opendcim / openDCIM

An open source (GPL v3) Data Center Inventory Management (DCIM) application.
http://opendcim.org

Device delete and Device add not using HTTP_HOST (HTTPS_HOST) #1048

Open dmbanke opened 6 years ago

dmbanke commented 6 years ago

Direction to the proper Host and Port works except in the case of deleting a device or adding a new device in a non default Host and Port install. In these two cases you move from your current instance of openDCIM to the default port instance (80/443).

wilpig commented 6 years ago

Steps to recreate problem?

dmbanke commented 6 years ago

To recreate the problem you need to create two instances of openDCIM that answer to different ports in Apache. We have one site on port 80 and the second site on 8080. When in the port 80 site everything works correctly. When in the port 8080 site we have found that the Delete Device and Add Device actions drop you back to the port 80 site instead of staying in the 8080 site. We colour coded the banners of the two sites so you know visually that you have changed openDCIM instances.

wilpig commented 6 years ago

I don't know that this can be fixed. Below here I have put in what we have available in the _SERVER php variable for making redirects. To make a valid redirect we need <http(s)>:///. Technically speaking we have the port available that the server is running on, however I think that many people run this behind a proxy or load balancer and might not have the server side on 443 even though the client is. So we would need to collect information about the client target from the client via JS or something that is client facing that we could then pass to the backend to make a better target. The trouble with that is it would be extremely easy to abuse that for cross site script injection attacks.

(
    [UNIQUE_ID] => WyqlvZCGoZz83-eZFdhPKAAAAAA
    [PERL5LIB] => /usr/share/awstats/lib:/usr/share/awstats/plugins
    [HTTPS] => on
    [SSL_TLS_SNI] => dev.opendcim.org
    [HTTP_HOST] => dev.opendcim.org
    [HTTP_USER_AGENT] => Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:59.0) Gecko/20100101 Firefox/59.0
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5
    [HTTP_ACCEPT_ENCODING] => gzip, deflate, br
    [HTTP_COOKIE] => layout=Landscape; devlabels=show; cabpics=show; PHPSESSID=oj4c6uhgp7c12dbvfhe8qcp9a5
    [HTTP_CONNECTION] => keep-alive
    [HTTP_UPGRADE_INSECURE_REQUESTS] => 1
    [HTTP_CACHE_CONTROL] => max-age=0
    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
    [SERVER_SIGNATURE] => 
    [SERVER_SOFTWARE] => Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
    [SERVER_NAME] => dev.opendcim.org
    [SERVER_ADDR] => 10.0.0.253
    [SERVER_PORT] => 443
    [REMOTE_ADDR] => 10.0.0.16
    [DOCUMENT_ROOT] => /home/wilpig.com/openDCIM/
    [REQUEST_SCHEME] => https
    [CONTEXT_PREFIX] => 
    [CONTEXT_DOCUMENT_ROOT] => /home/wilpig.com/openDCIM/
    [SERVER_ADMIN] => root@localhost
    [SCRIPT_FILENAME] => /home/wilpig.com/openDCIM/test.php
    [REMOTE_PORT] => 52052
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] => 
    [REQUEST_URI] => /test.php
    [SCRIPT_NAME] => /test.php
    [PHP_SELF] => /test.php
    [REQUEST_TIME_FLOAT] => 1529521597.978
    [REQUEST_TIME] => 1529521597
)

wilpig commented 6 years ago

I'm going to suggest we add an optional configuration option of a server url to use for redirects and if it is set we will use that in the redirect function, if not we'll use the current function as is and attempt to auto detect it.
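The redirect helper the two wilpig comments above describe, as an added example that is not openDCIM's code: a configured base URL wins, otherwise the URL is assembled from $_SERVER, and the client-supplied HTTP_HOST (which, unlike SERVER_NAME, keeps a non-default port such as :8080) is used only when its hostname matches SERVER_NAME, so a forged Host header cannot steer the redirect. The function name, the $configured parameter, and the sample arrays and hostnames (dcim.example.com, attacker.example) are assumptions.

```php
<?php
// Added example (not openDCIM code). Builds the base URL for a redirect: a configured
// value wins; otherwise $_SERVER is used and HTTP_HOST is trusted only if it names SERVER_NAME.
function redirect_base_url(array $server, $configured = null)
{
    // 1. Explicit configuration (the option proposed in the thread).
    if ($configured !== null && $configured !== '') {
        $p = parse_url($configured);
        if ($p === false || !isset($p['scheme'], $p['host'])
            || !in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
            throw new InvalidArgumentException('redirect URL must be http(s)://host[:port]');
        }
        return rtrim($configured, '/');
    }
    // 2. Auto-detect. Scheme from HTTPS / REQUEST_SCHEME, port from SERVER_PORT.
    $https = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || (isset($server['REQUEST_SCHEME']) && $server['REQUEST_SCHEME'] === 'https');
    $scheme  = $https ? 'https' : 'http';
    $default = $https ? 443 : 80;
    $port    = isset($server['SERVER_PORT']) ? (int) $server['SERVER_PORT'] : $default;
    $canon   = isset($server['SERVER_NAME']) ? strtolower($server['SERVER_NAME']) : '';
    // HTTP_HOST is what the client asked for, so it still carries a non-default port
    // ("host:8080"); it is also attacker-controlled, so accept it only as host[:port] of SERVER_NAME.
    $hostHdr = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';
    $parts   = parse_url('//' . $hostHdr);
    if (preg_match('/^[A-Za-z0-9.-]+(:\d{1,5})?$/', $hostHdr)
        && $parts !== false && isset($parts['host'])
        && strtolower($parts['host']) === $canon) {
        $host = $parts['host'];
        if (isset($parts['port'])) {
            $port = (int) $parts['port'];
        }
    } else {
        $host = $canon;   // fall back to the server-side values
    }
    return $scheme . '://' . $host . ($port === $default ? '' : ':' . $port);
}

// Constructed inputs modelled on the _SERVER dump above (not real requests).
$srv = array('HTTPS' => 'on', 'REQUEST_SCHEME' => 'https', 'SERVER_NAME' => 'dev.opendcim.org',
             'SERVER_PORT' => '443', 'HTTP_HOST' => 'dev.opendcim.org');
echo redirect_base_url($srv), "\n";
$srv = array('HTTPS' => 'off', 'REQUEST_SCHEME' => 'http', 'SERVER_NAME' => 'dev.opendcim.org',
             'SERVER_PORT' => '8080', 'HTTP_HOST' => 'dev.opendcim.org:8080');
echo redirect_base_url($srv), "\n";             // the port-8080 instance from the report
$srv['HTTP_HOST'] = 'attacker.example:8080';
echo redirect_base_url($srv), "\n";             // forged Host header is ignored
echo redirect_base_url($srv, 'https://dcim.example.com/'), "\n";
```

On Apache the SERVER_NAME comparison only adds protection when ServerName is set and UseCanonicalName is On; with the default Off, SERVER_NAME is itself derived from the client's Host header, which is one more reason to prefer the configured URL.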