Page MenuHomeIn-Portal Phabricator
Differential D511

INP-1903 - Disallow opening a website on unsupported domains/protocols
AcceptedPublic
Actions

Authored by alex on Mar 5 2025, 10:29 AM.

Details

Reviewers
erik
Test Plan
IMPORTANT: Replace test.domain.com with the domain you're using during test execution.

Preconditions

  1. the patch from D514 must be applied
  2. the HTTP code of the page can be seen in the Network of the Web Browser inspector
  3. check for not allowed/domain protocol combo looks like this:
    • with Debug Mode disabled:
      • the page is blank
      • the HTTP 404 error code sent
    • with Debug Mode enabled:
      • the page displays a debugger toolbar and the The "..." protocol/domain combo is not allowed. text (the ... is replaced with used domain/protocol)
      • the HTTP 404 error code sent
  4. used domains:
    • test.domain.com - base domain for testing
    • sd1-http.test.domain.com - domain, where 1st site domain could be accessed via http:// protocol
    • sd1-https.test.domain.com - domain, where 1st site domain could be accessed via https:// protocol
    • sd2-http.test.domain.com - domain, where 2nd site domain could be accessed via http:// protocol
    • admin1-https.test.domain.com - domain, where Admin Console can be accessed over https
    • admin2-https.test.domain.com - domain, where Admin Console can be accessed over https
    • front-https.test.domain.com - domain, where Front-End can be accessed over https

Preparations

IMPORTANT: Don't apply the patch yet.
  • in any editor:
    1. open the OS-specific hosts file (the C:\Windows\System32\drivers\etc\hosts on Windows; the /etc/hosts on macOS/Linux) for editing as Administrator
    2. add entries for each of the above-shown domains in there (e.g. if you have aaa.bbb.ccc.ddd test.domain.com entry, then add aaa.bbb.ccc.ddd sd1-http.test.domain.com entry and so on)
    3. save changes
  • in the IDE:
    1. open the /system/config.php file for editing
    2. set the $_CONFIG['Misc']['Domain'] setting to the test.domain.com
    3. save changes
    4. open the themes/advanced/index.tpl file for editing
    5. add the [Site Domain ID: <inp2:site-domain.current_Field name="DomainId"/>]<br/> line above the <inp2:st_ContentBlock num="1"/> line
    6. save changes
  • in the Admin Console:
    1. login to the Admin Console by accessing it on the test.domain.com domain over http:// protocol
    2. go to the ConfigurationWebsiteAdvanced section
    3. clear these system settings:
      • SSL Domain (www.domain.com)
      • SSL Domain for Administrative Console (www.domain.com)
    4. uncheck these system settings:
      • Require SSL for login & checkout
      • Require SSL for Administrative Console
    5. set Session Cookie Domains (single domain per line) system setting to this value (multi-line):
test.domain.com
admin1-https.test.domain.com
admin2-https.test.domain.com
front-https.test.domain.com
sd1-http.test.domain.com
sd1-https.test.domain.com
sd2-http.test.domain.com
    1. save changes
    2. go to the ConfigurationWebsiteSite Domains section
    3. add 1st site domain with Domain Name=sd1-http.test.domain.com and SSL Domain Name=sd1-https.test.domain.com
    4. add 2nd site domain with Domain Name=sd2-http.test.domain.com
    5. logout from the Admin Console
    6. (changed) delete all cookies on all the domains specified in the Session Cookie Domains (single domain per line) system setting
  • apply the patch

Part 1 - access Admin Console over SSL, when it's not configured

  1. open the Admin Console login screen using test.domain.com and http:// protocol
  2. confirm, that:
    • domain/protocol combo is allowed
    • you're on the Admin Console login screen
  3. open the Admin Console login screen using test.domain.com and https:// protocol
  4. confirm that domain/protocol combo is forbidden

Part 2 - access Admin Console over SSL, when it's configured

  1. open the Admin Console login screen using test.domain.com and http:// protocol
  2. go to the ConfigurationWebsiteAdvanced section
  3. set SSL Domain for Administrative Console (www.domain.com) system setting to the admin1-https.test.domain.com
  4. save changes
  5. confirm that you're stayed on the same page (setting page)
  6. logout
  7. confirm, that:
    • you're stayed on the same domain/protocol
    • you're seeing an Admin Console login screen
    • (deleted) you stayed on the admin1-https.test.domain.com domain and http:// protocol
  8. try changing domain the URL to the admin1-https.test.domain.com, but keeping protocol as-is (the http://)
  9. confirm that domain/protocol combo is forbidden
  10. try changing protocol in the URL to the https://, but keep domain as-is (the admin1-https.test.domain.com)
  11. if the Redirect to HTTP when SSL is not required system setting is enabled, then confirm that you've stayed on the Admin Console login screen using test.domain.com and http:// protocol
  12. if the Redirect to HTTP when SSL is not required system setting is disabled, then confirm that you've stayed on the Admin Console login screen using admin1-https.test.domain.com and https:// protocol

