I want every page secure. So I checked "Make secure every page except the listed pages." and left the listed pages blank. Logically, that should do it. But it doesn't. So to achieve what I want, I had to check "Make secure only the listed pages." and leave a * in the listed below. It works that way but obviously there is something wrong in the module. I haven't looked at the source yet to determine the issue.

CommentFileSizeAuthor
#13 all_pages-566632-13.patch3.09 KBDeciphered
#8 securepages-empty-page-list.patch3 KBDavid_Rothstein
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

mstef’s picture

mstef CreditAttribution: mstef commented

My guess at first glance..

function securepages_match($path) {
  /**
   * Check to see if the page matches the current settings
   */
  $secure = variable_get('securepages_secure', 1);
  $pages = variable_get('securepages_pages', "node/add*\nnode/*/edit\nuser/*\nadmin*");
  $ignore = variable_get('securepages_ignore', "*/autocomplete/*\n*/ajax/*");

  if ($ignore) {
    $regexp = '/^('. preg_replace(array('/(\r\n?|\n)/', '/\\\\\*/', '/(^|\|)\\\\<front\\\\>($|\|)/'), array('|', '.*', '\1'. preg_quote(variable_get('site_frontpage', 'node'), '/') .'\2'), preg_quote($ignore, '/')) .')$/';
    if (preg_match($regexp, $path)) {
      return securepages_is_secure() ? 1 : 0;
    }
  }
/******** 
 *** THIS IF STATEMENT BELOW ***
********/
  if ($pages) {
    $regexp = '/^('. preg_replace(array('/(\r\n?|\n)/', '/\\\\\*/', '/(^|\|)\\\\<front\\\\>($|\|)/'), array('|', '.*', '\1'. preg_quote(variable_get('site_frontpage', 'node'), '/') .'\2'), preg_quote($pages, '/')) .')$/';
    $result = preg_match($regexp, $path);
    if (function_exists('drupal_get_path_alias')) {
      $path_alias = drupal_get_path_alias($path);
      $result |= preg_match($regexp, $path_alias);
    }
    return !($secure xor $result) ? 1 : 0;
  }
  else {
    return;
  }
}
fjroman’s picture

fjroman CreditAttribution: fjroman commented

I just want some pages secure, but I found out that my Securepages only works when there is just one page on the box. I tried with \n, same line, different line... but nothing... Any clue?

jamesfk’s picture

jamesfk CreditAttribution: jamesfk commented

Getting the same issue, fixed it by putting in a non existing page into the show all apart from box.

mstef’s picture

mstef CreditAttribution: mstef commented

Yeah I did the same thing too but felt it still should be address in the module.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

Same problem here. subscribing.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Assigned: Unassigned »

Couldn't reproduce this problem.

Please reopen if your still experiencing problems and i'll see if i can help.

Best,
Paul Booker

pkiff’s picture

pkiff CreditAttribution: pkiff commented

I ran into the same issue as the original poster. I have a site that I want to be delivered entirely, and exclusively, through encrypted (secure) pages, including the front page. I am unable to use a regular server redirect or other server control to force this via the server, so secure_pages is the next best solution.

I used the following base URL settings (with my actual domain, of course):
Non-secure Base URL: http://subdomain.example.com
Secure Base URL: https://subdomain.example.com

Then selected "Make secure every page except the listed pages." And listed nothing in the remaining boxes.

But pages were not redirected or forced to https versions. I tried just inserting <front> into the list of exceptions, but that also did not fix the issue. As with the OP, I solved the issue by checking "Make secure only the listed pages." and leave a * in the list of pages. Then it works as designed.

Notes on my config:
- IIS 7
- PHP 5.2x
- firewall in use
- also using the following modules that could potentially be affecting things:

Path redirect:
http://drupal.org/project/path_redirect

PathAuto:
http://drupal.org/project/pathauto

CustomError:
http://drupal.org/project/customerror

I'm happy with the solution offered by the OP as it stands now, and am not in a position to investigate the code myself, but wanted to re-open this as a bug report in case other newcomers run into the same issue.

Phil.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Version: 6.x-1.8 » 7.x-1.x-dev
Status: Active » Needs review
FileSize
securepages-empty-page-list.patch3 KB

I ran across this bug today. Here's a patch for Drupal 7 (with tests).

Since the buggy part of the code is the only part of the securepages_match() function that ever returns NULL (and as far as I can tell, it never should), this patch removes that from the allowed list of return values as well.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Assigned: » Unassigned
grendzy’s picture

grendzy CreditAttribution: grendzy commented
Assigned: Unassigned » grendzy

Wow! With Tests! ♥♥♥

I thought there was a reason for the tri-state return value (0,1,null). I'll check it out.

sobi3ch’s picture

sobi3ch CreditAttribution: sobi3ch commented

I had version 6.x-1.9 and the problem is similar. I've selected "Make secure only the listed pages." and I put

user
user/*
<< empty line

(..of course I wasn't aware of empty line)

then each front page request was redirecting me to https:// scheme. Is there any solution (patch?) for it?

pkiff’s picture

pkiff CreditAttribution: pkiff commented

I don't think this is the same issue as others in this thread. Certainly, for us, using 6.x-1.9, these kinds of settings work as designed. The issue in this thread relates to cases where you have a "Null" value in your list to exclude/include. I don't follow what your reference to the empty/blank line is intended to mean: did you try removing the blank line?

Regardless, I would recommend starting a new issue to address your specific case.

Phil.

Deciphered’s picture

Deciphered CreditAttribution: Deciphered commented
Issue summary: View changes
FileSize
all_pages-566632-13.patch3.09 KB

Re-rolled patch from #8

nerdcore’s picture

nerdcore CreditAttribution: nerdcore commented
Status: Needs review » Needs work

Patch in #13 did not fix this issue for me.

Using "Make secure every page except the listed pages" with an empty "Pages" textarea still results in pages loaded via HTTP.

The workaround of "Make secure only the listed pages" with "Pages" set to "*" does function as expected.

Another workaround which seems functional is to specify SOMETHING in the "Pages" list with the "Make secure every page except the listed pages" option. I used "/non-existent-page" and every page comes up HTTPS.

Would be nice to be able to leave that field blank and have HTTPS forced everywhere though, as that is the intuitive solution.

nerdcore’s picture

nerdcore CreditAttribution: nerdcore commented

I've just seen another issue with this option. I'm not convinced it works at all.

I've used "Make secure every page except the listed pages" and specified one real page which I do not require HTTPS for, "/careers". This page loads with HTTPS every time. This option does not seem to be providing the functionality it suggests, with or without the patch in #13.

nerdcore’s picture

nerdcore CreditAttribution: nerdcore commented
Status: Needs work » Reviewed & tested by the community

*sigh*

Patch in #13 works fine for me it turns out. When I applied it once locally it worked. When I applied it on my testing server nothing happened, so all my testing was without the patch.

However, my comment in #15 still stands - the excepted pages which should be allowed to load via HTTP still force HTTPS.

Patch in #13 is RTBC'ed. Sorry for the confusion.

hussainweb’s picture

hussainweb
Primary language English
CreditAttribution: hussainweb at Axelerant commented
Priority: Normal » Major

I would say this is critical as it is confusing and hampers essential operation if not configured. I am just settling for major now.

aaron.ferris’s picture

aaron.ferris CreditAttribution: aaron.ferris commented

Another +1 for the patch in #13