[Pmwiki-users] Easily Hackable?

H. Fox haganfox
Mon Apr 12 14:37:52 CDT 2004


Patrick R. Michaud wrote:
> On Mon, Apr 12, 2004 at 12:20:06AM -0700, H. Fox wrote:
> 
>>H. Fox wrote:
>>
>>>Not necessarily.  If PmWiki doesn't have a "force into SSL mode" feature 
>>>now, I'm sure it could be added in the future.  ;)
>>
>>I'm having success forcing PmWiki into SSL mode using the following:
>>
>>##  Force into SSL mode.
>>$ScriptUrl = ereg_replace('http:','https:', $ScriptUrl);
>>$PubDirUrl = ereg_replace('http:','https:', $PubDirUrl);
>>if ($_SERVER['SERVER_PORT'] != 443) header('location:'.$ScriptUrl);
> 
> Slightly better might be:
> 
>     # Force to SSL mode
>     $ScriptUrl = str_replace('http:','https:',$ScriptUrl);
>     $PubDirUrl = str_replace('http:','https:',$PubDirUrl);
>     if (!@$_SERVER['HTTPS']) { header("Location: $ScriptUrl"); exit(); }

That does look better.  How about using

if (!@$_SERVER['HTTPS']) { header('Location: '.$ScriptUrl.'/'.$pagename); exit(); }

for the last line?  I added ".'/'.$pagename" because otherwise if the 
HTTP URL referred to a WikiPage the redirect went to the default 
HomePage rather than the WikiPage-over-SSL.  Would using 
".'?pagename='.$pagename" instead be more compatible?  Both work, but 
the first produces a cleaner-looking URL.

(My original version tested for $_SERVER['SERVER_PORT'] rather than 
$_SERVER['HTTPS'] because I saw the note about "environment variables 
that in some cases may not be provided by the web server" on the 
SquirrelMail plugin page referenced in the earlier posting.  Either way 
is effective on my server.)

> Note that this is highly server dependent--for example, on my webhosting
> provider, the SSL version of http://www.pmichaud.com/wiki/PmWiki/PmWiki
> is https://secure27.vosn.net/~pmichaud/wiki/PmWiki/PmWiki  -- i.e., just
> changing 'http:' to 'https:' in URLs on my web hosting service isn't
> sufficient.  For this reason I usually just set $ScriptUrl and
> $PubDirUrl explicitly rather than using str_replace or ereg_replace:
> 
>    $ScriptUrl = 'https://secure27.vosn.net/~pmichaud/wiki';
> 
> Note also that serving content through SSL can significantly increase
> server loads.  It's often a good idea to use SSL judiciously--to only
> use SSL on those pages that really need to be protected in transit.
> This is also why commercial sites such as Amazon don't use SSL for
> the entire session, but only for those portions where sensitive
> personal information such as credit card numbers or addresses are
> being transmitted over the wires.

You could use the same code "in reverse" to force HTTP instead of HTTPS, 
but using SSL only for certain sensitive pages would mean having two 
possible values for $ScriptUrl, one for HTTP pages and one for HTTPS 
pages.  Could SSL-mode[on|off] somehow be made an attribute of a page or 
WikiGroup?  (I don't need this right now.  Just wondering...)

Hagan
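As an added example (not code from this thread or from PmWiki itself), the sketch below puts the pieces of the discussion together: explicit HTTP and HTTPS base URLs rather than a string substitution, HTTPS detection that falls back to the port when $_SERVER['HTTPS'] is absent, a redirect that keeps the requested page, and SSL required only for selected WikiGroups. It assumes PmWiki page names have the form "Group.Name"; the group names and URLs are constructed sample values.

```php
<?php
// Added example, not part of the original post or of PmWiki.
// Assumption: page names are "Group.Name"; $httpUrl/$httpsUrl are set
// explicitly in config.php (the HTTPS host may differ from the HTTP one).

function request_is_https(array $server) {
    // $_SERVER['HTTPS'] is the usual signal, but some servers omit it
    // (and IIS sets the string "off"), so fall back to the port.
    if (isset($server['HTTPS']) && $server['HTTPS'] !== ''
        && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int)$server['SERVER_PORT'] === 443;
}

function page_needs_ssl($pagename, array $sslGroups) {
    // The group is the part of "Group.Name" before the first dot;
    // a bare name has no group and is treated as not needing SSL.
    $dot = strpos($pagename, '.');
    if ($dot === false) return false;
    return in_array(substr($pagename, 0, $dot), $sslGroups, true);
}

function ssl_redirect_target($pagename, array $server, $httpUrl, $httpsUrl,
                             array $sslGroups) {
    // Returns the URL to redirect to, or null when the scheme already fits.
    // The Location is built only from the configured base URLs and the page
    // name, never from the Host header or the raw request URI.
    $isHttps   = request_is_https($server);
    $wantHttps = page_needs_ssl($pagename, $sslGroups);
    if ($isHttps === $wantHttps) return null;
    $base = $wantHttps ? $httpsUrl : $httpUrl;
    return $base . '/' . rawurlencode($pagename);   // keeps "Group.Name" intact
}

// Constructed sample request: plain HTTP hit on a page in a protected group.
$sslGroups = array('Profiles', 'Site');            // assumed group names
$server    = array('HTTPS' => '', 'SERVER_PORT' => '80');
$target    = ssl_redirect_target('Profiles.Hagan', $server,
               'http://www.example.com/wiki', 'https://secure.example.com/wiki',
               $sslGroups);
// -> https://secure.example.com/wiki/Profiles.Hagan
if ($target !== null) { header('Location: ' . $target); exit(); }
```

Running the same check with $server['HTTPS'] set to 'on' for a page outside $sslGroups yields the HTTP base URL instead, which is the "in reverse" case mentioned above.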
