Patchwork Add a config option to FORCE_HTTPS_LINKS

login
register
mail settings
Submitter Konstantin Ryabitsev
Date Oct. 11, 2013, 2:47 p.m.
Message ID <1381502850-20246-1-git-send-email-mricon@kernel.org>
Download mbox | patch
Permalink /patch/282781/
State Accepted
Headers show

Comments

Konstantin Ryabitsev - Oct. 11, 2013, 2:47 p.m.
In situations where SSL is terminated at the load-balancer, we cannot
rely on guessing the scheme based on whether patchwork itself was
accessed via http or https, since the last-leg is always going to be
done over http.

Unfortunately, wrongly using http:// URLs results in unusable
.pwclientrc files, since xmlrpc does not handle http->https redirects
and instead displays a traceback.

This change introduces a FORCE_HTTPS_LINKS option, which forces
pwclientrc links to always return "https" regardless of how the project
itself is accessed.

It appears that the http/https check is currently only used for
generating pwclientrc -- a lot of other places seem to hardcode
"http://" and rely on the server to transparently upgrade the
connection. This is not a secure approach (it allows for MITM and
SSL-Strip attacks) and therefore all places currently hardcoding
http://{{site.domain}} and similar should be switched to using the
"sheme" variable, the same as done for generating pwclientrc files.
---
 apps/patchwork/views/base.py | 2 +-
 apps/settings.py             | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
Jeremy Kerr - Oct. 13, 2013, 7:16 a.m.
Hi Konstantin,

> In situations where SSL is terminated at the load-balancer, we cannot
> rely on guessing the scheme based on whether patchwork itself was
> accessed via http or https, since the last-leg is always going to be
> done over http.
> 
> Unfortunately, wrongly using http:// URLs results in unusable
> .pwclientrc files, since xmlrpc does not handle http->https redirects
> and instead displays a traceback.
> 
> This change introduces a FORCE_HTTPS_LINKS option, which forces
> pwclientrc links to always return "https" regardless of how the project
> itself is accessed.

Great, thanks for the contribution. I've merged your patch.

> It appears that the http/https check is currently only used for
> generating pwclientrc -- a lot of other places seem to hardcode
> "http://" and rely on the server to transparently upgrade the
> connection. This is not a secure approach (it allows for MITM and
> SSL-Strip attacks) and therefore all places currently hardcoding
> http://{{site.domain}} and similar should be switched to using the
> "sheme" variable, the same as done for generating pwclientrc files.

Yep, I'd agree. I'll add this to my TODO (unless you beat me to it!)

Cheers,


Jeremy

Patch

diff --git a/apps/patchwork/views/base.py b/apps/patchwork/views/base.py
index 82c0368..6b54a9b 100644
--- a/apps/patchwork/views/base.py
+++ b/apps/patchwork/views/base.py
@@ -42,7 +42,7 @@  def pwclientrc(request, project_id):
     project = get_object_or_404(Project, linkname = project_id)
     context = PatchworkRequestContext(request)
     context.project = project
-    if request.is_secure():
+    if settings.FORCE_HTTPS_LINKS or request.is_secure():
         context['scheme'] = 'https'
     else:
         context['scheme'] = 'http'
diff --git a/apps/settings.py b/apps/settings.py
index 537c380..43a37d8 100644
--- a/apps/settings.py
+++ b/apps/settings.py
@@ -114,6 +114,11 @@  ENABLE_XMLRPC = False
 # of patchwork
 COMPAT_REDIR = True
 
+# Set to True to always generate https:// links instead of guessing
+# the scheme based on current access. This is useful if SSL protocol
+# is terminated upstream of the server (e.g. at the load balancer)
+FORCE_HTTPS_LINKS = False
+
 try:
     from local_settings import *
 except ImportError, ex: