This repository has been archived by the owner on Sep 14, 2022. It is now read-only.

Increase Infinite Redirect Protection (MWF 1.2) #135

Closed
ebollens opened this issue Apr 15, 2012 · 7 comments

@ebollens
Contributor

While passthru.php was patched in MWF 1.2.14 and is ready for MWF 1.3 (see #133), we extended the fix slightly at UCLA. The reason is that, in addition to passthru.php, there's also reload logic in server.js. The addition that can be made is as follows:

Formerly:

    if(this.mustReload && !mwf.override.isRedirecting){
        document.location.reload();
    }else if(this.mustRedirect && !mwf.override.isRedirecting){
        window.location = site.asset.root+'/passthru.php?return='+encodeURIComponent(win
    }

The fix:

    if(this.mustReload && !mwf.override.isRedirecting){
        // Reload through window.location with a no_server_init marker
        // appended, instead of calling document.location.reload().
        var loc = window.location.href;
        if(loc.indexOf('?') == -1) loc += "?";
        if(loc.indexOf('?') < loc.length-1) loc += "&";
        loc += "no_server_init";
        window.location = loc;
    }else if(this.mustRedirect && !mwf.override.isRedirecting){
        window.location = site.asset.root+'/passthru.php?return='+encodeURIComponent(win
    }
@ghost ghost assigned ebollens Apr 15, 2012
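
An added example, not code from this thread or from MWF: a stand-alone version of the marker-append reload that also handles URLs with a `#fragment` and URLs that already carry the marker, which goes beyond the snippet posted above. Only `no_server_init` comes from the issue; the function names, the `example.edu` URLs, and the rule that a page seeing the marker does not reload again are assumptions.

```javascript
const MARKER = 'no_server_init'; // marker name taken from the issue

// True when the query string (not the fragment) already carries the marker.
function hasMarker(href) {
  const noFrag = href.split('#')[0];
  const q = noFrag.indexOf('?');
  if (q === -1) return false;
  return noFrag.slice(q + 1).split('&')
    .some(p => p === MARKER || p.startsWith(MARKER + '='));
}

// Append the marker exactly once, inside the query and before any #fragment.
function withMarker(href) {
  if (hasMarker(href)) return href;
  const hashAt = href.indexOf('#');
  const base = hashAt === -1 ? href : href.slice(0, hashAt);
  const frag = hashAt === -1 ? '' : href.slice(hashAt);
  let sep = '&';
  if (base.indexOf('?') === -1) sep = '?';
  else if (base.endsWith('?') || base.endsWith('&')) sep = '';
  return base + sep + MARKER + frag;
}

// Next navigation target, or null to stay put.
// Assumption: a page that already carries the marker must not reload again.
function nextLocation(href, mustReload) {
  if (!mustReload || hasMarker(href)) return null;
  return withMarker(href);
}

// Simulate a client whose cookies never stick, so mustReload stays true,
// and count navigations until the page settles (capped at maxHops).
function hopsUntilStable(startHref, maxHops = 20) {
  let href = startHref;
  let hops = 0;
  while (hops < maxHops) {
    const next = nextLocation(href, true);
    if (next === null) break;
    href = next;
    hops += 1;
  }
  return { href, hops };
}
```

With the guard in place the cookie-less client settles after one navigation; a reload that leaves the URL unchanged gives the page nothing to detect that it has already tried.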
@Trott
Contributor

Trott commented Apr 15, 2012

Heh. Last night, I was trying to write a test for the fix you already did. I stumbled on this issue and have been working on devising a real-world situation where it is tripped. I think a transparent proxy that disallows cookies will trip it, but I don't know how common that is. (Installing squid right now to see if I can trip it.)

@ebollens
Contributor Author

Let me know if you can trigger the issue. If I just had one of those BlackBerrys that have been causing us so many problems, I suspect it would be as easy as querying the URL ;)

@ebollens
Contributor Author

The proposed solution is in. This simply extends the solution for the known issue with passthru.php by doing a reload with window.location instead of calling reload on document.

@ebollens
Contributor Author

Reopening because there's a bug in this.

@ebollens
Contributor Author

Merged the portion that didn't carry over from my fix to UCLA Mobile.

@Trott
Contributor

Trott commented Apr 15, 2012

Here's how to trigger. This is a crazy edge case, I'm sure. But killing one crazy edge case we know about probably kills a dozen others we haven't even thought of.

  1. Install a transparent proxy. I use SquidMan to install squid on my Mac.
  2. Turn off caching in squid by adding this to squid.conf (or to the Template in SquidMan): cache deny all
  3. Allow sites to set cookies, but don't pass them on to the client by adding request_header_access Cookie deny all
  4. Restart squid
  5. Set your browser to use squid. (On an iPhone, it's Settings, Wi-Fi, then click the blue arrow-like thing that indicates other settings available for the network you are on, go to HTTP Proxy, Manual tab, and enter the IP and Port for your squid server. SquidMan default port is 8080.)
  6. Be sure to delete any existing cookies in your browser that might affect testing.
  7. Browse to an MWF site without your fix. Infinite redirect loop.
  8. Browse to a site with your fix, all is well.

I have a Cucumber test that I can commit that more-or-less does this in PHP and JS code without squid. Will commit shortly.

@ebollens
Contributor Author

Does this solve the issue? Make sure to pull both commits since the first was partial only.

