(Each project requires you to login separately)

core

Ticket #967 (closed Bug: fixed)

Opened 18 months ago

Last modified 10 months ago

Profile/User - Invalid URLs with SSL-Access

Reported by: gap Owned by: mateo
Priority: major Milestone: 1.2.0
Component: User Management Version: 1.1.2
Severity: Keywords: Invalid URL SSL
Cc: contact@…

Description

Hi,

if I call the website from SSL-Host, links to *Users Profiles* contain an invalid URL:

 https://zikula.technixen.net/https://zikula.technixen.net/index.php?module=Profil&func=view&uname=USER

I configured _no extra_ SSL-Host, because the Domainname stays the same:

 http://zikula.technixen.net/
 https://zikula.technixen.net/

But it doesn't func with configured SSL-Host also. (Tested this)

Change History

comment:1 follow-up: ↓ 3 Changed 18 months ago by Guite

  • Status changed from new to pending

Isn't this more a problem with configuration on server level?
What does "it doesn't func" mean?

comment:2 Changed 18 months ago by Guite

  • Milestone changed from unassigned to 1.1.2

comment:3 in reply to: ↑ 1 Changed 18 months ago by gap

  • Status changed from pending to new

Replying to Guite:

Isn't this more a problem with configuration on server level?

I don't think so, because I elsewhere have no problem,
but only here with this module.

What does "it doesn't func" mean?

It means, the created links are not correct,
if the websites URLs start with " https://"

comment:4 Changed 18 months ago by drak

Would you provide me with a test environment to replicate the problem please?

you can email me at drak at zikula...

comment:5 Changed 14 months ago by Landseer

Any information here to help us finding the problem? Does it happen with Profile/Users? only?

comment:6 follow-up: ↓ 7 Changed 14 months ago by gap

3 months ago I wrote to drak as you told me to. Got no answer from him yet.
The *testcase* is here:  https://www.technixen.net/ Any female Zikula developer may register an account and see ;)

comment:7 in reply to: ↑ 6 ; follow-up: ↓ 8 Changed 14 months ago by Landseer

Replying to gap:

3 months ago I wrote to drak as you told me to. Got no answer from him yet.
The *testcase* is here:  https://www.technixen.net/ Any female Zikula developer may register an account and see ;)

Two problems in this case:

  • the site is using an invalid certificate, issued to webserver.ispgateway.de instead of technixen.net or zikula.technixen.net
  • there is no woman in the dev team, so the bug has to remain unfixed ;-)

comment:8 in reply to: ↑ 7 Changed 14 months ago by lunarchild

Replying to Landseer:

Two problems in this case:

  • the site is using an invalid certificate, issued to webserver.ispgateway.de instead of technixen.net or zikula.technixen.net
  • there is no woman in the dev team, so the bug has to remain unfixed ;-)

I just made a local install, work's fine but on 'Who's online' block this case as described from ticket-opener happens if SSL is enabled.

non-SSL:  http://dev.lc-srv.net/zikula/Profile/view/Lunarchild
with-SSL:  https://dev.lc-srv.net/zikula/https://dev.lc-srv.net/zikula/Profile/view/Lunarchild

It correctly display's the link to user profile(s) on non-SSL, but with it doubles the hostname.

https://dev.lc-srv.net/https://dev.lc-srv.net/
https://zikula.technixen.net/https://zikula.technixen.net/

IMHO it's not because a misconfigured webserver, corrupted or invalid certificate - something like this should not cause the php-interpreter or zikula to make differend output to the client side, as this problem may is caused in the 'Users' module or where the link is prepared for output.

comment:9 Changed 14 months ago by lunarchild

Ok, I think i know why this happens after a short research.

