Bug #76326: Viewpage module assumes HTTP if it cannot assert HTTPS. - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #76326

closed

Viewpage module assumes HTTP if it cannot assert HTTPS.

Added by Raoul S over 8 years ago. Updated about 6 years ago.

Status:

Closed

Priority:

Must have

Assignee:

Category:

Target version:

Start date:

2016-05-27

Due date:

% Done:

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

On Location Sprint

Description

In certain environments, e.g. when a load-balancer does not propagate https-information to the webserver, then the viewpage-module assumes it is in a http-environment rather than https. It then builds the url for the <iframe> with a http-scheme-prefix. This is a dangerous behaviour and all evergreen browsers block the iframe from loading.

The following patch changes the sys-extension in a way that it does not assume any browsing-information if they cannot be determined safely. This means, the iframe will have a protocol-independent prefix "//" instead of "http://".

$ git diff typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php
> diff --git a/typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php b/typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php
index 8c27d91..848a4a2 100644
--- a/typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php
+++ b/typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php
@@ -143,12 +143,13 @@ class ViewModuleController extends ActionController
                 if (strpos($domainName, '://') !== false) {
                     $protocolAndHost = $domainName;
                 } else {
-                    $protocol = 'http';
                     $page = (array)$sysPage->getPage($finalPageIdToShow);
                     if ($page['url_scheme'] == 2 || $page['url_scheme'] == 0 && GeneralUtility::getIndpEnv('TYPO3_SSL')) {
                         $protocol = 'https';
+                        $protocolAndHost = $protocol . '://' . $domainName;
+                    } else {
+                        $protocolAndHost = '//' . $domainName;
                     }
-                    $protocolAndHost = $protocol . '://' . $domainName;
                 }
             }
             return $protocolAndHost . '/index.php?id=' . $finalPageIdToShow . $this->getTypeParameterIfSet($finalPageIdToShow) . $mountPointMpParameter . $adminCommand . $languageParameter;

Actions

Copy link

Updated by Raoul S over 8 years ago

Project changed from 2940 to TYPO3 Core

Actions

Copy link

Updated by Susanne Moog about 6 years ago

TYPO3 Version set to 7
Sprint Focus set to On Location Sprint

Actions

Copy link

Updated by Benni Mack about 6 years ago

Status changed from New to Closed

Hi Raoul,

we fixed this in v9 (couldn't make this possible in older versions otherwise it would've been a bigger impact with possible regressions). Hope that's ok for you.

Thanks for your report, and if you have another solution to have it fixed in v7 or v8, let me know.

All the best,
Benni.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Watchers (2)

Bug #76326

Viewpage module assumes HTTP if it cannot assert HTTPS.

Updated by Raoul S over 8 years ago

Updated by Susanne Moog about 6 years ago

Updated by Benni Mack about 6 years ago