[PATCH] Add a config option to FORCE_HTTPS_LINKS

Jeremy Kerr jk at ozlabs.org
Sun Oct 13 18:16:41 EST 2013


Hi Konstantin,

> In situations where SSL is terminated at the load-balancer, we cannot
> rely on guessing the scheme based on whether patchwork itself was
> accessed via http or https, since the last-leg is always going to be
> done over http.
> 
> Unfortunately, wrongly using http:// URLs results in unusable
> .pwclientrc files, since xmlrpc does not handle http->https redirects
> and instead displays a traceback.
> 
> This change introduces a FORCE_HTTPS_LINKS option, which forces
> pwclientrc links to always return "https" regardless of how the project
> itself is accessed.

Great, thanks for the contribution. I've merged your patch.

> It appears that the http/https check is currently only used for
> generating pwclientrc -- a lot of other places seem to hardcode
> "http://" and rely on the server to transparently upgrade the
> connection. This is not a secure approach (it allows for MITM and
> SSL-Strip attacks) and therefore all places currently hardcoding
> http://{{site.domain}} and similar should be switched to using the
> "scheme" variable, the same as done for generating pwclientrc files.

Yep, I'd agree. I'll add this to my TODO (unless you beat me to it!)

Cheers,


Jeremy
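The scheme decision the patch description above talks about, as an added example that is not Patchwork's own code: a TLS-terminating load balancer leaves the last hop plain HTTP, so a request-based guess yields `http://` links, and an explicit setting overrides the guess. The `Request` and `Settings` stand-ins and the pwclientrc layout are assumptions made for the example.

```python
# Added example (not Patchwork's code): how a FORCE_HTTPS_LINKS setting
# overrides scheme detection when TLS is terminated in front of the app.
# Request, Settings and the pwclientrc layout below are assumptions.
from dataclasses import dataclass


@dataclass
class Request:
    """Minimal stand-in for a web request: only what scheme detection needs."""
    host: str
    is_secure: bool  # True only when the last hop to the app server itself is TLS


@dataclass
class Settings:
    FORCE_HTTPS_LINKS: bool = False


def link_scheme(request: Request, settings: Settings) -> str:
    """Scheme to embed in generated links.

    Behind a TLS-terminating load balancer, request.is_secure is always
    False, so inferring the scheme from the request produces http:// links.
    FORCE_HTTPS_LINKS makes the decision explicit instead of inferred.
    """
    if settings.FORCE_HTTPS_LINKS:
        return "https"
    return "https" if request.is_secure else "http"


def render_pwclientrc(project: str, request: Request, settings: Settings) -> str:
    """Render a .pwclientrc pointing pwclient at the project's XML-RPC endpoint."""
    scheme = link_scheme(request, settings)
    return (
        "[options]\n"
        f"default={project}\n\n"
        f"[{project}]\n"
        f"url={scheme}://{request.host}/xmlrpc/\n"
    )


if __name__ == "__main__":
    # Constructed case: the load balancer did TLS, the hop to the app did not.
    behind_lb = Request(host="patchwork.example.org", is_secure=False)
    # Without the option the file points pwclient at http://, which then
    # hits the https redirect that xmlrpc cannot follow.
    print(render_pwclientrc("some-project", behind_lb, Settings()))
    print(render_pwclientrc("some-project", behind_lb, Settings(FORCE_HTTPS_LINKS=True)))
```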
