "https" : "http"; | ||
| break; | ||
| case "url": | ||
| propertyNotFound = false; | ||
| result = PropertyAccess.FormatString(PortalAlias.HTTPAlias, format); | ||
| break; | ||
| case "fullurl": //return portal alias with protocol - note this depends on HttpContext | ||
|
There was a problem hiding this comment. Does There was a problem hiding this comment. Emails might be sent by a background service without http context... There was a problem hiding this comment. @bdukes : If you follow the AddHttp method, it uses HttpContext. I spent some time tracing this code and thought it was a good idea to include this in the comments as it means it is not safe for background tasks. There was a problem hiding this comment.
|
||
| propertyNotFound = false; | ||
| result = PropertyAccess.FormatString(Globals.AddHTTP(PortalAlias.HTTPAlias), format); | ||
| break; | ||
| case "passwordreminderurl": //if regsiter page defined in portal settings, then get that page url, otherwise return home page. - note this depends on HttpContext | ||
| propertyNotFound = false; | ||
| var reminderUrl = Globals.AddHTTP(PortalAlias.HTTPAlias); | ||
| if (RegisterTabId > Null.NullInteger) | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The check in the code we're replacing is
portalSettings.SSLEnabled || portalSettings.SSLEnforced. I don't know that it hurts anything for it to remain also checkingSSLEnforced(probably better to err on the side of more HTTPS rather than less).There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it should check for portalSettings.SSLEnabled && portalSettings.SSLEnforced - just SSLEnabled will deliver secured pages using http, if not called using https (e.g. if moved to a different location without https being bound to the IIS website.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My thought was indeed to err on the side of https. Rapidly more and more technologies are refusing to work with plain http (e.g. mobile apps). So if a site has so much as allowed SSL, I suggest the default return of "scheme" should be https. Rather than waiting to see if it is enforced.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, so
SSLEnabled || SSLEnforcedcould betruemore often than justSSLEnabled(though I'm not sure if there's any valid scenario whereSSLEnforcedistruewhileSSLEnabledisfalse)There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking at this, and the option values, it seems that you could have SSL Enforced = true, but SSL Enabled = false. For this, I think we have to rely only on the
SSLEnabledflag though, it may be a bit aggressive, but for current standards should be acceptable