View Issue Details

ID: 0014333
Project: mantisbt
Category: other
View Status: public
Last Update: 2014-09-23 18:05
Reporter: stainlessstill
Assigned To: dregad
Priority: urgent
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Platform: nginx 1.1.19 + php5fastcgi
OS: debian
OS Version: 6.0
Product Version: 1.2.10
Target Version: 1.2.11
Fixed in Version: 1.2.11
Summary: 0014333: mantis bt switches to https from http
Description

Mantis BT stopped working under HTTP (non-HTTPS) since 1.x nginx has added the $_SERVER['HTTPS'] parameter to the fastcgi environment by default (see /etc/nginx/fastcgi_params). Pre-1.x versions of nginx didn't have it by default and everything went fine.

Now under nginx 1.x with $_SERVER['HTTPS'] passed to the fastcgi environment Mantis BT throws every HTTP request to HTTPS. The reason for this is a lame check for the $_SERVER['HTTPS'] state everywhere in the script. For example (config_defaults_inc.php):

if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
    $t_protocol = 'https';
}

Mantis expects $_SERVER['HTTPS'] to be absent or to be set to 'off', while this is a wrong approach. It doesn't take into account when it exists but is empty, like it should be according to the manual.

http://php.net/manual/en/reserved.variables.server.php :
$_SERVER['HTTPS']: Set to a non-empty value if the script was queried through HTTPS. PS. with IIS the value will be 'off' if the request was non-HTTPS.

So, right in the manual it is written that it should be non-empty and not 'off' to indicate HTTPS. But it may exist and be empty when in HTTP state.

The code above should be something like:

if ( isset( $_SERVER['HTTPS'] ) && !empty( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
    $t_protocol = 'https';
}

And it has to be modified not in a single file but through all the scripts in Mantis, as this issue deals with cookies, redirects etc.

Steps To Reproduce
  1. take nginx-full 1.1.19 from backports
  2. set up php5 fastcgi
  3. leave default settings for both
  4. set up vhost for mantis bt under nginx in non-https mode
  5. every try to reach http://mantis.example.com will throw you to https://...
Additional Information

Workaround for nginx 1.1.19 and php5-FastCGI.

Edit your /etc/nginx/fastcgi_params file and comment out fastcgi_param HTTPS for the time being.
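As an added example (not code from the MantisBT project or from either participant in this report), the check the report asks for, written as a standalone PHP function and run against constructed $_SERVER environments for each case discussed above: variable absent, present but empty (nginx 1.x fastcgi_params), 'off' in any letter case (IIS), and a non-empty value. The function names are assumptions made for this illustration, not the name of the helper the fix adds to http_api.php.

```php
<?php
// Added example, not MantisBT code. Implements the HTTPS test as the PHP
// manual defines $_SERVER['HTTPS']: "set to a non-empty value if the script
// was queried through HTTPS", with IIS reporting 'off' for plain HTTP.
// Function names below are hypothetical, chosen for this illustration only.

/**
 * Return true when the request came in over HTTPS.
 *
 * Covers every shape of $_SERVER['HTTPS'] a deployment can produce:
 *   - absent                    -> plain HTTP (Apache, nginx before 1.x)
 *   - present but empty string  -> plain HTTP (nginx 1.x fastcgi_params)
 *   - 'off' in any letter case  -> plain HTTP (IIS)
 *   - any other non-empty value -> HTTPS ('on', '1', 'https', ...)
 * Note that PHP's empty() also treats the string '0' as empty, so a server
 * that sent HTTPS=0 is classified as plain HTTP, which matches the intent.
 */
function is_https_request( array $p_server ) {
	// empty() implies isset(), so a separate isset() test is redundant.
	if( empty( $p_server['HTTPS'] ) ) {
		return false;
	}
	return strtolower( $p_server['HTTPS'] ) != 'off';
}

/** Scheme to use for generated URLs, cookie flags and redirects. */
function request_protocol( array $p_server ) {
	return is_https_request( $p_server ) ? 'https' : 'http';
}

/**
 * The pre-fix check quoted in the report, kept only so the two can be
 * compared side by side. It is wrong for the "present but empty" case:
 * isset('') is true and '' != 'off' is true, so HTTP is reported as HTTPS.
 */
function is_https_request_isset_only( array $p_server ) {
	return isset( $p_server['HTTPS'] ) && ( strtolower( $p_server['HTTPS'] ) != 'off' );
}

// Constructed sample environments mirroring the cases in the report.
// Each entry: description => array( $_SERVER subset, expected HTTPS result ).
$t_cases = array(
	'apache http, HTTPS absent'   => array( array(),                false ),
	'nginx 1.x http, HTTPS empty' => array( array( 'HTTPS' => '' ),    false ),
	'iis http, HTTPS off'         => array( array( 'HTTPS' => 'off' ), false ),
	'iis http, HTTPS OFF (case)'  => array( array( 'HTTPS' => 'OFF' ), false ),
	'nginx https, HTTPS on'       => array( array( 'HTTPS' => 'on' ),  true ),
	'other server, HTTPS = 1'     => array( array( 'HTTPS' => '1' ),   true ),
);

foreach( $t_cases as $t_name => $t_case ) {
	list( $t_server, $t_expected ) = $t_case;
	$t_fixed = is_https_request( $t_server );
	$t_old   = is_https_request_isset_only( $t_server );
	// Self-check: the corrected function must agree with the manual's rule.
	if( $t_fixed !== $t_expected ) {
		throw new RuntimeException( "unexpected result for case: $t_name" );
	}
	printf( "%-28s isset-only: %-5s  !empty: %-5s  -> %s\n",
		$t_name,
		var_export( $t_old, true ),
		var_export( $t_fixed, true ),
		request_protocol( $t_server ) );
}
```

Run with `php example.php`; the "nginx 1.x http, HTTPS empty" row is the one where the two columns disagree, which is exactly the redirect loop described in the report. Centralising this decision in one function, as the fix does, matters because the same answer feeds cookie flags, generated URLs and redirects, and an inconsistent answer across those places is what turns a detection bug into a lockout.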

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

dregad

2012-05-31 05:13

developer   ~0031931

If a variable is not empty, then (by definition) it is set, so it's redundant to test

isset( $_SERVER['HTTPS'] ) && !empty( $_SERVER['HTTPS'] )

thus the check should be

if( !empty( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {

I do not have access to an nginx setup, so could you please test this and confirm ?

As you mentioned, this involves changes in several MantisBT APIs. This can be taken care of.

However, I also noted several occurrences of $_SERVER['HTTPS'] in the nusoap library, which is used for our SOAP API. We avoid patching bundled libraries as much as possible, so if you are using the SOAP API and notice similar problems, then I suggest you report a bug upstream [1].

[1] http://sourceforge.net/projects/nusoap/

dregad

2012-05-31 06:11

developer   ~0031933

Please test this, which I think should fix the problem.

https://github.com/dregad/mantisbt/tree/fix-14333-https-nginx

Note that this may or may not be the final solution as I have bounced this off the other developers. Let me know your feedback in any case.

stainlessstill

2012-05-31 07:00

reporter   ~0031935

Last edited: 2012-05-31 07:03


Test passed. I've just restored default settings and your build has worked fine where released 1.2.10 hadn't.
Thank you.

Currently I couldn't test your build in an https environment as well as with soap. I don't use soap and hope https should function as always after your bugfix.

grangeway

2013-04-05 17:57

reporter   ~0036274

Marking as acknowledged not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master f39ad8c9

2012-05-31 02:53:03

dregad

Make test for HTTPS protocol compliant with PHP documentation

Prior to this, the protocol was considered to be HTTPS when
isset($_SERVER['HTTPS']) is true, while PHP doc[1] states that HTTPS is
"Set to a non-empty value if the script was queried through the HTTPS
protocol" so the test should be !empty($_SERVER['HTTPS']) instead.

This was causing issues with nginx 1.x with php5fastcgi as
$_SERVER['HTTPS'] is set but empty, thus MantisBT redirects all http
requests to https.

The protocol check has been moved to a new function in http_api.php
which is then called wherever it is needed.

Note that there are several occurrences of isset($_SERVER['HTTPS']) in
the nusoap library; these have not been modified.

Fixes 0014333

[1] http://php.net/manual/en/reserved.variables.server.php
mod - config_defaults_inc.php
mod - core/gpc_api.php
mod - core/http_api.php
mod - core/user_api.php
mod - file_download.php

MantisBT: master-1.2.x 0af2d629

2012-05-31 02:53:03

dregad

Make test for HTTPS protocol compliant with PHP documentation

Prior to this, the protocol was considered to be HTTPS when
isset($_SERVER['HTTPS']) is true, while PHP doc[1] states that HTTPS is
"Set to a non-empty value if the script was queried through the HTTPS
protocol" so the test should be !empty($_SERVER['HTTPS']) instead.

This was causing issues with nginx 1.x with php5fastcgi as
$_SERVER['HTTPS'] is set but empty, thus MantisBT redirects all http
requests to https.

The protocol check has been moved to a new function in http_api.php
which is then called wherever it is needed.

Note that there are several occurrences of isset($_SERVER['HTTPS']) in
the nusoap library; these have not been modified.

Fixes 0014333

[1] http://php.net/manual/en/reserved.variables.server.php
mod - config_defaults_inc.php
mod - core/gpc_api.php
mod - core/http_api.php
mod - core/user_api.php
mod - file_download.php

Issue History

Date Modified Username Field Change
2012-05-30 19:55 stainlessstill New Issue
2012-05-31 05:13 dregad Note Added: 0031931
2012-05-31 05:13 dregad Status new => acknowledged
2012-05-31 06:11 dregad Note Added: 0031933
2012-05-31 06:11 dregad Assigned To => dregad
2012-05-31 06:11 dregad Status acknowledged => assigned
2012-05-31 07:00 stainlessstill Note Added: 0031935
2012-05-31 07:02 stainlessstill Note Edited: 0031935
2012-05-31 07:03 stainlessstill Note Edited: 0031935
2012-06-06 19:31 dregad Target Version => 1.2.11
2012-06-06 19:31 dregad Status assigned => resolved
2012-06-06 19:31 dregad Fixed in Version => 1.2.11
2012-06-06 19:31 dregad Resolution open => fixed
2012-06-06 20:00 dregad Changeset attached => MantisBT master f39ad8c9
2012-06-06 20:00 dregad Changeset attached => MantisBT master-1.2.x 0af2d629
2012-06-06 23:53 jreese Status resolved => closed
2013-04-05 17:57 grangeway Status closed => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036274
2013-04-05 18:32 grangeway Relationship added related to 0015721
2013-04-06 03:40 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check