08682: Force SSL fails when HTTPS not directly handled by web server

This bug affects 1 person(s).

252

ID	Project	Category	View Status	Date Submitted	Last Update

08682	Bug reports	Security	public	2014-02-07 15:09	2014-02-12 21:20

Reporter	leexxx	Assigned To	c_schmitz
Priority	normal	Severity	minor
Status	closed	Resolution	fixed
Product Version	2.05+

Summary	08682: Force SSL fails when HTTPS not directly handled by web server
Description	I have a setup where https is handled by a different process than the webserver, and http connections are proxied to the webserver on port 80 (with an X-Forwarded-Proto header) . When I check the test link for the https link it works, but setting Force HTTPS results in the site breaking due to redirection loops. Checking the source - the code assumes the webserver (apache) is doing SSL itself. If I alter the code to also check for "X-Forwarded-Proto: https" then everything works.
Steps To Reproduce	1) set Force HTTPS to on in global settings 2) all requests to lime survey get a redirect loop
Additional Information	--- limesurvey/application/helpers/common_helper.php.dist 2014-02-04 12:22:51.000000000 +0000 +++ limesurvey/application/helpers/common_helper.php 2014-02-07 14:05:21.000000000 +0000 @@ -5850,5 +5850,7 @@ function enforceSSLMode() { $bSSLActive = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != "off"); $bSSLActive = ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != "off")\|\| $_SERVER['HTTP_FORWARDED_PROTO']=="https"\|\| $_SERVER['HTTP_X_FORWARDED_PROTO']=="https"); if (Yii::app()->getConfig('ssl_emergency_override') !== true ) {
Tags	No tags attached.

Bug heat	252
Complete LimeSurvey version number (& build)	Version 2.05+ Build 140204
I will donate to the project if issue is resolved	No
Browser
Database type & version	mysql
Server OS (if known)	debian
Webserver software & version (if known)	apache 2
PHP Version	5.4

User List	There are no users monitoring this issue.

c_schmitz 2014-02-07 15:26 administrator ~28555	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13858

c_schmitz 2014-02-07 15:32 administrator ~28556	Thank you!

c_schmitz 2014-02-12 21:20 administrator ~28683	2.05+ Build 140212 released

Date Modified	Username	Field	Change
2014-02-07 15:09	leexxx	New Issue
2014-02-07 15:25	c_schmitz	Assigned To	=> c_schmitz
2014-02-07 15:25	c_schmitz	Status	new => assigned
2014-02-07 15:26	c_schmitz	Changeset attached	=> LimeSurvey master 0b4b2e8c
2014-02-07 15:26	c_schmitz	Note Added: 28555
2014-02-07 15:26	c_schmitz	Resolution	open => fixed
2014-02-07 15:32	c_schmitz	Note Added: 28556
2014-02-07 15:32	c_schmitz	Status	assigned => resolved
2014-02-12 21:20	c_schmitz	Note Added: 28683
2014-02-12 21:20	c_schmitz	Status	resolved => closed

LimeSurvey: master 0b4b2e8c 2014-02-07 15:26 c_schmitz Details Diff	Fixed issue 08682: Force SSL fails when HTTPS not directly handled by web server - patch by leexxx		Affected Issues 08682
	mod - application/helpers/common_helper.php		Diff File

View Issue Details

Users monitoring this issue

Activities

Related Changesets

Issue History