View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005905 | OXID eShop (all versions) | 2. ----- eShop backend (admin) ----- | public | 2014-10-03 13:08 | 2024-01-17 13:55 |
Reporter | Mitmacher | Assigned To | |||
Priority | urgent | Severity | crash | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 4.9.0 / 5.2.0 | ||||
Target Version | 4.8.9 / 5.1.9 | Fixed in Version | 4.9.2 / 5.2.2 | ||
Summary | 0005905: Missing checks for SSL, mallshop and language-hosts | ||||
Description | Recently "processUrl()" was changed according to https://bugs.oxid-esales.com/view.php?id=5809. But this only works if the shop is running on a single distinct domain. If you are using some different domains in addition, like SSL proxies in the config vars sSSLShopURL or sAdminSSLURL, then all internal links will lack the parameters force_sid + token. So you cannot log in anymore and the shop becomes unusable altogether. | ||||
Steps To Reproduce | 1. set up a demo shop with a provider which offers SSL proxies (profihost, 1&1, ?) 2. set $this->sAdminSSLURL to a commonly used SSL proxy like: https://ssl.secure-online-shopping.de/shopname/admin 3. try to log in (endless loop) | ||||
Additional Information | The problem may be "function isCurrentShopHost($sUrl)" inside oxutilsurl.php, which checks if the current URL exists in array _aHosts. But since OXID 4.9 this array is always empty and as an alternative the URL is only checked against sShopURL. A solution might be to re-migrate the code from OXID 4.8 to 4.9, especially both functions _getHosts() and _addHost(). I have created a small hotfix module to handle this issue, see: http://forum.oxid-esales.com/showthread.php?t=25001 It is quite strange that this code exists in OXID 4.8, because it seems to be correct but was never used inside the whole framework. Now that it is getting useful and important, it has been deleted for some reason. | ||||
Tags | HTTPS | ||||
Attached Files | |||||
Theme | All | ||||
Browser | All | ||||
PHP Version | Not defined | ||||
Database Version | Not defined | ||||
related to | 0005809 | resolved | aurimas.gladutis | Session ID Disclosure |
related to | 0006065 | resolved | florian.auer | Method excepts a String as first argument, but gets an array. |
|
Hi, sorry, we were unable to reproduce this issue after setting up a similar environment to the one you explained in the bug entry description. Please check your Apache and SSL configuration and make sure they are correctly configured. |
|
reproduced on 4.9.0 CE |
|
Thanks for reopening! I also want to mention that this bug was recently ported back to older OXID versions 4.7.14 + 4.8.8 in a similar way. So I'm afraid they also have to be fixed again to solve this issue. |
|
Thanks to Wendnet for the pull request: https://github.com/OXID-eSales/oxideshop_ce/pull/176 |
|
fixed in 5.2.2 |
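
The host check described under Additional Information, as an added PHP example: session parameters are appended only to links whose host matches one of the configured shop URLs, including the SSL ones. This is not OXID eShop code and not the reporter's hotfix module; the class and method names are hypothetical, and only the config keys and the parameter names force_sid and token are taken from the report.

```php
<?php
// Added illustration, not OXID eShop code: class and method names are hypothetical.
// Only sShopURL, sSSLShopURL, sAdminSSLURL, force_sid and token come from the report.
final class ShopHostList
{
    /** @var array<string, true> lower-cased host names that belong to the shop */
    private array $hosts = [];

    public function __construct(array $config)
    {
        foreach (['sShopURL', 'sSSLShopURL', 'sAdminSSLURL'] as $key) {
            $host = parse_url((string) ($config[$key] ?? ''), PHP_URL_HOST);
            if (is_string($host) && $host !== '') {
                $this->hosts[strtolower($host)] = true;
            }
        }
    }

    public function isShopHost(string $url): bool
    {
        $parts = parse_url($url);
        if ($parts === false) {
            return false; // unparsable: treat as foreign
        }
        if (!isset($parts['host'])) {
            return !isset($parts['scheme']); // relative link stays on the shop (assumption)
        }
        return isset($this->hosts[strtolower($parts['host'])]);
    }

    /** Append session parameters only to links that stay on a configured shop host. */
    public function processUrl(string $url, string $sid, string $token): string
    {
        if (!$this->isShopHost($url)) {
            return $url; // foreign host: sid and token must not be disclosed
        }
        $sep = strpos($url, '?') === false ? '?' : '&';
        return $url . $sep . http_build_query(['force_sid' => $sid, 'token' => $token]);
    }
}

// Constructed sample configuration; the SSL proxy URL is the one from the report.
$list = new ShopHostList([
    'sShopURL'     => 'http://www.shop.example/',
    'sAdminSSLURL' => 'https://ssl.secure-online-shopping.de/shopname/admin',
]);
foreach (['https://ssl.secure-online-shopping.de/shopname/admin/index.php?cl=login',
          'http://www.shop.example/index.php', 'https://other.example/landing'] as $link) {
    echo $list->processUrl($link, 'SID123', 'TOK456'), PHP_EOL;
}
```

With this configuration the admin link on the SSL proxy host and the plain shop link get force_sid and token appended, while the link to the unrelated host is returned unchanged.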