Use the correct protocol for S3 attachment URLs based on the request security level #528
Conversation
…security level Problem: the generated URL for S3 attachments always uses the HTTP protocol. In the context of secure requests (made over HTTPS), the generated URL should use the HTTPS protocol instead. Solution: Chosing the URL protocol during persistence of the attachment is not ideal because the attachment may be used in secured and unsecured contexts later. The correct protocol should be determined during the URL generation. This patch replaces the HTTP protocol and removes the port (:80) from the generated URL whenever the request is secure.
|
Hi Henrique, instead of fixing the String wouldn't it make sense to get the correct URL in the first place? What about replacing the line 142 with:
That should respect the secure setting. Does that work? |
|
Hi Johann, Thanks for your feedback. The original code with the Now I see I wasn't clear about the fact that this patch fixes the problem when the attachment is not proxied. In this case, replacing the What do you think? |
|
If I got it right you need to fix the URL if the delivery is done directly by S3 instead of WO proxying the request. In that case if you access WO via HTTPS the URL for S3 should be HTTPS too but isn't because of the HTTP constant in So it would be better to put the if clause in line 155 in an |
|
Done. |
Use the correct protocol for S3 attachment URLs based on the request security level
Problem: the generated URL for S3 attachments always uses the HTTP protocol. In the context of secure requests (made over HTTPS), the generated URL should use the HTTPS protocol instead.
Solution: Chosing the URL protocol during persistence of the attachment is not ideal because the attachment may be used in secured and unsecured contexts later. The correct protocol should be determined during the URL generation. This patch replaces the HTTP protocol and removes the port (:80) from the generated URL whenever the request is secure.