lib/RT/Interface/Web.pm::Redirect() broken...?

v 3.6.1 (3.6.1_1 FreeBSD Ports)

Something caught me by surprise… locally I have RT available by SSL
and non SSL - I discourage the use of non-SSL, but don’t stop it…

For debugging purposes only I added a couple of warnings to
lib/RT/Interface/Web.pm::Redirect() the function and results are below…

sub Redirect {
    my $redir_to = shift;
    untie $HTML::Mason::Commands::session;
    my $uri        = URI->new($redir_to);
    my $server_uri = URI->new($RT::WebURL);

    warn("redir_to=$redir_to, WebURL=$RT::WebURL, uri->host="
        . $uri->host . ", server_uri->host=" . $server_uri->host
        . ", uri->port=" . $uri->port
        . ", server_uri->port=" . $server_uri->port);

    # If the user is coming in via a non-canonical
    # hostname, don't redirect them to the canonical host,
    # it will just upset them (and invalidate their credentials)
    if ($uri->host eq $server_uri->host &&
        $uri->port eq $server_uri->port) {
        $uri->host($ENV{'HTTP_HOST'});
        $uri->port($ENV{'SERVER_PORT'});
    }

    warn("Redirecting to:" . $uri->canonical);
    $HTML::Mason::Commands::m->redirect($uri->canonical);
    $HTML::Mason::Commands::m->abort;
}

Logged:

[Wed Dec 13 03:30:54 2006] [warning]:
redir_to=https://rt-dev.sorbs.net:443/Ticket/Display.html?id=136504,
WebURL=https://rt-dev.sorbs.net:443/, uri->host=rt-dev.sorbs.net,
server_uri->host=rt-dev.sorbs.net, uri->port=443, server_uri->port=443
at /usr/local/rt3/lib/RT/Interface/Web.pm line 190.
(/usr/local/rt3/lib/RT/Interface/Web.pm:190)
[Wed Dec 13 03:30:54 2006] [warning]: Redirecting
to:https://rt-dev.sorbs.net:80/Ticket/Display.html?id=136504 at
/usr/local/rt3/lib/RT/Interface/Web.pm line 200.
(/usr/local/rt3/lib/RT/Interface/Web.pm:200)

… I guess the question is why if the server_uri and uri are the same
are we setting uri to the envelope settings? … I’m guessing that it’s
so you redirect back to the server regardless of the config setting…
but if you’re doing that why not pickup the scheme…?

My fix until someone comes up with something better is:

sub Redirect {
    my $redir_to = shift;
    untie $HTML::Mason::Commands::session;
    my $uri        = URI->new($redir_to);
    my $server_uri = URI->new($RT::WebURL);

    # If the user is coming in via a non-canonical
    # hostname, don't redirect them to the canonical host,
    # it will just upset them (and invalidate their credentials)
    if ($uri->host eq $server_uri->host &&
        $uri->port eq $server_uri->port) {
        $uri->host($ENV{'HTTP_HOST'});
        $uri->port($ENV{'SERVER_PORT'});
        $uri->scheme((exists $ENV{'SCRIPT_URI'} &&
            $ENV{'SCRIPT_URI'} =~ /^https:/) ? "https" : "http");
    }

    $HTML::Mason::Commands::m->redirect($uri->canonical);
    $HTML::Mason::Commands::m->abort;
}

Regards,

Mat

Matthew Sullivan wrote:

My fix until someone comes up with something better is:

sub Redirect {
    my $redir_to = shift;
    untie $HTML::Mason::Commands::session;
    my $uri        = URI->new($redir_to);
    my $server_uri = URI->new($RT::WebURL);

    # If the user is coming in via a non-canonical
    # hostname, don't redirect them to the canonical host,
    # it will just upset them (and invalidate their credentials)
    if ($uri->host eq $server_uri->host &&
        $uri->port eq $server_uri->port) {
        $uri->host($ENV{'HTTP_HOST'});
        $uri->port($ENV{'SERVER_PORT'});
        $uri->scheme((exists $ENV{'SCRIPT_URI'} &&
            $ENV{'SCRIPT_URI'} =~ /^https:/) ? "https" : "http");
    }
    $HTML::Mason::Commands::m->redirect($uri->canonical);
    $HTML::Mason::Commands::m->abort;
}

and that still screws up…

suggestions welcome.

/ Mat

How is that screwing up?

------- Original message -------
From: Matthew Sullivan matthew@sorbs.net
Sent: 12/13, 21:40


Jesse Vincent wrote:

How is that screwing up?

ended up with: http://rt.sorbs.net:443/

I’m thinking that the entire rewrite code should be
“turn-offable”(RT_Config.pm var?) … It would work fine if I was
running multiple different servers etc… problem is I’m running one
server on 2 ports, one ssl and one non ssl … (it would also be nice to
tie it into the cookie as well so that the login cookie is valid for
http and https).

Regards,

Mat
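
The rewrite discussed in this thread, replayed outside RT as an added example (not code from the thread or from RT). `rewrite_redirect`, the `rt.example.test` host and the environment hashes are constructed, and the absent `SCRIPT_URI` in the third case is an assumption about one way the reported URL shape can arise, not something the thread confirms.

```perl
#!/usr/bin/perl
# Added example, not RT code: replays the Redirect() rewrite with a
# constructed environment so each variant's output can be compared.
use strict;
use warnings;
use URI;

# Hypothetical helper. $env stands in for %ENV; $fix_scheme selects the
# SCRIPT_URI-based scheme rewrite proposed in the thread.
sub rewrite_redirect {
    my ($redir_to, $web_url, $env, $fix_scheme) = @_;
    my $uri        = URI->new($redir_to);
    my $server_uri = URI->new($web_url);

    if ($uri->host eq $server_uri->host &&
        $uri->port eq $server_uri->port) {
        $uri->host($env->{HTTP_HOST});
        $uri->port($env->{SERVER_PORT});
        if ($fix_scheme) {
            # Same test as the thread's fix: a missing SCRIPT_URI means "http".
            $uri->scheme((exists $env->{SCRIPT_URI} &&
                $env->{SCRIPT_URI} =~ /^https:/) ? 'https' : 'http');
        }
    }
    return $uri->canonical->as_string;
}

my $web_url = 'https://rt.example.test:443/';    # constructed $RT::WebURL
my $target  = $web_url . 'Ticket/Display.html?id=1';
my $host    = 'rt.example.test';

# Constructed cases: [label, environment, use the scheme fix?]
my @cases = (
    [ 'port 80, original code',
      { HTTP_HOST => $host, SERVER_PORT => 80 }, 0 ],
    [ 'port 80, scheme fix, SCRIPT_URI=http',
      { HTTP_HOST => $host, SERVER_PORT => 80,
        SCRIPT_URI => "http://$host/" }, 1 ],
    [ 'port 443, scheme fix, no SCRIPT_URI',
      { HTTP_HOST => $host, SERVER_PORT => 443 }, 1 ],
    [ 'port 443, scheme fix, SCRIPT_URI=https',
      { HTTP_HOST => $host, SERVER_PORT => 443,
        SCRIPT_URI => "https://$host/" }, 1 ],
);

for my $case (@cases) {
    my ($label, $env, $fix) = @$case;
    printf "%-40s %s\n", $label,
        rewrite_redirect($target, $web_url, $env, $fix);
}
```

The first case pairs the configured https scheme with port 80, as in the log earlier in the thread; the third pairs http with port 443. In both, scheme and port are taken from different sources.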

Matthew Sullivan wrote:

Jesse Vincent wrote:

How is that screwing up?

ended up with: http://rt.sorbs.net:443/

I’m thinking that the entire rewrite code should be
“turn-offable”(RT_Config.pm var?) … It would work fine if I was
running multiple different servers etc… problem is I’m running one
server on 2 ports, one ssl and one non ssl … (it would also be nice to
tie it into the cookie as well so that the login cookie is valid for
http and https).

How about this:

— etc/RT_Config.pm.orig Mon Dec 18 21:16:47 2006
+++ etc/RT_Config.pm Mon Dec 18 20:49:04 2006
@@ -357,6 +357,12 @@
Set($WebNoAuthRegex, qr!^(?:/+NoAuth/|
/+REST/\d+.\d+/NoAuth/)!x );

+# $MulitportSupport if you run the RT server on more than one port (eg
if you are
+# running RT both SSL’d and non SSL’d for the same server set this to

  1. this will
    +# stop RT from rewriting the URL upon redirects, default is 0 which
    will rewrite
    +# URLs and allow RT to run on multiple ports.
    +Set($MulitportSupport, 0);

For message boxes, set the entry box width and what type of wrapping

to use.
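
Review bot: the option name is misspelled as `$MulitportSupport` in both the comment and the `Set(...)` line; a config name is hard to rename once sites have set it, so it should be `$MultiportSupport` here and in the two files that read it. The comment is also ambiguous: it says 1 stops the rewrite, then says the default 0 "will rewrite URLs and allow RT to run on multiple ports", which reads as if 0 were the multi-port setting. Suggest one line per value, stating what RT does to the redirect URL and to the session cookie name in each case.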

— share/html/Elements/SetupSessionCookie.orig Mon Dec 18 20:33:16 2006
+++ share/html/Elements/SetupSessionCookie Mon Dec 18 20:36:27 2006
@@ -47,7 +47,7 @@
return if $m->is_subrequest; # avoid reentrancy, as suggested by masonbook

my %cookies = CGI::Cookie->fetch();
-my $cookiename = “RT_SID_”.$RT::rtname.“.”.$ENV{‘SERVER_PORT’};
+my $cookiename = “RT_SID_”.$RT::rtname.“.”.($RT::MulitportSupport ? “”
: $ENV{‘SERVER_PORT’});
my %backends = (
mysql => ‘Apache::Session::MySQL’,
Pg => ‘Apache::Session::Postgres’,
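
Review bot: on the `+my $cookiename` line, dropping `$ENV{'SERVER_PORT'}` from the name means one session cookie serves both ports, so unless the cookie is marked Secure (not visible in this hunk) a session established on the SSL port is also sent on the non-SSL port in the clear. That is the stated intent, but the trade-off belongs in the RT_Config.pm comment so an admin enabling the option knows it. Minor: the name keeps a trailing "." when the port is omitted; moving the "." inside the conditional avoids that.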
— lib/RT/Interface/Web.pm.orig Mon Dec 18 20:42:46 2006
+++ lib/RT/Interface/Web.pm Mon Dec 18 20:42:08 2006
@@ -187,14 +187,18 @@
my $uri = URI->new($redir_to);
my $server_uri = URI->new($RT::WebURL);

  • If the user is coming in via a non-canonical

  • hostname, don’t redirect them to the canonical host,

  • it will just upset them (and invalidate their credentials)

  • if ($uri->host eq $server_uri->host &&
  •    $uri->port eq $server_uri->port) {
    
  •        $uri->host($ENV{'HTTP_HOST'});
    
  •        $uri->port($ENV{'SERVER_PORT'});
    
  •    }
    
  • unless ($RT::MulitportSupport)
  • {
  •    # If the user is coming in via a non-canonical
    
  •    # hostname, don't redirect them to the canonical host,
    
  •    # it will just upset them (and invalidate their credentials)
    
  •    if ($uri->host  eq $server_uri->host &&
    
  •        $uri->port eq $server_uri->port) {
    
  •            $uri->host($ENV{'HTTP_HOST'});
    
  •            $uri->port($ENV{'SERVER_PORT'});
    
  •            $uri->scheme((exists $ENV{'SCRIPT_URI'} && 
    

$ENV{‘SCRIPT_URI’} =~ /^https:/) ? “https” : “http”);

  •        }
    
  • }

    $HTML::Mason::Commands::m->redirect($uri->canonical);
    $HTML::Mason::Commands::m->abort;
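
Review bot: in the `$uri->scheme(...)` line, a request with no `SCRIPT_URI` in the environment falls through to "http", so on the default path (`$RT::MulitportSupport` unset) a request on the SSL port without that variable is redirected with scheme http and the SSL port number. Suggest overriding the scheme only when `SCRIPT_URI` exists and leaving `$uri->scheme` untouched otherwise. This hunk also changes behaviour for sites that leave the option at 0, since the old block never touched the scheme; that is worth a line in the commit message.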

(tested works for me)

Regards

Mat