Bug 748665 (Closed)
Opened 13 years ago
Closed 13 years ago
only permit http->https redirects for GET/HEAD requests to bid:80/tcp
Categories: Cloud Services :: Operations: Deployment Requests - DEPRECATED, task
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: Atoll, Assigned: petef
Details: Whiteboard: [qa+]
Currently, we rewrite http: to https: for all requests.
We should only do this for GET requests, and return 400 Non-SSL Request or similar for all others.
Done in staging; permitted GET and HEAD requests to keep browsers from harming unaware users.
New rule is:
# Only idempotent, body-less methods are redirected to https;
# anything else arriving on :80 is refused rather than silently redirected.
$method = http.getMethod();
if ($method == 'GET' || $method == 'HEAD') {
    $host = http.getHostHeader();
    http.changeSite(string.append("https://", $host));
} else {
    http.sendResponse('400 Bad Non-SSL Requests Please Use HTTPS', 'application/json', '{"error": "Please use HTTPS rather than HTTP"}', '');
}
Testing confirms expected response with curl -v -D - -X "GET" http://diresworb.org/, -X "HEAD", -X "POST", -X "PUT".
Waiting for :petef review.
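The same :80 policy as a small WSGI app, added here as an example so it can be exercised offline; this is not the TrafficScript rule from the bug or any Mozilla code. It assumes a 301 for the redirect (the status comment 3 reports for prod), reuses the 400 status and JSON body from the rule above, and preserves path and query string in the https target.

```python
"""Added example: http->https policy for a plain-HTTP listener.
Assumption: 301 redirect status; status line and body for the
refusal are taken from the rule posted in this bug."""
from urllib.parse import quote

REDIRECT_METHODS = {"GET", "HEAD"}
REJECT_STATUS = "400 Bad Non-SSL Requests Please Use HTTPS"
REJECT_BODY = b'{"error": "Please use HTTPS rather than HTTP"}'


def plain_http_policy(environ, start_response):
    """WSGI app for the :80 listener. Idempotent, body-less methods are
    redirected to the same URL on https; anything else is refused so a
    request body (such as an assertion) is never accepted over cleartext
    and then quietly re-sent after a redirect."""
    method = environ.get("REQUEST_METHOD", "").upper()
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
    if method in REDIRECT_METHODS:
        # Keep path and query so the https URL is equivalent to the request.
        target = "https://" + host + quote(environ.get("PATH_INFO", "/"))
        if environ.get("QUERY_STRING"):
            target += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]
    start_response(REJECT_STATUS,
                   [("Content-Type", "application/json"),
                    ("Content-Length", str(len(REJECT_BODY)))])
    return [REJECT_BODY]


def call(method, host, path="/", query=""):
    """Drive the app with a constructed environ (no network);
    returns (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": method, "HTTP_HOST": host,
               "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(plain_http_policy(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Mirrors the curl checks in this bug: GET/HEAD redirect, POST/PUT get 400.
    for m in ("GET", "HEAD", "POST", "PUT"):
        print(m, call(m, "browserid.org", "/verify")[0])
```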
Comment 2•13 years ago
A quick (expect it to fail) check is `curl -v -H 'Content-type: application/x-www-form-urlencoded' --data-binary 'audience=example.com&assertion=asdfasdfasdf' http://diresworb.org/verify`
Comment 3•13 years ago
(In reply to John Morrison [:jrgm] from comment #2)
> A quick (expect it to fail) check is `curl -v -H 'Content-type:
> application/x-www-form-urlencoded' --data-binary
> 'audience=example.com&assertion=asdfasdfasdf' http://diresworb.org/verify`
By which I mean, a request over https will be 200 with "malformed assertion" for either prod or stage. A request over http will be 301 to prod, and a request to stage with the change will be '400 Bad Non-SSL Requests Please Use HTTPS'.
Confirmed this is acceptable to :petef, we're deploying as part of tomorrow's production train.
Once deployed, only GET/HEAD methods will receive redirects on :80, with all other methods receiving the above-documented 400 error.
Assignee: nobody → petef
Component: Operations → Operations: Deployment Requests
QA Contact: operations → operations-deploy-requests
Summary: only permit http->https redirects for GET requests to bid:80/tcp → only permit http->https redirects for GET/HEAD requests to bid:80/tcp
Deployed to phx1-idweb, scl2-idweb.
Verified using curl -v -X "HEAD" (or "GET") -H "Host: browserid.org" http://63.245.217.130/foo (and 63.245.209.246)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 6•13 years ago
Marking verified based on notes from :atoll and :jrgm in Identity IRC channel.
Status: RESOLVED → VERIFIED