Project

General

Profile

Actions
Copy link

Bug #76326

closed

Viewpage module assumes HTTP if it cannot assert HTTPS.

Added by Raoul S almost 8 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
-
Target version:
-
Start date:
2016-05-27
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
7
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:
On Location Sprint

Description

In certain environments, e.g. when a load-balancer does not propagate https-information to the webserver, then the viewpage-module assumes it is in a http-environment rather than https. It then builds the url for the <iframe> with a http-scheme-prefix. This is a dangerous behaviour and all evergreen browsers block the iframe from loading.

The following patch changes the sys-extension in a way that it does not assume any browsing-information if they cannot be determined safely. This means, the iframe will have a protocol-independent prefix "//" instead of "http://".

$ git diff typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php
> diff --git a/typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php b/typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php
index 8c27d91..848a4a2 100644
--- a/typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php
+++ b/typo3_src-7.6.9/typo3/sysext/viewpage/Classes/Controller/ViewModuleController.php
@@ -143,12 +143,13 @@ class ViewModuleController extends ActionController
                 if (strpos($domainName, '://') !== false) {
                     $protocolAndHost = $domainName;
                 } else {
-                    $protocol = 'http';
                     $page = (array)$sysPage->getPage($finalPageIdToShow);
                     if ($page['url_scheme'] == 2 || $page['url_scheme'] == 0 && GeneralUtility::getIndpEnv('TYPO3_SSL')) {
                         $protocol = 'https';
+                        $protocolAndHost = $protocol . '://' . $domainName;
+                    } else {
+                        $protocolAndHost = '//' . $domainName;
                     }
-                    $protocolAndHost = $protocol . '://' . $domainName;
                 }
             }
             return $protocolAndHost . '/index.php?id=' . $finalPageIdToShow . $this->getTypeParameterIfSet($finalPageIdToShow) . $mountPointMpParameter . $adminCommand . $languageParameter;
Actions
Copy link

Also available in: Atom PDF