
List:       squirrelmail-cvs
Subject:    [SM-CVS] SF.net SVN: squirrelmail:[13335]
From:       pdontthink () users ! sourceforge ! net
Date:       2008-11-26 2:54:10
Message-ID: E1L5AXa-0007oy-6h () dn4whf1 ! ch3 ! sourceforge ! com

Revision: 13335
          http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13335&view=rev
Author:   pdontthink
Date:     2008-11-26 02:54:09 +0000 (Wed, 26 Nov 2008)

Log Message:
-----------
Fix HTTPS detection under Windows IIS (#2318118)

Modified Paths:
--------------
    branches/SM-1_4-STABLE/squirrelmail/ChangeLog
    branches/SM-1_4-STABLE/squirrelmail/functions/global.php
    branches/SM-1_4-STABLE/squirrelmail/functions/strings.php

Modified: branches/SM-1_4-STABLE/squirrelmail/ChangeLog
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/ChangeLog	2008-11-25 11:33:00 UTC (rev 13334)
+++ branches/SM-1_4-STABLE/squirrelmail/ChangeLog	2008-11-26 02:54:09 UTC (rev 13335)
@@ -7,6 +7,9 @@
   - Allow control over white space wrapping of auto-generated
     SquirrelMail option widgets.
   - Fix matching of alternate identities when replying.
+  - Fix HTTPS detection under Windows IIS that was incorrectly
+    setting cookies to be transmitted only over a secure
+    connections when none existed (#2318118).
 
 Version 1.4.16 - 28 September 2008
 ----------------------------------

Modified: branches/SM-1_4-STABLE/squirrelmail/functions/global.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/functions/global.php	2008-11-25 11:33:00 UTC \
                (rev 13334)
+++ branches/SM-1_4-STABLE/squirrelmail/functions/global.php	2008-11-26 02:54:09 UTC \
(rev 13335)
@@ -83,6 +83,11 @@
 require_once(SM_PATH . 'functions/strings.php');
 require_once(SM_PATH . 'config/config.php');
 
+/**
+ * Detect SSL connections
+ */
+$is_secure_connection = is_ssl_secured_connection();
+
 /** set the name of the session cookie */
 if(isset($session_name) && $session_name) {
     ini_set('session.name' , $session_name);
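Review bot: The new module-level `$is_secure_connection = is_ssl_secured_connection();` only yields the configured result because it sits after `require_once(SM_PATH . 'config/config.php')` on the line above it — the detection function reads `$sq_ignore_http_x_forwarded_headers` and `$sq_https_port`, which the commit's own docblock says live in config/config_local.php (presumably pulled in by config.php). That ordering constraint is not visible from the three-line comment, so I would extend it: `Detect SSL connections; must run after config.php (and config_local.php) are loaded, because the detection honours $sq_ignore_http_x_forwarded_headers and $sq_https_port`. It is also worth stating that the value is a per-request snapshot: later readers such as sqsetcookie() and get_location() consult this global rather than re-evaluating the request headers.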
@@ -425,9 +430,9 @@
                      $bSecure=false, $bHttpOnly=true, $bReplace=false) {
 
     // if we have a secure connection then limit the cookies to https only.
-    if ($sName && isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']) {
+    global $is_secure_connection;
+    if ($sName && $is_secure_connection)
         $bSecure = true;
-    }
 
     // admin config can override the restriction of secure-only cookies
     //
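Review bot: The rewritten guard drops the braces the removed lines had — `if ($sName && $is_secure_connection)` is now followed by a bare `$bSecure = true;` while the rest of sqsetcookie() (the `}` kept further down this hunk) uses braced blocks; I would keep `if ($sName && $is_secure_connection) { $bSecure = true; }`. The `global $is_secure_connection;` line is inserted after the comment that explains the `if`, so the comment now reads as documentation for the global; move the declaration above the comment. Note also that if global.php's top-level assignment has not run for any reason, the global is null and the cookie silently loses its Secure flag, which is worth a one-line comment here: `// relies on $is_secure_connection set at load time in this file`. sqsetcookie's signature begins before this hunk and its body continues past it.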
@@ -466,3 +471,52 @@
     }
 }
 
+/**
+ * Detect whether or not we have a SSL secured (HTTPS)
+ * connection to the browser
+ *
+ * It is thought to be so if you have 'SSLOptions +StdEnvVars'
+ * in your Apache configuration,
+ *     OR if you have HTTPS set to a non-empty value (except "off")
+ *        in your HTTP_SERVER_VARS,
+ *     OR if you have HTTP_X_FORWARDED_PROTO=https in your HTTP_SERVER_VARS,
+ *     OR if you are on port 443.
+ *
+ * Note: HTTP_X_FORWARDED_PROTO could be sent from the client and
+ *       therefore possibly spoofed/hackable - for now, the
+ *       administrator can tell SM to ignore this value by setting 
+ *       $sq_ignore_http_x_forwarded_headers to boolean TRUE in
+ *       config/config_local.php, but in the future we may
+ *       want to default this to TRUE and make administrators
+ *       who use proxy systems turn it off (see 1.5.2+).
+ *
+ * Note: It is possible to run SSL on a port other than 443, and
+ *       if that is the case, the administrator should set
+ *       $sq_https_port to the applicable port number in
+ *       config/config_local.php
+ *
+ * @return boolean TRUE if the current connection is SSL-encrypted;
+ *                 FALSE otherwise.
+ *
+ * @since 1.4.17 and 1.5.2 
+ *
+ */
+function is_ssl_secured_connection()
+{ 
+    global $sq_ignore_http_x_forwarded_headers, $sq_https_port;
+    $https_env_var = getenv('HTTPS');
+    if ($sq_ignore_http_x_forwarded_headers
+     || !sqgetGlobalVar('HTTP_X_FORWARDED_PROTO', $forwarded_proto, SQ_SERVER))
+        $forwarded_proto = '';
+    if (empty($sq_https_port)) // won't work with port 0 (zero)
+       $sq_https_port = 443;
+    if ((isset($https_env_var) && strcasecmp($https_env_var, 'on') === 0)
+     || (sqgetGlobalVar('HTTPS', $https, SQ_SERVER) && !empty($https)
+      && strcasecmp($https, 'off') !== 0)
+     || (strcasecmp($forwarded_proto, 'https') === 0)
+     || (sqgetGlobalVar('SERVER_PORT', $server_port, SQ_SERVER)
+      && $server_port == $sq_https_port))
+        return TRUE;
+    return FALSE;
+}
+
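Review bot: `is_ssl_secured_connection()` writes back into the administrator's configuration global — `if (empty($sq_https_port)) $sq_https_port = 443;` assigns through the `global` binding, so every later reader of `$sq_https_port` sees 443 as if it had been configured; use a local instead, `$https_port = empty($sq_https_port) ? 443 : $sq_https_port;` and compare against `$https_port` in the SERVER_PORT clause. The `isset($https_env_var)` test is always true because `getenv()` returns `false` (not null) when the variable is absent; the intended check is `$https_env_var !== false && strcasecmp($https_env_var, 'on') === 0`. The port test uses loose `==` on a string taken from the server environment; `(int) $server_port === (int) $https_port` says what is meant and avoids PHP's mixed-type comparison rules.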

Modified: branches/SM-1_4-STABLE/squirrelmail/functions/strings.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/functions/strings.php	2008-11-25 11:33:00 UTC \
                (rev 13334)
+++ branches/SM-1_4-STABLE/squirrelmail/functions/strings.php	2008-11-26 02:54:09 UTC \
(rev 13335)
@@ -275,7 +275,8 @@
  */
 function get_location () {
 
-    global $imap_server_type, $config_location_base;
+    global $imap_server_type, $config_location_base,
+           $is_secure_connection, $sq_ignore_http_x_forwarded_headers;
 
     /* Get the path, handle virtual directories */
     if(strpos(php_self(), '?')) {
@@ -299,25 +300,13 @@
 
     /* Check if this is a HTTPS or regular HTTP request. */
     $proto = 'http://';
-
-    /*
-     * If you have 'SSLOptions +StdEnvVars' in your apache config
-     *     OR if you have HTTPS=on in your HTTP_SERVER_VARS
-     *     OR if you have HTTP_X_FORWARDED_PROTO=https in your HTTP_SERVER_VARS
-     *     OR if you are on port 443
-     */
-    $getEnvVar = getenv('HTTPS');
-    if (!sqgetGlobalVar('HTTP_X_FORWARDED_PROTO', $forwarded_proto, SQ_SERVER))
-        $forwarded_proto = '';
-    if ((isset($getEnvVar) && strcasecmp($getEnvVar, 'on') === 0) ||
-        (sqgetGlobalVar('HTTPS', $https_on, SQ_SERVER) && strcasecmp($https_on, \
                'on') === 0) ||
-        (strcasecmp($forwarded_proto, 'https') === 0) ||
-        (sqgetGlobalVar('SERVER_PORT', $server_port, SQ_SERVER) &&  $server_port == \
443)) {
+    if ($is_secure_connection)
         $proto = 'https://';
-    }
 
     /* Get the hostname from the Host header or server config. */
-    if ( !sqgetGlobalVar('HTTP_X_FORWARDED_HOST', $host, SQ_SERVER) || empty($host) \
) {
+    if ($sq_ignore_http_x_forwarded_headers
+     || !sqgetGlobalVar('HTTP_X_FORWARDED_HOST', $host, SQ_SERVER)
+     || empty($host)) {
         if ( !sqgetGlobalVar('HTTP_HOST', $host, SQ_SERVER) || empty($host) ) {
             if ( !sqgetGlobalVar('SERVER_NAME', $host, SQ_SERVER) || empty($host) ) \
{  $host = '';
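Review bot: The new `$sq_ignore_http_x_forwarded_headers` condition only skips the proxy header; when it is set, control falls through to `HTTP_HOST` on the very next line, which is supplied by the client just as `HTTP_X_FORWARDED_HOST` is, so the flag does not make the computed location trustworthy on its own — I would say so next to the new condition, e.g. `// ignoring the proxy header still falls back to the client-supplied Host header`. The replaced `if ($is_secure_connection)` also loses the braces of the block it replaces (the closing `}` is deleted), unlike the remaining `if ( ... ) {` lines in this hunk; keep `{ ... }` around `$proto = 'https://';`. get_location() now depends on global.php having assigned `$is_secure_connection`; where it has not, the global is null and `$proto` silently stays `http://`. The function starts before this hunk and continues past it.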


-----
squirrelmail-cvs mailing list
List address: squirrelmail-cvs@lists.sourceforge.net
List info (subscribe/unsubscribe/change options): \
                https://lists.sourceforge.net/lists/listinfo/squirrelmail-cvs
Repository: http://squirrelmail.org/svn