In the file '/system/pnRender/plugins/modifier.userprofilelink.php' there is the function smarty_modifier_userprofilelink, which is preparing the links to the profile's. Interesting are line's 67 + 70 where the parts of each link get together.

        if (strpbrk($string, '/:#')=='') {
            $string = '<a' . $class . ' title="' . DataUtil::formatForDisplay(_PROFILE)
             . ': ' . $string . '" href="' . pnGetBaseURL()
             . DataUtil::formatForDisplay(pnModURL($profileModule, 'user',  'view', array('uname' => $string)))
             . '">' . $show . '</a>';
        } else {
            $uid = pnUserGetIDFromName($string);
            $string = '<a' . $class . ' title="' . DataUtil::formatForDisplay(_PROFILE)
            . ': ' . $string . '" href="' . pnGetBaseURL()
            . DataUtil::formatForDisplay(pnModURL($profileModule, 'user', 'view', array('uid' => $uid)))
            . '">' . $show . '</a>';
        }

In this constellation 2 functions may prepend the protocols - pnGetBaseURL() + pnModURL()

The first enforces it, but the second does prepend it only if there some cases as mentioned for documentation in the providing file for this function (/includes/pnMod.php), for example if ssl is on we get doubled hostname.

comment:10 Changed 14 months ago by Landseer

see also #1095 (closed as duplicate)

comment:11 Changed 14 months ago by drak

  • Version changed from 1.1.1 to 1.1.2
  • Milestone changed from 1.1.2 to 1.2.0

comment:12 Changed 12 months ago by Simon

This fragment from pnModURL is relevant:

830     // Only produce full URL when HTTPS is on or $ssl is set 
831     $siteRoot = ''; 
832     if ((isset($https) && $https == 'on') || $ssl != null || $fqurl == true) { 
833         $protocol = 'http' . (($https == 'on' && $ssl !== false) || $ssl === true ? 's' : ''); 
834         $secureDomain = pnConfigGetVar('secure_domain'); 
835         $siteRoot = $protocol . '://' . (($secureDomain != '') ? $secureDomain : ($host . $baseuri)) . '/'; 
836     }

A full URL is automatically created if HTTPS is on. We simply need to amend the above quoted lines from modifier.userprofilelink.php to remove the call to pnGetBaseURL().

comment:13 Changed 12 months ago by ph

Well, now this is interesting (or not). Currently, the Profile module must be set (in admin settings) for modifier.userprofilelink.php to 'generate' the URL. But ironically, in SVN this setting does not even exist anymore: the Profile module can not be set, thus a link is not being generated by the pnRender plugin.
Anyway, I think the problem described in this ticket is the following.
In modifier.userprofilelink.php, the link is being put together like this:
pnGetBaseURL() . DataUtil::formatForDisplay(pnModURL($profileModule, 'user', 'view', array('uname' => $string)))
Now pnModURL will generate a full URL only if ssl is enabled, else a relative URL will be returned. This makes the prepending pnGetBaseURL() useless. When stripping this, a valid link will always be generated.
But, due to the check for a Profile module, which does not exist in current SVN version, no link will be displayed at all :D

comment:14 Changed 12 months ago by Landseer

...which is correct, because if there is no Profile module (of any kind) installed a link to a profile doesn't make sense.

But it is correct that adding the pnGetBaseURL() to the url in the modifier is wrong. This should ensure a fully qualified url, but we have a special parameter in pnModURL() for this. Iirc this has been fixed in my local system, but not yet committed.

comment:15 Changed 12 months ago by drak

Frank, please commit the fix.

comment:16 Changed 10 months ago by drak

  • Owner set to mateo
  • Status changed from new to assigned

comment:17 Changed 10 months ago by mateo

  • Status changed from assigned to closed
  • Resolution set to fixed

Feedback is required to see if this is finally fixed.

What I know, is that recently I've reviewed out stuff to release 1.2 and I fixed the userprofile modifier issue, would be good to know if there's any bug like this when SSL is enabled.

Closing this... can be reopened if the issue persists.

Note: See TracTickets for help on using tickets.
 
 
Powered by Trac
Design by Arcsin