Part 3 - changing Admin Console SSL domain

NOTE: Disable the Redirect to HTTP when SSL is not required system setting while on the test.domain.com domain using http:// protocol to test this.
  1. open the Admin Console login screen using admin1-https.test.domain.com and https:// protocol
  2. go to the ConfigurationWebsiteAdvanced section
  3. set SSL Domain for Administrative Console (www.domain.com) system setting to the admin2-https.test.domain.com
  4. save changes
  5. confirm, that:
    • you're stayed on the same protocol
    • you're seeing an Admin Console login screen
    • (would only work if you've enabled Memcache support) you redirected to the admin2-https.test.domain.com domain and stayed on the https:// protocol
  6. open the Admin Console login screen using admin1-https.test.domain.com and https:// protocol
  7. confirm that domain/protocol combo is forbidden

Part 4 - dual (http & https) site domain access checking for Front-End

  1. open the sd1-https.test.domain.com using https:// protocol
  2. confirm, that:
    • domain/protocol combo is allowed (you'll be redirected to sd1-http.test.domain.com using http:// protocol unless the Redirect to HTTP when SSL is not required system setting is disabled)
    • you're seeing [Site Domain ID: 1] text (replace 1 with ID of 1st created site domain)
  3. open the sd1-https.test.domain.com using http:// protocol
  4. confirm that domain/protocol combo is forbidden
  5. open the sd1-http.test.domain.com using http:// protocol
  6. confirm, that:
    • domain/protocol combo is allowed
    • you're seeing [Site Domain ID: 1] text (replace 1 with ID of 1st created site domain)
  7. open the sd1-http.test.domain.com using https:// protocol
  8. confirm that domain/protocol combo is forbidden

Part 5 - single (http) site domain access checking for Front-End

  1. open the sd2-http.test.domain.com using http:// protocol
  2. confirm, that:
    • domain/protocol combo is allowed
    • you're seeing [Site Domain ID: 2] text (replace 2 with ID of 2nd created site domain)
  3. open the sd2-http.test.domain.com using https:// protocol
  4. confirm that domain/protocol combo is forbidden

Part 6 - single (http) main website access checking for Front-End

  1. open the test.domain.com using http:// protocol
  2. confirm, that:
    • domain/protocol combo is allowed
    • you're seeing [Site Domain ID: 0] text
  3. open the test.domain.com using https:// protocol
  4. confirm that domain/protocol combo is forbidden

Part 7 - dual (http & https) main website access checking

  1. open the Admin Console login screen using test.domain.com and http:// protocol
  2. go to the ConfigurationWebsiteAdvanced section
  3. set SSL Domain (www.domain.com) system setting to the front-https.test.domain.com
  4. save changes
  5. logout
  6. open the test.domain.com using http:// protocol
  7. confirm, that:
    • domain/protocol combo is allowed
    • you're seeing [Site Domain ID: 0] text
  8. open the front-https.test.domain.com using https:// protocol (you'll be redirected to test.domain.com using http:// protocol unless the Redirect to HTTP when SSL is not required system setting is disabled)
  9. confirm, that:
    • domain/protocol combo is allowed
    • you're seeing [Site Domain ID: 0] text
  10. open the front-https.test.domain.com using http:// protocol
  11. confirm that domain/protocol combo is forbidden

Part 8 - front-end SSL domain used in admin

  1. open the Admin Console login screen using test.domain.com and http:// protocol
  2. go to the ConfigurationWebsiteAdvanced section
  3. set SSL Domain (www.domain.com) system setting to the front-https.test.domain.com
  4. clear SSL Domain for Administrative Console (www.domain.com) system setting
  5. save changes
  6. logout
  7. open the Admin Console login screen using front-https.test.domain.com and https:// protocol (you'll be redirected to test.domain.com using http:// protocol unless the Redirect to HTTP when SSL is not required system setting is disabled)
  8. confirm, that:
    • domain/protocol combo is allowed
    • you see the login screen
  9. open the Admin Console login screen using front-https.test.domain.com and http:// protocol
  10. confirm that domain/protocol combo is forbidden

