269012 - SSL should be added to protect admin authentication

Status: RESOLVED FIXED

(Webtools :: Bouncer, defect)

Description

[Michael Morgan [:morgamic]]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041102 Firefox/1.0RC1 (Debian package 0.99+1.0RC1-3)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041102 Firefox/1.0RC1 (Debian package 0.99+1.0RC1-3)

Right now SSL is not enabled on DMO.  It should be enabled for all admin tools
(or at least for login.php).

Reproducible: Always
Steps to Reproduce:

Comment 1

[Michael Morgan [:morgamic]]

This is a bit old, but we will need it.  Will add LDAP soon and will require it anyway.  Would be nice to uh fix this.  :)

Comment 2

[Michael Morgan [:morgamic]]

I will reassign to IT after the LDAP patch has landed.

Comment 3

[Michael Morgan [:morgamic]]

(In reply to comment #2)
> I will reassign to IT after the LDAP patch has landed.
Actually it would be better to fix this sooner than later -- it has to be in place BEFORE LDAP anyway -- so reassigning to IT.

Comment 4

[Reed Loden [:reed]]

https://download.mozilla.org/admin/login.php loads for me, so I think bouncer is redirecting users that go to https://download.mozilla.org/admin/ to the non-ssl http version. I remember specifically asking mrz to make sure https worked for download.m.o. Bouncer should probably be configured to use the https version of the URL. I'm not sure if this would require a code change or just a config change.

Comment 5

[chizu]

I've made the config change for this. Redirect in php/cfg/admin_init.php changed from http to https.

Comment 6

[Michael Morgan [:morgamic]]

Thanks guys -- I will mess w/ templates over the next week to fix the broken padlock.  It's pulling from non-SSL mozilla.org for some of the images.

Comment 7

[Reed Loden [:reed]]

Attachment: patch - v1

Use https:// instead of http:// for admin links, use https://www.mozilla.org for stylesheets, update some old code from years ago, and other stuff.

Comment 8

[Michael Morgan [:morgamic]]

Comment on attachment 280206 [details] [diff] [review]
patch - v1

Should replace https/http w/ a config constant so it can work on test boxes w/ out SSL.

Comment 9

[Reed Loden [:reed]]

Attachment: patch - v2

Create and use a "PROTOCOL" config option. SSL is only used for the admin and CSS stylesheets if PROTOCOL is set to https. https is the default for security reasons.

Comment 10

[Michael Morgan [:morgamic]]

Comment on attachment 280431 [details] [diff] [review]
patch - v2

Looks good -- thanks Reed.  I will file a bug to get it pushed tomorrow night.  Will have to make sure we add PROTOCOL to the local config.

Comment 11

[Michael Morgan [:morgamic]]

This means I will file it & I will handle it.  There are other bouncer changes we don't want to push.

Comment 12

[Reed Loden [:reed]]

Uh, why did you assign this bug to yourself?

Comment 13

[Michael Morgan [:morgamic]]

Do I need to start Bugzilla Anonymous?

Comment 14

[Jeremy Orem [:oremj]]

Sending        php/admin/index.php
Sending        php/admin/locations.php
Sending        php/admin/login.php
Sending        php/admin/logout.php
Sending        php/admin/os.php
Sending        php/admin/products.php
Sending        php/admin/regions.php
Sending        php/admin/users.php
Sending        php/cfg/admin_init.php
Sending        php/cfg/config-dist.php
Sending        php/inc/footer.php
Sending        php/inc/header.php
Sending        php/mozilla.js
Transmitting file data .............
Committed revision 11289.

Comment 15

[Reed Loden [:reed]]

Just need this tagged for production now...