CMS MADE SIMPLE FORGE

Form Browser

 

[#10027] Partially unencrypted data warning in SSL pages

Created By: Chris Ohmstede (cohmstede)
Date Submitted: Tue Jun 03 04:12:17 -0400 2014

Assigned To: Ryan Foster (RytoEX)
Version: 0.4.2
CMSMS Version: 1.11.10
Severity: Minor
Resolution: Fixed
State: Open
Summary:
Partially unencrypted data warning in SSL pages
Detailed Description:
Hi
Great module.

I'm getting a partially unencrypted data browser warning while using FormBrowser
list view with SSL.

I was able to track the problem down to the images (view.gif, edit.gif,
delete.gif, and newobject.gif). I was also able to fix the problem in both http
and https by changing the image source path to a relative path in
Browser.class.php.  For example:

Original:
<img src="'.$gCms->config['root_url'].'/modules/FormBrowser/images/view.gif"
alt="'.$mod_ptr->Lang('view').'" />

My fix:
<img src="./modules/FormBrowser/images/view.gif"
alt="'.$mod_ptr->Lang('view').'" />

I'm new to all this so I'm not sure if the fix is valid but the partially
unencrypted data warning is gone and everything is working fine for me now.


History

Comments
Date: 2014-06-03 04:16
Posted By: Tapio Löytty (Stikki)

Module is not developed anymore. Look into ListIt Extended.
      
Date: 2016-09-15 07:15
Posted By: Ryan Foster (RytoEX)

After examining the code involved, I've determined that this seems to only
affect the frontend versions of those images.  Image source URLs when on the
admin side are built in a manner similar to what is proposed here - relative
URLs.  I've gone ahead and committed a modified version of the change posted
here as Revision 193 in SVN.  So long as this change doesn't break anything, it
should make it into the next release.

Commit notes:
Some frontend images were using $config['root_url'] to build their 
source URLs. If the frontend user is on a page served over HTTPS, 
but the root_url used HTTP, this could cause those images to not load. 
This did not occur for admin theme images, which had their source URLs 
built differently ($admintheme->DisplayImage). The affected frontend 
images now have their source URLs built in a similar fashion to backend 
image source URLs.

Possible alternate solutions may be:
 * detect whether the page is served as HTTP or HTTPS
 * if $config['ssl_url'] is specified, always use that
 * use protocol-relative URLs

Option one seems like it may be difficult. See 
http://www.paulirish.com/2010/the-protocol-relative-url/ for options two 
and three.
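
The three alternate solutions listed in the commit notes, sketched as an added example that is not part of the original thread and is not FormBrowser or CMSMS code. The helper names `request_is_https` and `frontend_image_src`, the `$trustProxy` switch, and the example.com sample config are assumptions made for illustration; only `root_url`, `ssl_url` and the image path come from the page.

```php
<?php
// Added example: hypothetical helpers, not FormBrowser or CMSMS code.

// Option one: detect whether the current request arrived over HTTPS.
// Assumption: X-Forwarded-Proto is client-controllable, so it is honoured
// only when the site is known to sit behind a proxy that sets it.
function request_is_https(array $server, bool $trustProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    return $trustProxy
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// Options two and three: on a secure request use ssl_url when configured;
// otherwise drop the scheme from root_url so the browser reuses the page's
// own scheme (protocol-relative URL) and never requests http:// from https://.
function frontend_image_src(array $config, array $server, string $file): string
{
    if (request_is_https($server) && !empty($config['ssl_url'])) {
        $base = $config['ssl_url'];
    } else {
        $base = preg_replace('#^https?:#i', '', $config['root_url']);
    }
    $src = rtrim($base, '/') . '/modules/FormBrowser/images/' . rawurlencode($file);

    // Escape for use inside an HTML attribute.
    return htmlspecialchars($src, ENT_QUOTES, 'UTF-8');
}

// Constructed sample configuration and request environments.
$config = [
    'root_url' => 'http://www.example.com',
    'ssl_url'  => 'https://www.example.com',
];
$httpsRequest = ['HTTPS' => 'on', 'SERVER_PORT' => '443'];
$httpRequest  = ['SERVER_PORT' => '80'];

echo frontend_image_src($config, $httpsRequest, 'view.gif'), "\n";
echo frontend_image_src($config, $httpRequest, 'view.gif'), "\n";

unset($config['ssl_url']); // no ssl_url configured: protocol-relative fallback
echo frontend_image_src($config, $httpsRequest, 'edit.gif'), "\n";
```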
      
Updates

Updated: 2016-09-15 07:15
resolution_id: 8 => 7
assigned_to_id: 100 => 13490

Updated: 2014-06-03 04:16
resolution_id: 5 => 8

Updated: 2014-06-03 04:13
version_id: -1 => 29691
resolution_id: => 5