View Issue Details
| Field | Value |
|---|---|
| ID | 0014333 |
| Project | mantisbt |
| Category | other |
| View Status | public |
| Date Submitted | 2012-05-30 19:55 |
| Last Update | 2014-09-23 18:05 |
| Reporter | stainlessstill |
| Assigned To | dregad |
| Priority | urgent |
| Severity | block |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | nginx 1.1.19 + php5fastcgi |
| OS | debian |
| OS Version | 6.0 |
| Product Version | 1.2.10 |
| Target Version | 1.2.11 |
| Fixed in Version | 1.2.11 |
| Summary | 0014333: mantis bt switches to https from http |
Description:

Mantis BT stopped working under HTTP (non-HTTPS) since nginx 1.x added the SERVER['HTTPS'] parameter to the fastcgi environment by default (see /etc/nginx/fastcgi_params). Pre-1.x versions of nginx didn't have it by default and everything went fine. Now, under nginx 1.x with SERVER['HTTPS'] passed to the fastcgi environment, Mantis BT throws every HTTP request to HTTPS. The reason for this is the lame check for the SERVER['HTTPS'] state everywhere in the scripts. For example (config_defaults_inc.php):

Mantis waits for SERVER['HTTPS'] to be absent or to be set to 'off', which is a wrong approach. It doesn't take into account the case when it exists but is empty, as it should be according to the manual. http://php.net/manual/en/reserved.variables.server.php : So, right in the manual it is written that it should be non-empty and not 'off' to indicate HTTPS. But it may exist and be empty in the HTTP state. The code above should be something like:

And it has to be modified not in a single file but throughout all the scripts in Mantis, as this issue deals with cookies, redirects, etc.
Steps To Reproduce: (not provided)

Additional Information: Workaround for nginx 1.1.19 and php5-FastCGI. Edit your /etc/nginx/fastcgi_params file and comment out "fastcgi_param HTTPS" for the time being.

Tags: No tags attached.
If a variable is not empty, then (by definition) it is set, so it's redundant to test isset( $_SERVER['HTTPS'] ) && !empty( $_SERVER['HTTPS'] ); thus the check should be if( !empty( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) { I do not have access to an nginx setup, so could you please test this and confirm? As you mentioned, this involves changes in several MantisBT APIs. This can be taken care of. However, I also noted several occurrences of $_SERVER['HTTPS'] in the nusoap library, which is used for our soap api. We avoid patching bundled libraries as much as possible, so if you are using the soap api and notice similar problems, then I suggest you report a bug upstream[1]
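Added example (not MantisBT's own code): the isset()-based check the report describes next to the !empty() check proposed in the comment above, run over constructed $_SERVER environments. The function names and the sample environments are assumptions; the nginx case reproduces the "key present but empty" condition from this issue.

```php
<?php
// Added example, not MantisBT code. Reconstructs the two checks discussed in
// this issue and runs them over constructed $_SERVER environments.

// Pre-fix behaviour as described in the report: "absent or set to 'off'" means
// HTTP, anything else means HTTPS. An empty string therefore counts as HTTPS.
function is_https_old(array $server): bool
{
    return isset($server['HTTPS']) && strtolower($server['HTTPS']) != 'off';
}

// The check proposed in the comment above, matching the PHP manual: HTTPS only
// when the variable is non-empty and not 'off'.
function is_https_fixed(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) != 'off';
}

// Constructed environments (hypothetical; not captured from a real server).
// The nginx 1.x case is the one from this report: fastcgi_params passes
// HTTPS through even for plain HTTP, so the key exists but is empty.
$environments = [
    'key absent (plain HTTP, no HTTPS param)' => [],
    'HTTPS=on   (request came over TLS)'      => ['HTTPS' => 'on'],
    'HTTPS=off  (explicit off)'               => ['HTTPS' => 'off'],
    'HTTPS=""   (nginx 1.x fastcgi, HTTP)'    => ['HTTPS' => ''],
];

foreach ($environments as $label => $server) {
    printf("%-42s old: %-5s fixed: %s\n",
        $label,
        var_export(is_https_old($server), true),
        var_export(is_https_fixed($server), true));
}
// Only the last row disagrees: the old check turns the empty value into an
// HTTPS verdict, which is why every plain HTTP request was pushed to https
// and why the cookie and redirect code paths are affected as well.
```

The empty-string row is the whole bug; any code that derives a protocol, redirect target or cookie setting from this variable needs the !empty() form.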
Please test this, which I think should fix the problem. https://github.com/dregad/mantisbt/tree/fix-14333-https-nginx Note that this may or may not be the final solution as I have bounced this off the other developers. Let me know your feedback in any case.
Test passed. I've just restored default settings and your build has worked fine where released 1.2.10 hadn't. Currently I couldn't test your build in an https environment as well as with soap. I don't use soap and hope https should function as always after your bugfix.
Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.
MantisBT: master f39ad8c9 2012-05-30 22:53

Make test for HTTPS protocol compliant with PHP documentation. Prior to this, the protocol was considered to be HTTPS when isset($_SERVER['HTTPS']) is true, while PHP doc[1] states that HTTPS is "Set to a non-empty value if the script was queried through the HTTPS protocol", so the test should be !empty($_SERVER['HTTPS']) instead. This was causing issues with nginx 1.x with php5fastcgi as $_SERVER['HTTPS'] is set but empty, thus MantisBT redirects all http requests to https. The protocol check has been moved to a new function in http_api.php which is then called wherever it is needed. Note that there are several occurrences of isset($_SERVER['HTTPS']) in the nusoap library; these have not been modified. Fixes 0014333 [1] http://php.net/manual/en/reserved.variables.server.php

Affected Issues: 0014333
mod - config_defaults_inc.php
mod - core/gpc_api.php
mod - core/http_api.php
mod - core/user_api.php
mod - file_download.php
MantisBT: master-1.2.x 0af2d629 2012-05-30 22:53

Make test for HTTPS protocol compliant with PHP documentation. Prior to this, the protocol was considered to be HTTPS when isset($_SERVER['HTTPS']) is true, while PHP doc[1] states that HTTPS is "Set to a non-empty value if the script was queried through the HTTPS protocol", so the test should be !empty($_SERVER['HTTPS']) instead. This was causing issues with nginx 1.x with php5fastcgi as $_SERVER['HTTPS'] is set but empty, thus MantisBT redirects all http requests to https. The protocol check has been moved to a new function in http_api.php which is then called wherever it is needed. Note that there are several occurrences of isset($_SERVER['HTTPS']) in the nusoap library; these have not been modified. Fixes 0014333 [1] http://php.net/manual/en/reserved.variables.server.php

Affected Issues: 0014333
mod - config_defaults_inc.php
mod - core/gpc_api.php
mod - core/http_api.php
mod - core/user_api.php
mod - file_download.php