Commit 1dca386

Use javascript for redirection to https
The current approach is broken since whitelisting is active in url.php and also allows potential bbcode injection.

Signed-off-by: Michal Čihař <michal@cihar.com>
1 parent 6e07862 commit 1dca386

1 file changed, +12 -15 lines changed

Diff for: setup/frames/index.inc.php

@@ -73,21 +73,18 @@
7373
. 'sensitive information, like passwords) is transferred unencrypted!'
7474
);
7575

76-
if (!empty($_SERVER['REQUEST_URI']) && !empty($_SERVER['HTTP_HOST'])) {
77-
$link = htmlspecialchars(
78-
'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']
79-
);
80-
$text .= ' ';
81-
$text .= PMA_sanitize(
82-
sprintf(
83-
__(
84-
'If your server is also configured to accept HTTPS requests '
85-
. 'follow [a@%s]this link[/a] to use a secure connection.'
86-
),
87-
$link
88-
)
89-
);
90-
}
76+
$text .= ' <a href="#" onclick="window.location.href = \'https:\' + window.location.href.substring(window.location.protocol.length);">';
77+
78+
// Temporary workaround to use tranlated message in older releases
79+
$text .= str_replace(
80+
array('[a@%s]', '[/a]'),
81+
array('', ''),
82+
__(
83+
'If your server is also configured to accept HTTPS requests '
84+
. 'follow [a@%s]this link[/a] to use a secure connection.'
85+
)
86+
);
87+
$text .= '</a>';
9188
PMA_messagesSet('notice', 'no_https', __('Insecure connection'), $text);
9289
}
9390
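
Review bot: on new lines 79-86 the result of __() is appended to $text after str_replace() only strips the [a@%s] and [/a] markers, so the translated message no longer passes through PMA_sanitize() and reaches the page next to the raw <a> markup with no escaping; wrapping the str_replace() result in htmlspecialchars() would keep a translation from contributing HTML. On new line 76 the anchor uses href="#" and the onclick handler does not end with return false;, so the browser still follows the "#" target after the handler runs, and the link does nothing when JavaScript is disabled or inline handlers are blocked; returning false from the handler and leaving a plain-text hint for the no-script case would cover both. The comment on new line 78 misspells "translated" as "tranlated".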
