[PATCH] Add a config option to FORCE_HTTPS_LINKS

Jeremy Kerr jk at ozlabs.org
Sun Oct 13 18:16:41 EST 2013

Hi Konstantin,

> In situations where SSL is terminated at the load-balancer, we cannot
> rely on guessing the scheme based on whether patchwork itself was
> accessed via http or https, since the last-leg is always going to be
> done over http.
> Unfortunately, wrongly using http:// URLs results in unusable
> .pwclientrc files, since xmlrpc does not handle http->https redirects
> and instead displays a traceback.
> This change introduces a FORCE_HTTPS_LINKS option, which forces
> pwclientrc links to always return "https" regardless of how the project
> itself is accessed.

Great, thanks for the contribution. I've merged your patch.

> It appears that the http/https check is currently only used for
> generating pwclientrc -- a lot of other places seem to hardcode
> "http://" and rely on the server to transparently upgrade the
> connection. This is not a secure approach (it allows for MITM and
> SSL-Strip attacks) and therefore all places currently hardcoding
> http://{{site.domain}} and similar should be switched to using the
> "scheme" variable, the same as done for generating pwclientrc files.

Yep, I'd agree. I'll add this to my TODO (unless you beat me to it!)
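The two points in the thread, as an added example that is not Patchwork's own code: a scheme-selection helper showing why the request-based guess fails behind a TLS-terminating load balancer and how a FORCE_HTTPS_LINKS override fixes the generated pwclientrc, plus a small template audit for the hardcoded `http://{{site.domain}}` links. The Settings class, function names, domain and pwclientrc layout are assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Settings:
    """Constructed stand-in for the relevant Patchwork settings."""
    site_domain: str
    force_https_links: bool = False


def link_scheme(request_is_secure: bool, settings: Settings) -> str:
    """Scheme to put in generated links.

    Behind a TLS-terminating load balancer the last hop is plain http, so
    request_is_secure is False even though clients reach the site over https.
    The guess would then emit http:// links; FORCE_HTTPS_LINKS overrides it.
    """
    if settings.force_https_links:
        return "https"
    return "https" if request_is_secure else "http"


def xmlrpc_url(settings: Settings, request_is_secure: bool) -> str:
    return f"{link_scheme(request_is_secure, settings)}://{settings.site_domain}/xmlrpc/"


def pwclientrc(project: str, settings: Settings, request_is_secure: bool) -> str:
    """Render a minimal .pwclientrc (layout assumed, not Patchwork's exact file)."""
    url = xmlrpc_url(settings, request_is_secure)
    return "\n".join(["[options]", f"default={project}", "", f"[{project}]", f"url={url}", ""])


# Constructed template fragment: one link uses the scheme variable, two hardcode http://.
SAMPLE_TEMPLATE = """\
<a href="{{ scheme }}://{{ site.domain }}/project/{{ project }}/">ok</a>
<a href="http://{{ site.domain }}/patch/{{ patch.id }}/">hardcoded</a>
<link rel="alternate" href="http://{{site.domain}}/feed/">feed</link>
"""

HARDCODED_HTTP = re.compile(r"http://\{\{\s*site\.domain\s*\}\}")


def find_hardcoded_http(template_text: str) -> list[int]:
    """Return 1-based line numbers of links that hardcode http:// before site.domain.

    These rely on a server-side upgrade to https, which is what the SSL-strip
    concern in the thread is about; they should use the scheme variable instead.
    """
    return [n for n, line in enumerate(template_text.splitlines(), 1) if HARDCODED_HTTP.search(line)]
```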