[new] Part 9 - browse mode on http protocol for Admin Console

  1. open the Admin Console login screen using test.domain.com and http:// protocol
  2. login
  3. go to the Website & ContentBrowse Website section
  4. confirm that:
    • editing mode buttons (Browse Mode, Content Mode, etc.) are shown in the top frame
    • the Browse Mode editing mode button is active
  5. click on the Content Mode editing mode button
  6. confirm that you'll see orange buttons for page property/content blocks editing
  7. logout

[new] Part 10 - browse mode on https protocol for Admin Console

  1. open the Admin Console login screen using front-https.test.domain.com and https://
  2. login
  3. go to the Website & ContentBrowse Website section
  4. confirm that:
    • editing mode buttons (Browse Mode, Content Mode, etc.) are shown in the top frame
    • the Browse Mode editing mode button is active
  5. click on the Content Mode editing mode button
  6. confirm that you'll see orange buttons for page property/content blocks editing
  7. logout

Diff Detail

Repository
rINP In-Portal
Branch
/in-portal/branches/5.3.x
Lint
Lint ErrorsExcuse: Unrelated.
SeverityLocationCodeMessage
Errorcore/kernel/processors/main_processor.php:180PHPCS.E.CodingStandard.Commenting.FunctionComment.MissingCodingStandard.Commenting.FunctionComment.Missing
Errorcore/kernel/processors/main_processor.php:180PHPCS.E.Squiz.Scope.MethodScope.MissingSquiz.Scope.MethodScope.Missing
Unit
No Unit Test Coverage
Build Status
Buildable 11068
Build 3768: arc lint + arc unit

Event Timeline

alex created this revision.Mar 5 2025, 10:29 AM
alex requested review of this revision.Mar 5 2025, 10:29 AM
alex edited the test plan for this revision. (Show Details)Mar 5 2025, 10:31 AM
alex edited the test plan for this revision. (Show Details)
erik requested changes to this revision.Mar 6 2025, 6:27 AM

All tested, there is list of possible differences from test plan expectations.

Part 2.7 confirm you stayed on the admin1-https.test.domain.com domain and http:// protocol - NO, STAYED ON same domain/protocol test.domain.com
Part 2.11 confirm that you see the login screen YES, BUT after immediate auto redirect (code 302) to the base domain/protocol test.domain.com
Part 3.1 open the Admin Console login screen using admin1-https.test.domain.com and https:// protocol - IMPOSSIBLE due auto-redirect (code 302) to the base domain/protocol test.domain.com
Part 3.3
confirm, that:
you're stayed on the same protocol - YES, but it is base domain/protocol test.domain.com
you're seeing an Admin Console login screen - NO, I see adm.console configuration section
(would only work if you've enabled Memcache support) you redirected to the admin2-https.test.domain.com domain and stayed on the https:// protocol - NO, it is base domain/protocol test.domain.com (Memcache support enabled)
Part 4.1 - open the sd1-https.test.domain.com using https:// protocol - WARNING - happens auto-redirect to
sd1-http.test.domain.com
Part 7.9 - IMPOSSIBLE due auto-redirect to the base domain/protocol test.domain.com
Part 8.8 - YES, but there happened auto-redirect to base domain/protocol test.domain.com

This revision now requires changes to proceed.Mar 6 2025, 6:27 AM
alex edited the test plan for this revision. (Show Details)Mar 10 2025, 5:34 AM
In D511#10419, @erik wrote:

All tested, there is list of possible differences from test plan expectations.

Part 2.7 confirm you stayed on the admin1-https.test.domain.com domain and http:// protocol - NO, STAYED ON same domain/protocol test.domain.com

This was the copy/paste error in the test plan. Updated test plan.

Part 2.11 confirm that you see the login screen YES, BUT after immediate auto redirect (code 302) to the base domain/protocol test.domain.com

This happens because the Redirect to HTTP when SSL is not required system setting is enabled. Either behavior is acceptable. Updated test plan.

