Closed Bug 974577 Opened 11 years ago Closed 11 years ago

buglist.cgi "My Bugs" on "Home" redirects to non-HTTPS URL

Categories

(Bugzilla :: Bugzilla-General, defect)

defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: moz, Unassigned)

Details

User Agent:
Build ID: 20140203105410

Steps to reproduce:

Logged in to some Bugzilla 4.4 installations (could be 4.4.1 or 4.4.2 too). Use HTTPS only. Click on "My Bugs" URL.

For example on https://bugzilla.redhat.com/ clicking the URL https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&bug_status=RELEASE_PENDING&bug_status=POST&email1=[SCRUBBED]&emailtype1=exact&emailassigned_to1=1&emailreporter1=1&emailcc1=1 (real email address [SCRUBBED] by me)

Actual results:

I get redirected (HTTP 302 Found) to the http://bugzilla.example.com/buglist.cgi page which in turn redirects to a https://bugzilla.example.com/buglist.cgi page.

There are 2 problems with that:
• My Search URL (including email address) and cookies are leaked to a possible man in the middle (security)
• Unnecessary redirection (performance, server load)

Expected results:

Bugzilla should keep my connection HTTPS-only. There is no need to force HTTP.

This bug was also reported on https://bugzilla.kernel.org/show_bug.cgi?id=68921 and https://bugzilla.redhat.com/show_bug.cgi?id=1054889 for 2 affected versions of Bugzilla.

Konstantin Ryabitsev of bugzilla.kernel.org found a workaround:

> I worked around it by setting "SetEnv HTTPS=on" in Apache.

I cannot reproduce. It correctly redirects to https://. Are you sure your load balancer isn't the culprit? Or that the config mixes urlbase and sslbase?
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
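
An added example, not part of the bug report or of Bugzilla's code: a check over a recorded redirect chain that reports what a cleartext hop like the one described in the report exposes on the wire. The URLs, cookie names and Secure flags are constructed sample data, and the function names are hypothetical; it assumes the client applies the usual Secure-attribute and domain-match rules when sending cookies.

```python
from urllib.parse import urljoin, urlsplit, parse_qsl

REDIRECT_CODES = {301, 302, 303, 307, 308}

def requested_urls(start_url, hops):
    """hops: (status, Location) of each response, in the order received."""
    urls = [start_url]
    for status, location in hops:
        if status not in REDIRECT_CODES or not location:
            break  # final response, nothing further is requested
        urls.append(urljoin(urls[-1], location))  # Location may be relative
    return urls

def cookie_matches(cookie, host):
    domain = cookie["domain"].lstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def audit_chain(start_url, hops, cookies):
    """Return one finding per http:// request made after an https:// one."""
    findings, was_https = [], False
    for url in requested_urls(start_url, hops):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme == "https":
            was_https = True
        elif parts.scheme == "http" and was_https:
            findings.append({
                "url": url,
                # query parameter names visible to an on-path observer
                "query_params": sorted({k for k, _ in parse_qsl(parts.query)}),
                # only cookies without the Secure attribute go out in cleartext
                "cookies_sent": sorted(c["name"] for c in cookies
                                       if not c["secure"] and cookie_matches(c, host)),
            })
    return findings

# Constructed sample: the https -> http -> https pattern from the report.
QUERY = "bug_status=NEW&email1=user%40example.com&emailtype1=exact"
START = "https://bugzilla.example.com/buglist.cgi?" + QUERY
HOPS = [(302, "http://bugzilla.example.com/buglist.cgi?" + QUERY),
        (302, "https://bugzilla.example.com/buglist.cgi?" + QUERY),
        (200, None)]
COOKIES = [  # constructed names and flags
    {"name": "session_id", "domain": "bugzilla.example.com", "secure": True},
    {"name": "login_id", "domain": "bugzilla.example.com", "secure": False},
]

if __name__ == "__main__":
    for finding in audit_chain(START, HOPS, COOKIES):
        print(finding)
```

In the sample, the search parameters (including `email1`) appear in the cleartext request regardless of cookie flags, while only the cookie lacking `Secure` is sent with it.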