add and use cgiurl_abs_samescheme

* emailauth: Fix cookie problem when user is on https and the cgiurl
   uses http, by making the emailed login link use https.
 * passwordauth: Use https for emailed password reset link when user
   is on https.

Not entirely happy with this approach, but I don't currently see a
better one.

I have not verified that the passwordauth change fixes any problem,
other than the user getting a http link when they were using https.
The emailauth problem is verified fixed by this commit.

This commit was sponsored by Michael Magin.
master
Joey Hess 2018-01-05 11:40:18 -04:00
parent 71064e3af6
commit a79ab9ed18
No known key found for this signature in database
GPG Key ID: DB12DB0FF05F8F38
5 changed files with 42 additions and 5 deletions

View File

@ -1232,6 +1232,19 @@ sub cgiurl_abs (@) {
URI->new_abs(cgiurl(@_), $config{cgiurl}); URI->new_abs(cgiurl(@_), $config{cgiurl});
} }
# Same as cgiurl_abs, but when the user connected using https,
# will be a https url even if the cgiurl is normally a http url.
#
# This should be used for anything involving emailing a login link,
# because a https session cookie will not be sent over http.
sub cgiurl_abs_samescheme (@) {
my $u=cgiurl_abs(@_);
if (($ENV{HTTPS} && lc $ENV{HTTPS} ne "off")) {
$u=~s/^http:/https:/i;
}
return $u
}
sub baseurl (;$) { sub baseurl (;$) {
my $page=shift; my $page=shift;

View File

@ -76,7 +76,7 @@ sub email_auth ($$$$) {
$template->param( $template->param(
wikiname => $config{wikiname}, wikiname => $config{wikiname},
# Intentionally using short field names to keep link short. # Intentionally using short field names to keep link short.
authurl => IkiWiki::cgiurl_abs( authurl => IkiWiki::cgiurl_abs_samescheme(
'e' => $email, 'e' => $email,
'v' => $token, 'v' => $token,
), ),

View File

@ -358,7 +358,7 @@ sub formbuilder (@) {
my $template=template("passwordmail.tmpl"); my $template=template("passwordmail.tmpl");
$template->param( $template->param(
user_name => $user_name, user_name => $user_name,
passwordurl => IkiWiki::cgiurl_abs( passwordurl => IkiWiki::cgiurl_abs_samescheme(
'do' => "reset", 'do' => "reset",
'name' => $user_name, 'name' => $user_name,
'token' => $token, 'token' => $token,

4
debian/changelog vendored
View File

@ -1,5 +1,9 @@
ikiwiki (3.20171002) UNRELEASED; urgency=medium ikiwiki (3.20171002) UNRELEASED; urgency=medium
* emailauth: Fix cookie problem when user is on https and the cgiurl
uses http, by making the emailed login link use https.
* passwordauth: Use https for emailed password reset link when user
is on https.
* Updated German basewiki and directives translation from * Updated German basewiki and directives translation from
Sebastian Kuhnert. Sebastian Kuhnert.

View File

@ -18,10 +18,21 @@ firefox-esr, or chromium. --[[Joey]]
> Ok, to reproduce the problem: Log into joeyh.name using https. The email > Ok, to reproduce the problem: Log into joeyh.name using https. The email
> login link is a http link. The session cookie was set https-only. > login link is a http link. The session cookie was set https-only.
> --[[Joey]] > --[[Joey]]
>
> The reason the edit form is able to be displayed is that emailauth
> sets up a session, in getsession(), and that $session is used for the
> remainder of that cgi call. But, a cookie for that session is not stored
> in the browser in this case. Ikiwiki *does* send a session cookie, but
> the browser seems to not let an existing https-only session cookie be
> replaced by a new session cookie that can be used with http. (If the
> emailed link, generated on https is opened in a different browser, this
> problem doesn't happen.) There may have been a browser behavior change
> here?
>
> So what to do about this? Sites with the problem have `redirect_to_https: 0` > So what to do about this? Sites with the problem have `redirect_to_https: 0`
> and the cgiurl is http not https. So when emailauth generates the url, > and the cgiurl is http not https. So when emailauth generates the url
> it's a http url, even if the user got to that point using https. > with `cgiurl_abs`, it's a http url, even if the user got to that point
> using https.
> >
> I suppose that emailauth could look at `$ENV{HTTPS}` same as > I suppose that emailauth could look at `$ENV{HTTPS}` same as
> printheader() does, to detect this case, and rewrite the cgiurl as a > printheader() does, to detect this case, and rewrite the cgiurl as a
@ -31,3 +42,12 @@ firefox-esr, or chromium. --[[Joey]]
> >
> Of course, the easy workaround, increasingly a good idea anyway, is to > Of course, the easy workaround, increasingly a good idea anyway, is to
> enable `redirect_to_https`.. --[[Joey]] > enable `redirect_to_https`.. --[[Joey]]
> One of the users also reported a problem with password reset, and
> indeed, passwordauth is another caller of `cgiurl_abs`. (The only other
> caller, notifyemail, is probably fine.) The emailed password reset link
> also should be https if the user was using https. So, let's add a
> `cgiurl_abs_samescheme` that both can use. --[[Joey]]
[[fixed|done]].. At least I hope that was the thing actually preventing most
of the people from logging in. --[[Joey]]