When "Switch back to http pages when there are no matches" is on, going to:
https://<site>/update.php
reverts back to
http://<site>/node
and fails.

It does not help if I add: update, update*, /update*, *update* to the list of pages to secure.

If I do try to go to http//update.php, the update page does appear, but later, when I try to perform a DB update, it wants to go to page https:///update.php?op=selection, so it fails again.

CommentFileSizeAuthor
#8 174839-update.patch449 bytesagentrickard

Comments

charliem’s picture

I am experiencing the same problem. As a work around I deselect "Switch back to http pages when there are no matches".

william haller’s picture

Version: 5.x-1.x-dev » 5.x-1.3

For what it is worth, this is causing problems for other modules in doing the 5.2 to 5.3 upgrade. They hit this module upgrade after doing a mass enable and subsequent modules never get their updates run properly causing operational problems.

charliem’s picture

I've upgraded to 5.3 today and the problem still persist. I've tried to remove the module and install it again but to no avail. I am not sure if the problem is with the module or after the upgrade to 5.2.

william haller’s picture

The module was working fine for us in 5.2. Everything else that we use - taken one at a time - made the 5.2 to 5.3 upgrade OK. The update to the latest Secure Pages is what caused the problems here. We had the switch back if no https page enabled in 5.2 and it was OK. It isn't a real deal breaker for us to lose that because our https mirrors our http so we never should have a page that is in one but not the other, but it could be an issue for some people.

jonli447’s picture

Ok, I fixed this issue, though I did not create a patch, sorry (because I actually modified the patch in other ways as well). Anyhow, this is what I did, and hopefully other's can follow.

First, find the line within function securepages_goto() that is:
header('Location: '. $url);

Modify the if bound above, so that the code is:

  if ($_SERVER['REQUEST_URI'] != '/update.php') {
    header('Location: '. $url);
  }

Then, in function securepages_match(), modify the code within if ($ignore) { such that it reads:

  if ($ignore) {
    $regexp = '/^('. preg_replace(array('/(\r\n?|\n)/', '/\\\\\*/', '/(^|\|)\\\\<front\\\\>($|\|)/'), array('|', '.*', '\1'. preg_quote(variable_get('site_frontpage', 'node'), '/') .'\2'), preg_quote($ignore, '/')) .')$/';
    if ($_SERVER['REQUEST_URI'] == '/update.php') {
       return TRUE;
    }
    elseif (preg_match($regexp, $path)) {
      if ($_SERVER['HTTPS'] == 'on') {
        return TRUE;
      }
      else {
        return FALSE;
      }
    }
  }

Then, add this to your .htaccess file:

  RewriteCond %{SERVER_PORT} ^80$
  RewriteRule ^update.php https://www.rozzli.com/update.php [R=301,L]

Again, sorry that it's not a patch. It's not a perfect fix, but what this effectively does is adds update.php to the ignore list (which cannot be done correctly through the modules administrative options), and allows update.php to be skipped when checking if the home page should be redirected.

If someone has a better method, or would like to put this together in a patch, that would great.

jonli447’s picture

Oh, I have not checked if my modifications will actually break the module if "return to http if match not found" is not selected. Also, it probably won't hurt to leave the update.php rewrite in your .htaccess file if "return to http ..." is not selected, but I have not checked for sure.

gordon’s picture

Status: Active » Closed (won't fix)

Secure Pages doesn't secure pages other than what is servered by index.php

agentrickard’s picture

Version: 5.x-1.3 » 5.x-1.7
Status: Closed (won't fix) » Active
StatusFileSize
new449 bytes

Granted, but it's implementation of hook_form_alter() seems to break update.php by failing to find a match and returning the user to the homepage.

Patch for simply checking we are using the right script.

grendzy’s picture

Status: Active » Closed (won't fix)

The 5.x branch is no longer supported. If this issue is still present in a current version of Secure Pages, please update the issue summary, change the version field, and re-open the issue.