MantisBT

View Issue Details
ID: 0014333
Project: mantisbt
Category: other
View Status: public
Date Submitted: 2012-05-30 19:55
Last Update: 2014-09-23 18:05
Reporter: stainlessstill
Assigned To: dregad
Priority: urgent
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Platform: nginx 1.1.19 + php5fastcgi
OS: debian
OS Version: 6.0
Product Version: 1.2.10
Target Version: 1.2.11
Fixed in Version: 1.2.11
Summary: 0014333: mantis bt switches to https from http
Description: Mantis BT stopped working under HTTP (non-HTTPS) since nginx 1.x added the SERVER['HTTPS'] parameter to the fastcgi environment by default (see /etc/nginx/fastcgi_params). Pre-1.x versions of nginx didn't have it by default and everything went fine.

Now under nginx 1.x, with SERVER['HTTPS'] passed to the fastcgi environment, Mantis BT throws every HTTP request to HTTPS. The reason for this is the lame check for SERVER['HTTPS'] state everywhere in the script. For example (config_defaults_inc.php):
if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
    $t_protocol = 'https';
}

Mantis expects SERVER['HTTPS'] to be absent or to be set to 'off', which is the wrong approach. It doesn't take into account the case where it exists but is empty, as it should be according to the manual.

http://php.net/manual/en/reserved.variables.server.php :
SERVER['HTTPS'] Set to non-empty value if the script was queried thru the HTTPS. PS. with IIS the value will be off if the request was non-HTTPS.

So, right in the manual it is written that it should be non-empty and not-off to indicate HTTPS. But it may exist and be empty when in HTTP state.

The code above should be something like:
if ( isset( $_SERVER['HTTPS'] ) && !empty( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
    $t_protocol = 'https';
}

And it has to be modified not in a single file but through all the scripts in Mantis, as this issue deals with cookies, redirects etc.
Steps To Reproduce:
1. take nginx-full 1.1.19 from backports
2. set up php5 fastcgi
3. leave default settings for both
4. set up vhost for mantis bt under nginx in non-https mode
5. every try to reach http://mantis.example.com will throw you to https://...
Additional Information: Workaround for nginx 1.1.19 and php5-FastCGI.

Edit your /etc/nginx/fastcgi_params file and comment out "fastcgi_param HTTPS" for the time being
Tags: No tags attached.
Attached Files

- Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

- Notes
(0031931)
dregad (developer)
2012-05-31 05:13

If a variable is not empty, then (by definition) it is set, so it's redundant to test

isset( $_SERVER['HTTPS'] ) && !empty( $_SERVER['HTTPS'] )


thus the check should be
 
if( !empty( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {


I do not have access to an nginx setup, so could you please test this and confirm ?

As you mentioned, this involves changes in several MantisBT APIs. This can be taken care of.

However, I also noted several occurrences of
$_SERVER['HTTPS']
in the nusoap library, which is used for our soap api. We avoid patching bundled libraries as much as possible, so if you are using the soap api and notice similar problems, then I suggest you report a bug upstream[1]

[1] http://sourceforge.net/projects/nusoap/
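As an added example (not MantisBT's own code, nor from the linked branch), the check quoted from config_defaults_inc.php in the description is run side by side with the !empty() form dregad proposes, over constructed $_SERVER['HTTPS'] values as different servers set them; the function names and case labels are assumptions made for this illustration.

```php
<?php
// Added example, not MantisBT code. Contrasts the original isset() protocol test
// with the !empty() test from this issue. Function names are made up for this demo.

// The 1.2.10 check (config_defaults_inc.php): any set value other than 'off' means HTTPS.
// isset() is true for an empty string (it is only false for null/absent).
function is_https_old(array $server): bool {
    return isset($server['HTTPS']) && strtolower($server['HTTPS']) != 'off';
}

// The check proposed in the issue: HTTPS only if the value is non-empty and not 'off'.
// Note: PHP's empty() also treats the string '0' as empty, so '0' maps to HTTP here.
function is_https_new(array $server): bool {
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) != 'off';
}

// Constructed $_SERVER samples; the labels describe the scenario from the issue text.
$cases = [
    'HTTPS absent (plain http, no fastcgi_param)' => [],
    'HTTPS = on (https)'                          => ['HTTPS' => 'on'],
    'HTTPS set but empty (nginx 1.x, plain http)' => ['HTTPS' => ''],
    'HTTPS = off (IIS, plain http)'               => ['HTTPS' => 'off'],
    'HTTPS = ON (upper case, https)'              => ['HTTPS' => 'ON'],
];

foreach ($cases as $label => $server) {
    printf("%-46s old: %-6s new: %s\n", $label,
        is_https_old($server) ? 'https' : 'http',
        is_https_new($server) ? 'https' : 'http');
}
// The "set but empty" row is the bug: the old check answers https, the new one http.
```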
(0031933)
dregad (developer)
2012-05-31 06:11

Please test this, which I think should fix the problem.

https://github.com/dregad/mantisbt/tree/fix-14333-https-nginx

Note that this may or may not be the final solution as I have bounced this off the other developers. Let me know your feedback in any case.
(0031935)
stainlessstill (reporter)
2012-05-31 07:00
edited on: 2012-05-31 07:03

Test passed. I've just restored default settings and your build has worked fine where released 1.2.10 hadn't.
Thank you.

Currently I couldn't test your build in an https environment or with soap. I don't use soap and hope https will function as always after your bugfix.

(0036274)
grangeway (reporter)
2013-04-05 17:57

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch

- Related Changesets
MantisBT: master f39ad8c9
Timestamp: 2012-05-31 02:53:03
Author: dregad
Make test for HTTPS protocol compliant with PHP documentation

Prior to this, the protocol was considered to be HTTPS when
isset($_SERVER['HTTPS']) is true, while PHP doc[1] states that HTTPS is
"Set to a non-empty value if the script was queried through the HTTPS
protocol" so the test should be !empty($_SERVER['HTTPS']) instead.

This was causing issues with nginx 1.x with php5fastcgi as
$_SERVER['HTTPS'] is set but empty, thus MantisBT redirects all http
requests to https.

The protocol check has been moved to a new function in http_api.php
which is then called wherever it is needed.

Note that there are several occurrences of isset($_SERVER['HTTPS']) in
the nusoap library; these have not been modified.

Fixes 0014333

[1] http://php.net/manual/en/reserved.variables.server.php
mod - config_defaults_inc.php
mod - core/gpc_api.php
mod - core/http_api.php
mod - core/user_api.php
mod - file_download.php
MantisBT: master-1.2.x 0af2d629
Timestamp: 2012-05-31 02:53:03
Author: dregad
Make test for HTTPS protocol compliant with PHP documentation
(same commit message as master f39ad8c9 above)
mod - config_defaults_inc.php
mod - core/gpc_api.php
mod - core/http_api.php
mod - core/user_api.php
mod - file_download.php

- Issue History
Date Modified Username Field Change
2012-05-30 19:55 stainlessstill New Issue
2012-05-31 05:13 dregad Note Added: 0031931
2012-05-31 05:13 dregad Status new => acknowledged
2012-05-31 06:11 dregad Note Added: 0031933
2012-05-31 06:11 dregad Assigned To => dregad
2012-05-31 06:11 dregad Status acknowledged => assigned
2012-05-31 07:00 stainlessstill Note Added: 0031935
2012-05-31 07:02 stainlessstill Note Edited: 0031935
2012-05-31 07:03 stainlessstill Note Edited: 0031935
2012-06-06 19:31 dregad Target Version => 1.2.11
2012-06-06 19:31 dregad Status assigned => resolved
2012-06-06 19:31 dregad Fixed in Version => 1.2.11
2012-06-06 19:31 dregad Resolution open => fixed
2012-06-06 20:00 dregad Changeset attached => MantisBT master f39ad8c9
2012-06-06 20:00 dregad Changeset attached => MantisBT master-1.2.x 0af2d629
2012-06-06 23:53 jreese Status resolved => closed
2013-04-05 17:57 grangeway Status closed => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036274
2013-04-05 18:32 grangeway Relationship added related to 0015721
2013-04-06 03:40 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team