Part 3.1 open the Admin Console login screen using admin1-https.test.domain.com and https:// protocol - IMPOSSIBLE due auto-redirect (code 302) to the base domain/protocol test.domain.com
Part 3.3
confirm, that:
you're stayed on the same protocol - YES, but it is base domain/protocol test.domain.com
you're seeing an Admin Console login screen - NO, I see adm.console configuration section
(would only work if you've enabled Memcache support) you redirected to the admin2-https.test.domain.com domain and stayed on the https:// protocol - NO, it is base domain/protocol test.domain.com (Memcache support enabled)
Part 4.1 - open the sd1-https.test.domain.com using https:// protocol - WARNING - happens auto-redirect to sd1-http.test.domain.com
Part 7.9 - IMPOSSIBLE due auto-redirect to the base domain/protocol test.domain.com
Part 8.8 - YES, but there happened auto-redirect to base domain/protocol test.domain.com

This happens because the Redirect to HTTP when SSL is not required system setting is enabled. Updated test plan.

alex requested review of this revision.Mar 10 2025, 5:36 AM

Updated test plan. Please retest.

erik accepted this revision.Mar 10 2025, 6:38 AM
This revision is now accepted and ready to land.Mar 10 2025, 6:38 AM
alex planned changes to this revision.Mar 12 2025, 5:42 AM

Discovered a bug where Front-End can’t be opened in a Browse Mode if SSL is being used and Front-End and Admin Console are using different SSL domains.

alex updated this revision to Diff 1321.Mar 12 2025, 5:43 AM

Restored Browse Mode support when Front-End and Admin Console are using different SSL domains.

This revision is now accepted and ready to land.Mar 12 2025, 5:43 AM
alex updated this revision to Diff 1322.Mar 12 2025, 5:55 AM

Excluded "site_domain_eh.php" with no changes from the Differential Revision.

alex requested review of this revision.Mar 12 2025, 6:01 AM
alex edited the test plan for this revision. (Show Details)
erik requested changes to this revision.Mar 12 2025, 7:48 AM

Part 3.2 go to the Configuration → Website → Advanced section - FAILED, can't. login, redirects to login screen. Logged in only after all current site cookies deleted before login.
Part 7.9 confirm, that domain/protocol combo is allowed - NO The "https://front-https.test.domain.com" protocol/domain combo is not allowed.
Part 10.2 login - FAILED, can't. login, redirects to login screen. Logged in only after all current site cookies deleted before login.

This revision now requires changes to proceed.Mar 12 2025, 7:48 AM
alex added a comment.EditedMar 13 2025, 6:58 AM
In D511#10453, @erik wrote:

Part 3.2 go to the Configuration → Website → Advanced section - FAILED, can't. login, redirects to login screen. Logged in only after all current site cookies deleted before login.

I've updated test plan to include cookie removal on all used domains (not the current only).

Part 7.9 confirm, that domain/protocol combo is allowed - NO The "https://front-https.test.domain.com" protocol/domain combo is not allowed.
Part 10.2 login - FAILED, can't. login, redirects to login screen. Logged in only after all current site cookies deleted before login.

I'm unable to reproduce this locally.

That might be happening because the adm_sid/adm_sid_live cookies aren't removed after logout in In-Portal 5.3.x. This bug is fixed in the D514. I've updated the test plan to include applying a patch from that differential revision as well.

alex edited the test plan for this revision. (Show Details)Mar 13 2025, 6:58 AM
alex requested review of this revision.Mar 13 2025, 7:03 AM
alex added a parent revision: D514: INP-1822 - Use modern cookie encryption library.Mar 13 2025, 7:27 AM
alex edited the test plan for this revision. (Show Details)
erik accepted this revision.Mar 13 2025, 12:59 PM
This revision is now accepted and ready to land.Mar 13 2025, 12:59 PM

Revision Contents
Changeset List

DiffIDBaseDescriptionCreatedLintUnit
BaseBase
Diff 1131916824Mar 5 2025, 10:29 AM
Diff 2132116824Restored `Browse Mode` support when Front-End and Admin Console are using…Mar 12 2025, 5:43 AM
Diff 3132216824Excluded "site_domain_eh.php" with no changes from the Differential Revision.Mar 12 2025, 5:55 AM

Diff 1322

View Options

core/admin_templates/login.tpl

Loading...
View Options

core/kernel/application.php

Loading...
View Options

core/kernel/processors/main_processor.php

Loading...
View Options

core/units/configuration/configuration_event_handler.php

Loading...
In-Portal CMS · In-Portal Community Pages · In-Portal Issue Tracker · In-Portal Repository Browser · Quality Assurance · In-Portal CI Server