[Pmwiki-users] Easily Hackable?

Patrick R. Michaud pmichaud
Mon Apr 12 14:55:00 CDT 2004


On Mon, Apr 12, 2004 at 01:42:22PM -0700, H. Fox wrote:
> 
> Patrick R. Michaud wrote:
> >    # Force to SSL mode
> >    $ScriptUrl = preg_replace('/^http:/','https:',$ScriptUrl,1);
> >    $PubDirUrl = preg_replace('/^http:/','https:',$PubDirUrl,1);
> >    if (!@$_SERVER['HTTPS']) { header("Location: $ScriptUrl"); exit(); }
> 
> That does look better.  How about using
> 
> if (!@$_SERVER['HTTPS']) { header("Location: $ScriptUrl.'/'.$pagename"); 
> exit(); }
> 
> for the last line?  I added ".'/'.$pagename" because otherwise if the 
> HTTP URL referred to a WikiPage the redirect went to the default 
> HomePage rather than the WikiPage-over-SSL.  Would using 
> ".'?pagename='.$pagename" instead be more compatible?  Both work, but 
> the first produces a cleaner-looking URL.

You can also do

  if (!@$_SERVER['HTTPS']) Redirect($pagename);

which takes advantage of PmWiki's Redirect-to-page function, and provides
redirects-via-HTML for servers that don't properly process the Location:
header.

> (My original version tested for $_SERVER['SERVER_PORT'] rather than 
> $_SERVER['HTTPS'] because I saw the note about "environment variables 
> that in some cases may not be provided by the web server" on 
> the SquirrelMail plugin page referenced in the earlier posting.  Either way 
> is effective on my server.)

I checked IIS and Apache and both supply the 'HTTPS' variable
in the environment, which is why I used it.   I need to read the
SquirrelMail reference, too (thanks).

> >   $ScriptUrl = 'https://secure27.vosn.net/~pmichaud/wiki';
> >
> 
> You could use the same code "in reverse" to force HTTP instead of HTTPS, 
> but using SSL only for certain sensitive pages would mean having two 
> possible values for $ScriptUrl, one for HTTP pages and one for HTTPS 
> pages.  Could SSL-mode[on|off] somehow be made an attribute of a page or 
> WikiGroup?  (I don't need this right now.  Just wondering...)

It can certainly be done through per-page or per-group customization
files.  One could also create a $BrowseDirectives entry that does
something similar based on the markup contents of a wiki page
(I'll write it up if anyone needs it).

Pm
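
The thread compares testing $_SERVER['HTTPS'] with testing $_SERVER['SERVER_PORT'] and appends $pagename to the redirect URL. The following is an added example, not code from this message or from PmWiki: it combines both tests, treats the value "off" that IIS reports for plain HTTP as not secure, and rejects page names that could break the Location header. The helper names, the sample URL and the allowed page-name character set are assumptions.

```php
<?php
// Added example, not PmWiki code; helper names are hypothetical.

// True when the request arrived over TLS. IIS (ISAPI) sets HTTPS to "off"
// for plain HTTP, so a bare truthiness test is not enough; SERVER_PORT is
// the fallback for servers that do not supply HTTPS at all.
function request_is_https(array $server): bool {
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    if ($https !== '') return $https !== 'off';
    return (string)($server['SERVER_PORT'] ?? '') === '443';
}

// Build the https:// URL for a page. Returns null when the page name has
// characters outside an assumed safe set, which keeps CR/LF out of the
// Location header value.
function https_target(string $scriptUrl, string $pagename): ?string {
    $base = preg_replace('/^http:/i', 'https:', $scriptUrl, 1);
    if ($pagename === '') return $base;
    // \z (not $) so a trailing newline cannot slip through.
    if (!preg_match('#^[A-Za-z0-9][A-Za-z0-9._/-]*\z#', $pagename)) return null;
    return rtrim($base, '/') . '/' . $pagename;
}

// Constructed sample inputs, not taken from any real server.
$ScriptUrl = 'http://wiki.example.org/pmwiki.php';
$cases = [
    ['HTTPS' => 'on',  'SERVER_PORT' => '443'],  // Apache over TLS
    ['HTTPS' => 'off', 'SERVER_PORT' => '80'],   // IIS over plain HTTP
    ['SERVER_PORT' => '80'],                     // HTTPS variable missing
    ['SERVER_PORT' => '443'],                    // only the port is available
];
foreach ($cases as $server) {
    $mode = request_is_https($server) ? 'https' : 'http';
    echo json_encode($server), " => $mode\n";
}

// A normal page name, then one carrying an embedded CR/LF (rejected).
foreach (['Main/HomePage', "Main/HomePage\r\nX-Test: 1"] as $pagename) {
    var_dump(https_target($ScriptUrl, $pagename));
}
```

In a configuration file the redirect would be sent only when request_is_https($_SERVER) is false, using https_target($ScriptUrl, $pagename) and falling back to the bare script URL when it returns null.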


