[ Proposal – v.2.8.3 ] Security - avoiding hardcoded 'http:'

You have a suggestion for a future version of phpMyFAQ? Then post it here!

Moderator: Thorsten

Post Reply
pt20100201
Posts: 133
Joined: Mon Feb 01, 2010 2:11 pm
Location: Porto . Portugal
Contact:

[ Proposal – v.2.8.3 ] Security - avoiding hardcoded 'http:'

Post by pt20100201 » Fri Nov 22, 2013 8:24 pm

[ Proposal – v.2.8.3 ] Security - avoiding hardcoded 'http:' string
.
Dear Thorsten Rinne / Development Team

phpMyFAQ allows more than one mode of secure access/communication.

However, reading the code we found many hardcoded "http:" strings.

Are these strings used in HTTP headers that don't allow "https"?

If not, they should change accordingly to the administrator option (HTTP vs HTTPS) and, thus be stored in a variable.

Note
Many (but not all) are in phpMyFAQ bundled (external) components.

Nevertheless, in order to support phpMyFAQ's “secure communication” statement, those files must also be edited.

The attached compressed folder
  • phpmyfaq-2-8-3-files-w-hardcoded-http-or-https-20131122.zip
contains four files:
  • phpmyfaq-2-8-3-files-w-hardcoded-http-file-list-20131122.txt
  • phpmyfaq-2-8-3-files-w-hardcoded-https-file-list-20131122.txt
  • phpmyfaq-2-8-3-files-w-hardcoded-http-file+line-w-str-list-20131122.txt
  • phpmyfaq-2-8-3-files-w-hardcoded-https-file+line-w-str-list-20131122.txt
Commands used (on GNU/Linux) - on the folder created by uncompressing the phpMyFAQ downloaded file.
Note: the directories (folders) must exist.

List of files containing “http:” or “https:”

Code: Select all

grep -r -l -i "http:" . >> /tmp/1/ficheiros-c-http.txt
grep -r -l -i "https:" . >> /tmp/1/ficheiros-c-https.txt
[/b]
List of files and line(s) with the hardcoded string:

Code: Select all

grep -r -i "http:" . >> /tmp/1/ficheiros-c-http+str.txt
grep -r -i "https:" . >> /tmp/1/ficheiros-c-https+str.txt
[/b][/size]
..
Kind regards
2013-11-20
pt20100201
..
You do not have the required permissions to view the files attached to this post.

Thorsten
Posts: 14781
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: [ Proposal – v.2.8.3 ] Security - avoiding hardcoded 'ht

Post by Thorsten » Fri Nov 22, 2013 8:45 pm

Hi,

I'll fix that for the internal code: https://github.com/thorsten/phpMyFAQ/issues/772

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

Thorsten
Posts: 14781
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: [ Proposal – v.2.8.3 ] Security - avoiding hardcoded 'ht

Post by Thorsten » Sun Nov 24, 2013 4:50 pm

Hi,

fixed most of the hardcoded "http" stuff with 2.8.4

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

Post Reply