Bug #76326

closed

Viewpage module assumes HTTP if it cannot assert HTTPS.

Added by Raoul S almost 8 years ago. Updated over 5 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2016-05-27
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus: On Location Sprint

Description

In certain environments, e.g. when a load balancer does not propagate HTTPS information to the web server, the viewpage module assumes it is in an HTTP environment rather than HTTPS. It then builds the URL for the <iframe> with an http scheme prefix. This is dangerous behaviour, and all evergreen browsers block the iframe from loading.

The following patch changes the sys-extension so that it does not assume any browsing information if it cannot be determined safely. This means the iframe will have a protocol-independent prefix "//" instead of "http://".

$ git diff typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php
> diff --git a/typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php b/typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php
index 8c27d91..848a4a2 100644
--- a/typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php
+++ b/typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php
@@ -143,12 +143,13 @@ class ViewModuleController extends ActionController
                 if (strpos($domainName, '://') !== false) {
                     $protocolAndHost = $domainName;
                 } else {
-                    $protocol = 'http';
                     $page = (array)$sysPage->getPage($finalPageIdToShow);
                     if ($page['url_scheme'] == 2 || $page['url_scheme'] == 0 && GeneralUtility::getIndpEnv('TYPO3_SSL')) {
                         $protocol = 'https';
+                        $protocolAndHost = $protocol . '://' . $domainName;
+                    } else {
+                        $protocolAndHost = '//' . $domainName;
                     }
-                    $protocolAndHost = $protocol . '://' . $domainName;
                 }
             }
             return $protocolAndHost . '/index.php?id=' . $finalPageIdToShow . $this->getTypeParameterIfSet($finalPageIdToShow) . $mountPointMpParameter . $adminCommand . $languageParameter;
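
Review bot: In the new else branch (`$protocolAndHost = '//' . $domainName;`), every page that fails the HTTPS test gets a scheme-relative URL, including pages whose `url_scheme` is set to something other than 0 or 2. Before this change those pages were always built with `http://`; now they inherit whatever scheme the backend itself was loaded over. If that is intended, state it in a comment; otherwise restrict the `//` fallback to `url_scheme == 0` and keep an explicit scheme for the remaining values. With the `$protocol = 'http'` default removed, `$protocol` is assigned and read only inside the if branch, so it can be dropped in favour of `'https://' . $domainName`. The condition on the unchanged context line mixes `||` and `&&` without parentheses and uses loose `==`; grouping the `&&` term explicitly would make the precedence this fix relies on visible to the next reader.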

Actions #1

Updated by Raoul S almost 8 years ago

  • Project changed from 2940 to TYPO3 Core

Actions #2

Updated by Susanne Moog over 5 years ago

  • TYPO3 Version set to 7
  • Sprint Focus set to On Location Sprint

Actions #3

Updated by Benni Mack over 5 years ago

  • Status changed from New to Closed

Hi Raoul,

we fixed this in v9 (couldn't make this possible in older versions otherwise it would've been a bigger impact with possible regressions). Hope that's ok for you.

Thanks for your report, and if you have another solution to have it fixed in v7 or v8, let me know.

All the best,
Benni.
