View Issue Details

ID: 0014333
Project: mantisbt
Category: other
View Status: public
Last Update: 2014-09-23 18:05
Reporter: stainlessstill
Assigned To: dregad
Priority: urgent
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Platform: nginx 1.1.19 + php5fastcgi
OS: debian
OS Version: 6.0
Product Version: 1.2.10
Target Version: 1.2.11
Fixed in Version: 1.2.11
Summary: 0014333: mantis bt switches to https from http
Description

Mantis BT stopped working under HTTP (non-HTTPS) since nginx 1.x added the SERVER['HTTPS'] parameter to the fastcgi environment by default (see /etc/nginx/fastcgi_params). Pre-1.x versions of nginx didn't have it by default and everything went fine.

Now, under nginx 1.x with SERVER['HTTPS'] passed to the fastcgi environment, Mantis BT throws every HTTP request to HTTPS. The reason for this is the lame check of the SERVER['HTTPS'] state everywhere in the script. For example (config_defaults_inc.php):


    if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
        $t_protocol = 'https';
    }

Mantis expects SERVER['HTTPS'] to be absent or set to 'off', but this is the wrong approach. It doesn't take into account the case where it exists but is empty, as it should be according to the manual.

http://php.net/manual/en/reserved.variables.server.php :
SERVER['HTTPS'] Set to a non-empty value if the script was queried through HTTPS. PS. with IIS the value will be off if the request was non-HTTPS.

So, right in the manual it is written that it should be non-empty and not 'off' to indicate HTTPS. But it may exist and be empty in the HTTP state.

The code above should be something like:


    if ( isset( $_SERVER['HTTPS'] ) && !empty( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
        $t_protocol = 'https';
    }

And it has to be modified not in a single file but through all the scripts in Mantis, as this issue deals with cookies, redirects etc.

Steps To Reproduce
  1. take nginx-full 1.1.19 from backports
  2. set up php5 fastcgi
  3. leave default settings for both
  4. set up vhost for mantis bt under nginx in non-https mode
  5. every attempt to reach http://mantis.example.com throws you to https://...
Additional Information

Workaround for nginx 1.1.19 and php5-FastCGI.

Edit your /etc/nginx/fastcgi_params file and comment out "fastcgi_param HTTPS" for the time being

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

dregad (developer), 2012-05-31 05:13, ~0031931

If a variable is not empty, then (by definition) it is set, so it's redundant to test

isset( $_SERVER['HTTPS'] ) && !empty( $_SERVER['HTTPS'] )

thus the check should be

if( !empty( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {

I do not have access to an nginx setup, so could you please test this and confirm ?

As you mentioned, this involves changes in several MantisBT APIs. This can be taken care of.

However, I also noted several occurrences of $_SERVER['HTTPS'] in the nusoap library, which is used for our soap api. We avoid patching bundled libraries as much as possible, so if you are using the soap api and notice similar problems, then I suggest you report a bug upstream[1]

[1] http://sourceforge.net/projects/nusoap/
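As an added illustration (not MantisBT's own code; the function names are hypothetical), here are the 1.2.10 check and the corrected !empty() check side by side, run over constructed $_SERVER-style environments, including the nginx 1.x case where HTTPS is present but empty:

```php
<?php
// Added example, not code from MantisBT. Decide whether a request came in over
// HTTPS from a $_SERVER-style array, following the PHP manual's rule that
// HTTPS is "set to a non-empty value" for TLS requests, and treating IIS's
// literal 'off' as plain HTTP.
function example_is_https( array $p_server ) {
    // Absent, '', null and '0' are all "empty" in PHP: plain HTTP.
    // The nginx 1.x case (HTTPS passed through fastcgi_params but empty)
    // lands here, which is the behaviour the report asks for.
    if( empty( $p_server['HTTPS'] ) ) {
        return false;
    }
    return strtolower( $p_server['HTTPS'] ) !== 'off';
}

// The 1.2.10 check, reproduced for comparison: isset() alone accepts an
// empty string as "HTTPS", which is what sent every http request to https.
function example_is_https_old( array $p_server ) {
    return isset( $p_server['HTTPS'] ) && strtolower( $p_server['HTTPS'] ) != 'off';
}

// Constructed sample environments (not captured from a real server).
$t_cases = array(
    'nginx 1.x over http (HTTPS set but empty)' => array( 'HTTPS' => '' ),
    'apache over http (HTTPS absent)'           => array(),
    'IIS over http'                             => array( 'HTTPS' => 'off' ),
    'apache over https'                         => array( 'HTTPS' => 'on' ),
    'other fastcgi over https'                  => array( 'HTTPS' => '1' ),
);

foreach( $t_cases as $t_name => $t_server ) {
    printf( "%-42s old=%-6s new=%s\n", $t_name,
        example_is_https_old( $t_server ) ? 'https' : 'http',
        example_is_https( $t_server ) ? 'https' : 'http' );
}
```

The old and new checks only disagree on the first row, the "set but empty" case. Because the same answer feeds redirects and the secure flag on cookies, getting it wrong in the other direction (reporting http on a real TLS request) would be the more serious failure, so the positive cases are worth keeping in the comparison when testing a change like this.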

dregad (developer), 2012-05-31 06:11, ~0031933

Please test this, which I think should fix the problem.

https://github.com/dregad/mantisbt/tree/fix-14333-https-nginx

Note that this may or may not be the final solution as I have bounced this off the other developers. Let me know your feedback in any case.

stainlessstill (reporter), 2012-05-31 07:00, ~0031935 (last edited: 2012-05-31 07:03)

Test passed. I've just restored default settings and your build has worked fine where released 1.2.10 hadn't.
Thank you.

Currently I couldn't test your build in https environment as well as with soap. I don't use soap and hope https should function as always after your bugfix.

grangeway (reporter), 2013-04-05 17:57, ~0036274

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master f39ad8c9 (2012-05-30 22:53, dregad)
Make test for HTTPS protocol compliant with PHP documentation

Prior to this, the protocol was considered to be HTTPS when
isset($_SERVER['HTTPS']) is true, while PHP doc[1] states that HTTPS is
"Set to a non-empty value if the script was queried through the HTTPS
protocol" so the test should be !empty($_SERVER['HTTPS']) instead.

This was causing issues with nginx 1.x with php5fastcgi as
$_SERVER['HTTPS'] is set but empty, thus MantisBT redirects all http
requests to https.

The protocol check has been moved to a new function in http_api.php
which is then called wherever it is needed.

Note that there are several occurrences of isset($_SERVER['HTTPS']) in
the nusoap library; these have not been modified.

Fixes 0014333

[1] http://php.net/manual/en/reserved.variables.server.php
Affected Issues: 0014333
mod - config_defaults_inc.php
mod - core/gpc_api.php
mod - core/http_api.php
mod - core/user_api.php
mod - file_download.php

MantisBT: master-1.2.x 0af2d629 (2012-05-30 22:53, dregad)

Commit message identical to master f39ad8c9 above.

Affected Issues: 0014333
mod - config_defaults_inc.php
mod - core/gpc_api.php
mod - core/http_api.php
mod - core/user_api.php
mod - file_download.php