[ic] ExtraSecure and special_pages/violation - PATCH

Angus Rogerson arogerso at uwaterloo.ca
Thu Nov 14 17:21:10 UTC 2013


On 2013-11-13, at 10:37 AM, Jon Jensen wrote:

> On Wed, 6 Nov 2013, Angus Rogerson wrote:
> 
>>> On Fri, 25 Oct 2013, Angus Rogerson wrote:
>>> 
>>>> In an email exchange ending with http://www.icdevgroup.org/pipermail/interchange-users/2009-December/051506.html, Jon and Tom described a solution for better behaviour for the ExtraSecure feature.
>>>> 
>>>> In an email http://www.icdevgroup.org/pipermail/interchange-users/2013-May/054042.html, Paul hints at the need for similar functionality.
>>>> 
>>>> The patch below implements this feature in 5.8.0. Sorry, I don't have git.
>>>> 
>>>> With this patch, the user gets a 301 redirect to the secure version of the page instead of the violation page. The logGlobal uses some non-standard CGI values which would need to be added to @Map in Vend::Server.
>>> 
>>> Thanks for sending that, Angus. You mention that you needed to change something in Vend::Server. Will you please send a patch for that too so we can consider the whole set of changes together?
>> 
>> Sorry about the delay. Please find attached patch which adds script_uri to list (@Map) of environment variables to copy to CGI. This is used to log anytime the bounce happens so we can identify who is sending people to the non-secure page.
> 
> Angus,
> 
> Thanks for sending that last little patch along. That's helpful for seeing what you're after.
> 
> I'm a little confused about exactly what is going on here. The SCRIPT_URI environment variable you're using only exists when Apache's mod_rewrite was in effect for the request, which is far from the only way requests pass through to Interchange.
> 
> That is explained here:
> 
> http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
> 
> I could see the patch making sense if it can use one of the standard environment variables Interchange already has. Is there one that would work, or one of the catalog path configuration variables, or something?


We use mod_rewrite in our installation so I didn't realize others did not have access to SCRIPT_URI. Please find attached a revised patch which does not use script_uri, just the referer. This patch does not require any changes to Vend::Server.

Since users are now being redirected to the correct secure version of the page anyway, it is not terribly important to be able to track down who might be linking to a non-secure version of our page. If for some reason it was important, then it should be possible to use the time the error is logged and the referer to find the offender in the web server logs.

Angus

-------------- next part --------------
A non-text attachment was scrubbed...
Name: VendPageExtraSecurePatchRevised
Type: application/octet-stream
Size: 1632 bytes
Desc: not available
URL: <http://www.icdevgroup.org/pipermail/interchange-users/attachments/20131114/4cc96a4a/attachment.obj>
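
The log correlation mentioned in the last paragraph of the message (error time plus referer, matched against the web server logs), as an added example that is not part of the original post or of Interchange. It assumes the non-secure virtual host writes Apache "combined" format and that the time and referer have already been read from the Interchange error log; the function names and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format; quoted fields may hold backslash-escaped quotes.
_Q = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] ' + _Q + r' (\d{3}) \S+ ' + _Q + ' ' + _Q
)

def parse_access_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if m is None:
        return None
    host, when, request, status, referer, agent = m.groups()
    return {
        "host": host,
        "time": datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z"),
        "request": request, "status": status,
        "referer": referer, "agent": agent,
    }

def find_bounced_requests(access_lines, logged_at, referer, window_seconds=5):
    """Return 301 responses whose Referer equals the logged one and whose
    timestamp lies within window_seconds of the error-log entry."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in access_lines:
        rec = parse_access_line(line)
        if rec is None or rec["status"] != "301":
            continue
        # Referer is client-supplied: treat a match as a lead, not as proof.
        if rec["referer"] == referer and abs(rec["time"] - logged_at) <= window:
            hits.append(rec)
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [14/Nov/2013:17:21:09 +0000] "GET /cgi-bin/store/checkout HTTP/1.1" 301 - "http://partner.example/links.html" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Nov/2013:17:21:10 +0000] "GET /cgi-bin/store/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Nov/2013:17:40:00 +0000] "GET /cgi-bin/store/checkout HTTP/1.1" 301 - "http://partner.example/links.html" "Agent \\"quoted\\""',
]

if __name__ == "__main__":
    logged_at = datetime(2013, 11, 14, 17, 21, 10, tzinfo=timezone.utc)
    for rec in find_bounced_requests(SAMPLE_ACCESS_LOG, logged_at,
                                     "http://partner.example/links.html"):
        print(rec["host"], rec["time"].isoformat(), rec["request"])
```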