User tests: Successful: Unsuccessful:
When adding the scheme to an URL use correct scheme (http or https) and port.
Checking for "http" or "https" via strstr() in the URL matched also these strings embedded in the URL (e.g. in /static/http/index.html), due to that checks changed to strpos().
Labels |
Added:
?
|
Status | Pending | ⇒ | Closed - No Reply |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-01-01 13:01:15 |
Closed_By | ⇒ | brianteeman |
Thanks for working on this. Unfortunately this did not make it into the final release of Joomla 2.5, or it was handled elsewhere, so this is being closed. If you feel this is still a valid issue in Joomla 3 please create a new issue.
Well it is still an issue with Joomla 3 and I've already created a
separate ticket regarding this issue, please see #4670 for details.
Am 01.01.2015 um 14:01 schrieb Brian Teeman:
Thanks for working on this. Unfortunately this did not make it into the
final release of Joomla 2.5, or it was handled elsewhere, so this is
being closed. If you feel this is still a valid issue in Joomla 3 please
create a new issue.
_This comment was created with the J!Tracker Application
https://github.com/joomla/jissues at issues.joomla.org/joomla-cms/4669
http://issues.joomla.org/tracker/joomla-cms/4669.—
Reply to this email directly or view it on GitHub
#4669 (comment).
Suppose you have a website accessible via HTTPS and/or via a non-standard port (e.g. 81). If you create an Iframe wrapper menu item pointing to a static page within your website by default the scheme "http://" and the current server name is prefixed to the given URL if it starts with "/".
You might test this with the static page "/logs/index.html". If you set up your web server such that you access all pages e.g. via port 81 only you'll get an error within your browser when loading the Iframe since it will try to load that page via port 80. Similarily when using HTTPS instead of HTTP the browser will load the Iframe via HTTP and it will probably complain about mixed content (insecure content within secure context).
Moreover I found an improper test for the schemes "http" and "https" in this context. The function strstr() returns a match for these strings even if they are embedded anywhere in the URL. I changed this test such that it now checks for "http://" or "https://" at the beginning of the URL by means of strpos().