URL checking improved #4669

Closed

jo-sf (Contributor) commented Oct 14, 2014

When adding the scheme to a URL, use the correct scheme (http or https) and port.
Checking for "http" or "https" via strstr() in the URL also matched these strings embedded in the URL (e.g. in /static/http/index.html); because of that, the checks were changed to strpos().

jo-sf (Contributor, Author) commented Oct 14, 2014

Suppose you have a website accessible via HTTPS and/or via a non-standard port (e.g. 81). If you create an Iframe wrapper menu item pointing to a static page within your website, by default the scheme "http://" and the current server name are prefixed to the given URL if it starts with "/".

You might test this with the static page "/logs/index.html". If you set up your web server such that you access all pages e.g. via port 81 only, you'll get an error within your browser when loading the Iframe, since it will try to load that page via port 80. Similarly, when using HTTPS instead of HTTP, the browser will load the Iframe via HTTP and it will probably complain about mixed content (insecure content within secure context).

Moreover, I found an improper test for the schemes "http" and "https" in this context. The function strstr() returns a match for these strings even if they are embedded anywhere in the URL. I changed this test such that it now checks for "http://" or "https://" at the beginning of the URL by means of strpos().
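
The difference between the two checks described in this pull request, as an added example that is not part of the original thread or of the Joomla code base. The function names, the host name and the ports are assumptions made for illustration, as is the choice to leave URLs that do not start with "/" unchanged.

```php
<?php
// Added illustration; function names are hypothetical, not Joomla code.

// Substring test: true if "http" or "https" occurs anywhere in the URL.
function hasSchemeSubstring(string $url): bool
{
    return strstr($url, 'http') !== false || strstr($url, 'https') !== false;
}

// Anchored test: true only if the URL starts with "http://" or "https://".
// strpos() is case-sensitive; stripos() would also accept "HTTP://".
function hasSchemePrefix(string $url): bool
{
    return strpos($url, 'http://') === 0 || strpos($url, 'https://') === 0;
}

// Prefix a site-relative URL with the scheme, host and port of the current
// request, so an iframe is not loaded via plain HTTP on port 80 by default.
function absolutize(string $url, bool $https, string $host, int $port): string
{
    if (hasSchemePrefix($url) || strpos($url, '/') !== 0) {
        return $url; // already absolute, or not site-relative (assumption: leave as is)
    }
    $scheme   = $https ? 'https' : 'http';
    $default  = $https ? 443 : 80;
    $portPart = ($port === $default) ? '' : ':' . $port;

    return $scheme . '://' . $host . $portPart . $url;
}

// Constructed sample inputs.
$samples = [
    '/static/http/index.html', // contains "http" but has no scheme
    '/logs/index.html',
    'https://example.org/a',
    'http://example.org/b',
];
foreach ($samples as $u) {
    printf("%-26s substring=%-5s prefix=%s\n", $u,
        var_export(hasSchemeSubstring($u), true),
        var_export(hasSchemePrefix($u), true));
}

// Site served on port 81 over HTTP, and over HTTPS on the default and a custom port.
echo absolutize('/logs/index.html', false, 'www.example.org', 81), "\n";
echo absolutize('/logs/index.html', true, 'www.example.org', 443), "\n";
echo absolutize('/static/http/index.html', true, 'www.example.org', 8443), "\n";
```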

brianteeman closed this Jan 1, 2015

brianteeman (Contributor) commented
Thanks for working on this. Unfortunately this did not make it into the final release of Joomla 2.5, or it was handled elsewhere, so this is being closed. If you feel this is still a valid issue in Joomla 3 please create a new issue.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/4669.

jo-sf (Contributor, Author) commented Jan 2, 2015

Well it is still an issue with Joomla 3 and I've already created a
separate ticket regarding this issue, please see #4670 for details.

On 01.01.2015 at 14:01, Brian Teeman wrote:

> Thanks for working on this. Unfortunately this did not make it into the
> final release of Joomla 2.5, or it was handled elsewhere, so this is
> being closed. If you feel this is still a valid issue in Joomla 3 please
> create a new issue.
>
> This comment was created with the J!Tracker Application
> (https://github.com/joomla/jissues) at issues.joomla.org/joomla-cms/4669
> (http://issues.joomla.org/tracker/joomla-cms/4669).

