[Pmwiki-users] Easily Hackable?
Patrick R. Michaud
pmichaud
Mon Apr 12 14:55:00 CDT 2004
On Mon, Apr 12, 2004 at 01:42:22PM -0700, H. Fox wrote:
>
> Patrick R. Michaud wrote:
> > # Force to SSL mode
> > $ScriptUrl = str_replace('http:','https:',$ScriptUrl,1);
> > $PubDirUrl = str_replace('http:','https:',$PubDirUrl,1);
> > if (!@$_SERVER['HTTPS']) { header("Location: $ScriptUrl"); exit(); }
>
> That does look better. How about using
>
> if (!@$_SERVER['HTTPS']) { header("Location: $ScriptUrl.'/'.$pagename");
> exit(); }
>
> for the last line? I added ".'/'.$pagename" because otherwise if the
> HTTP URL referred to a WikiPage the redirect went to the default
> HomePage rather than the WikiPage-over-SSL. Would using
> ".'?pagename='.$pagename" instead be more compatible? Both work, but
> the first produces a cleaner-looking URL.

You can also do

    if (!@$_SERVER['HTTPS']) Redirect($pagename);

which takes advantage of PmWiki's Redirect-to-page function, and provides
redirects-via-HTML for servers that don't properly process the Location:
header.

> (My original version tested for $_SERVER['SERVER_PORT'] rather than
> $_SERVER['HTTPS'] because I saw the note about "environment variables
> that in some cases may not be provided by the web server" on
> the SquirrelMail plugin page referenced in the earlier posting. Either way
> is effective on my server.)

I checked IIS and Apache and both supply the 'HTTPS' variable
in the environment, which is why I used it. I need to read the
SquirrelMail reference, too (thanks).

> > $ScriptUrl = 'https://secure27.vosn.net/~pmichaud/wiki';
> >
>
> You could use the same code "in reverse" to force HTTP instead of HTTPS,
> but using SSL only for certain sensitive pages would mean having two
> possible values for $ScriptUrl, one for HTTP pages and one for HTTPS
> pages. Could SSL-mode[on|off] somehow be made an attribute of a page or
> WikiGroup? (I don't need this right now. Just wondering...)

It can certainly be done through per-page or per-group customization
files. One could also create a $BrowseDirectives entry that does
something similar based on the markup contents of a wiki page
(I'll write it up if anyone needs it).

Pm
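
An added example, not part of the original message and not PmWiki code: it combines the two server checks discussed in the thread ($_SERVER['HTTPS'] and $_SERVER['SERVER_PORT']) and builds the page-preserving redirect target while keeping unexpected characters out of the Location: header. The helper names, the sample requests, the placeholder host and the page-name pattern are assumptions; the "off" case reflects the PHP manual's note that IIS with ISAPI sets HTTPS to "off" for plain HTTP requests.

```php
<?php
// Added example, not PmWiki code. Helper names and sample values are hypothetical.

// True only when the request really arrived over TLS.
// IIS (ISAPI) sets HTTPS to "off" for plain HTTP, so a bare truthiness
// test on $_SERVER['HTTPS'] would treat that request as already secure.
function is_https(array $server): bool {
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') return true;
    // Fallback for servers that do not supply HTTPS at all.
    return (string)($server['SERVER_PORT'] ?? '') === '443';
}

// Build the redirect target from the configured base URL and the page name.
// Returns the base URL alone when the page name has unexpected characters,
// so CR/LF or a foreign host can never reach the Location: header.
function https_target(string $scriptUrl, string $pagename): string {
    $base = preg_replace('/^http:/i', 'https:', $scriptUrl, 1);
    // Assumption: page names look like Group.Page or Group/Page.
    if (!preg_match('!^[A-Za-z0-9_-]+[./][A-Za-z0-9_-]+\z!', $pagename)) return $base;
    return rtrim($base, '/') . '/' . $pagename;
}

// Constructed sample requests.
$samples = [
    'Apache, HTTP'  => ['SERVER_PORT' => '80'],
    'IIS, HTTP'     => ['HTTPS' => 'off', 'SERVER_PORT' => '80'],
    'Apache, HTTPS' => ['HTTPS' => 'on', 'SERVER_PORT' => '443'],
    'no HTTPS var'  => ['SERVER_PORT' => '443'],
];
foreach ($samples as $label => $server) {
    echo str_pad($label, 15), is_https($server) ? "serve page\n" : "redirect\n";
}

$ScriptUrl = 'http://wiki.example.org/pmwiki.php';   // placeholder host
foreach (['Main.HomePage', "Main.HomePage\r\nSet-Cookie: x=1", '/evil.example/x'] as $p) {
    echo json_encode($p), ' -> ', https_target($ScriptUrl, $p), "\n";
}
```

Only the first page name is appended to the target; the other two fall back to the bare HTTPS base URL.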