Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wrong HTTPS detection (with solution) #845

Closed
agivera opened this issue Aug 18, 2013 · 7 comments
Closed

Wrong HTTPS detection (with solution) #845

agivera opened this issue Aug 18, 2013 · 7 comments

Comments

@agivera
Copy link

agivera commented Aug 18, 2013

Hi,

in files:

./public_html/admin/controller/common/header.php
./public_html/catalog/controller/common/header.php

there is detection if page is viewed through https:

if (isset($this->request->server['HTTPS']) && (($this->request->server['HTTPS'] == 'on') || ($this->request->server['HTTPS'] == '1'))) {

althought on my production environment there was no such variable HTTPS I had only HTTP_X_FORWARDED_PROTO instead (probably it was proxied or load balanced) so It should be changed to something like this:

if (
            ( isset($this->request->server['HTTPS']) && (($this->request->server['HTTPS'] == 'on') || ($this->request->server['HTTPS'] == '1')) )
            || ( isset($this->request->server['HTTP_X_FORWARDED_PROTO']) && $this->request->server['HTTP_X_FORWARDED_PROTO'] == 'https' )
        ) {

as a result page was generating wrong:

<base href="http://example.pl/" />

with http:// instead of https:// and it was causing to malfunction $.ajax requests!

Another person also had this issue: http://forum.opencart.com/viewtopic.php?f=20&t=85466

Best Regards,
kgrajek
@robinflyhigh
Copy link
Contributor

How about using protocol relative links.

https://developer.mozilla.org/en-US/docs/Security/MixedContent/fix_website_with_mixed_content

@agivera
Copy link
Author

agivera commented Aug 19, 2013

Is it question for me or OC developers? :)

Anyway: perhaps it might be but keep in mind that these values are taken currently from config.php from HTTP_SERVER and HTTPS_SERVER respectively so it will require rather to strip off protocol part in header.php and use it as a base .... seems ok for me (without testing ;)

BR,
kgrajek

@robinflyhigh
Copy link
Contributor

Good if this gets fixed in config.php

@agivera
Copy link
Author

agivera commented Aug 20, 2013

hmm - I will try and drop a note about results in next few days

@agivera
Copy link
Author

agivera commented Sep 5, 2013

Found one more place to fix with same issue:

./public_html/admin/controller/common/filemanager.php

@ADDCreative
Copy link
Contributor

Try the solution by opencarthelp in OpenCart CE..
opencart-ce/opencart-ce@f7aea63#diff-3

rb2 pushed a commit to rb2/opencart-ce that referenced this issue Nov 3, 2013
Fix for nonstandard HTTP_X_FORWARDED_PROTO header
36260c4 
Fixes https in loadbalancers.

opencart/opencart#845

http://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Common_non-standard_request_headers
danielkerr added a commit that referenced this issue Nov 18, 2013
@danielkerr
renamed the cache files
17d902a 
fixed https issue

#845
@danielkerr
Copy link
Member

added a fix in start.php

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@robinflyhigh @agivera @ADDCreative @danielkerr