ucla-oarc-mobile / mwf

UCLA Mobile Web Framework
http://mwf.ucla.edu

Increase Infinite Redirect Protection (MWF 1.2) #135

Closed ebollens closed 12 years ago

ebollens commented 12 years ago

While passthru.php was patched in MWF 1.2.14 and is ready for MWF 1.3 (see #133), we extended the fix slightly at UCLA. The reason is that, in addition to passthru.php, there's also reload logic in server.js. The addition that can be made is as follows:

Formerly:

         if(this.mustReload && !mwf.override.isRedirecting){
             document.location.reload();
         }else if(this.mustRedirect && !mwf.override.isRedirecting){
             window.location = site.asset.root+'/passthru.php?return='+encodeURIComponent(win
         }

The fix:

         if(this.mustReload && !mwf.override.isRedirecting){
             // Navigate to the same URL with a no_server_init marker appended
             // instead of calling document.location.reload().
             var loc = window.location.href;
             if(loc.indexOf('?') == -1) loc += "?";
             if(loc.indexOf('?') < loc.length-1) loc += "&";
             loc += "no_server_init";
             window.location = loc;
         }else if(this.mustRedirect && !mwf.override.isRedirecting){
             window.location = site.asset.root+'/passthru.php?return='+encodeURIComponent(win
         }

Trott commented 12 years ago

Heh. Last night, I was trying to write a test for the fix you already did. I stumbled on this issue and have been working on devising a real-world situation where it is tripped. I think a transparent proxy that disallows cookies will trip it, but I don't know how common that is. (Installing squid right now to see if I can trip it.)

ebollens commented 12 years ago

Let me know if you can trigger the issue. If I just had one of those BlackBerrys that have been causing us so many problems, I suspect it would be as easy as querying the URL ;)

ebollens commented 12 years ago

The proposed solution is in. This simply extends the solution for the known issue with passthru.php by doing a reload with window.location instead of calling reload on document.

ebollens commented 12 years ago

Reopening because there's a bug in this.

ebollens commented 12 years ago

Merged the portion that didn't carry over from my fix to UCLA Mobile.

Trott commented 12 years ago

Here's how to trigger. This is a crazy edge case, I'm sure. But killing one crazy edge case we know about probably kills a dozen others we haven't even thought of.

  1. Install a transparent proxy. I use SquidMan to install squid on my Mac.
  2. Turn off caching in squid by adding this to squid.conf (or to the Template in SquidMan): cache deny all
  3. Allow sites to set cookies, but don't pass them on to the client by adding request_header_access Cookie deny all
  4. Restart squid
  5. Set your browser to use squid. (On an iPhone, it's Settings, Wi-Fi, then click the blue arrow-like thing that indicates other settings available for the network you are on, go to HTTP Proxy, Manual tab, and enter the IP and Port for your squid server. SquidMan default port is 8080.)
  6. Be sure to delete any existing cookies in your browser that might affect testing.
  7. Browse to an MWF site without your fix. Infinite redirect loop.
  8. Browse to a site with your fix, all is well.

I have a Cucumber test that I can commit that more-or-less does this in PHP and JS code without squid. Will commit shortly.
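As an added example (not code from MWF or from either commenter), the following JavaScript models the reload loop that the squid setup above triggers and the URL-marker fix from the opening comment. The function names, the cookie name `mwf_cookie` and the one-line server rule are assumptions made for the model; `buildReloadUrl` goes one step beyond the patch by preserving a `#fragment` after the appended marker.

```javascript
// Added example, not MWF project code. It models the loop reproduced with a
// cookie-stripping squid proxy and the no_server_init marker fix. Function
// names, the cookie name 'mwf_cookie' and the server rule are assumptions.

// Append a marker parameter to a URL using the three cases the fix handles
// (no query string, a bare trailing '?', an existing query string). Unlike the
// patch, any '#fragment' is kept after the marker rather than swallowed by it.
function buildReloadUrl(href, flag) {
  var hashAt = href.indexOf('#');
  var hash = hashAt === -1 ? '' : href.slice(hashAt);
  var loc = hashAt === -1 ? href : href.slice(0, hashAt);
  if (loc.indexOf('?') === -1) loc += '?';
  if (loc.indexOf('?') < loc.length - 1) loc += '&';
  return loc + flag + hash;
}

// Toy server rule (assumed): a first visit sets a cookie and asks for a
// reload; a visit that presents the cookie, or that carries the marker in
// its URL, is served without a reload.
function serverDecision(url, presentedCookies) {
  if (url.indexOf('no_server_init') !== -1) {
    return { mustReload: false, setCookie: false };
  }
  if (presentedCookies.mwf_cookie) {
    return { mustReload: false, setCookie: false };
  }
  return { mustReload: true, setCookie: true };
}

// Drive page loads until the server stops asking for a reload. A proxy that
// strips the Cookie request header lets the browser keep the cookie but the
// server never sees it, so the old document.location.reload() path (same URL
// every time) only ends when the load cap is hit: the infinite-redirect
// symptom. With the marker appended, the second load terminates.
function simulateVisits(startUrl, proxyStripsCookieHeader, useUrlMarker, maxLoads) {
  var url = startUrl;
  var cookieJar = {};
  var loads = 0;
  while (loads < maxLoads) {
    loads++;
    var presented = proxyStripsCookieHeader ? {} : cookieJar;
    var decision = serverDecision(url, presented);
    if (decision.setCookie) cookieJar.mwf_cookie = '1';
    if (!decision.mustReload) {
      return { loads: loads, looped: false, finalUrl: url };
    }
    // reload() re-requests the same URL; the fix navigates to the URL with
    // the marker appended instead.
    if (useUrlMarker) url = buildReloadUrl(url, 'no_server_init');
  }
  return { loads: loads, looped: true, finalUrl: url };
}

// Usage: the three situations the thread discusses.
console.log(simulateVisits('http://m.example.edu/', false, false, 10)); // cookies pass: 2 loads
console.log(simulateVisits('http://m.example.edu/', true, false, 10));  // header stripped, old code: hits the cap
console.log(simulateVisits('http://m.example.edu/', true, true, 10));   // header stripped, fix: 2 loads
```

The `maxLoads` cap is what turns "infinite" into something a test can assert on; a Cucumber or unit test of the real `server.js` path needs the same kind of bound, since an unbounded loop only shows up as a hung browser.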

ebollens commented 12 years ago

Does this solve the issue? Make sure to pull both commits since the first was partial only.

On Apr 15, 2012, at 10:41 AM, "Trott" reply@reply.github.com wrote: