[SMF all] SMF should not be using the hostname in links outside of email

Started by Vekseid, December 21, 2009, 12:53:51 PM

Vekseid

This is normally just an annoyance, but recently with the move to nginx it became a dealbreaker - nginx 6.32 at least does not have a clean way of setting the HTTPS header that I can tell.

Because SMF for some unknown reason decides it should prepend each link with http(s)://hostname, it doesn't handle that scenario well. In fact, it doesn't handle a lot of scenarios very well - right now, it forces fully qualified links, so when someone posts


[url=/community/index.php?action=post;board=137.0]...


It's forced to

[url=http://www.simplemachines.org/community/index.php?action=post;board=137.0]...


Which means anyone browsing the site via ssl gets forced out of it if they click on such a link, or vice versa if the link was generated by an ssl user.

It also makes moving a pain.

Half the sequence around line 1500 in Load.php is completely unnecessary. SMF should only concern itself with the hostname when sending out e-mails or otherwise communicating its address externally - that's it.
Adult Role Playing Forums - - Over five million posts - - Elliquiy's LAMP configuration (maybe NSFW)

Blog about Forums and Servers - - Twenty things to make Simple Machines Forum go faster

Private/Instant Message requests for free support will be ignored.

Arantor

Quote from: Vekseid on December 21, 2009, 12:53:51 PM
Because SMF for some unknown reason decides it should prepend each link with http(s)://hostname, it doesn't handle that scenario well. In fact, it doesn't handle a lot of scenarios very well - right now, it forces fully qualified links, so when someone posts

I think it's done in the url tag for security reasons to prevent posting of malicious stuff. Not sure off the top of my head what iurl does though.

I'm also not sure you'll convince them to change it any time soon as in their view it isn't a bug.
Holder of controversial views, all of which my own.


Vekseid

If "SMF does not gracefully handle ssl under nginx" is not a bug, or 'users being knocked between ssl and not' isn't.

And haphazard attempts at security aren't.

Arantor

I'm not saying I disagree with you. It seems to me to be a bug.

However, I'm covering off why it is the way it is right now. I'll see about adding a report for this shortly though.


Something like that

The only problem becomes when you turn something like www.example.com into a link -- but the detection of that is different, so I agree this is a bug.

This also shows up when hosting the forum from multiple hostnames (which I did attempt at one point in the past).

karlbenson

For security reasons smf doesn't allow partial links.

If we're in https I believe it should be forcing https instead of http though.

Vekseid

Quote from: karlbenson on December 24, 2009, 01:42:29 PM
For security reasons smf doesn't allow partial links.

I'm still curious as to what sort of security reason. Whatever it is probably has a superior solution than 'give end users all sorts of headaches'.

Quote
If we're in https I believe it should be forcing https instead of http though.

Currently, nginx as of 6.32 does not and can not pass the HTTPS header, which Load.php relies upon to check in order to set this, so I'm forced to use raw port values. I'll be testing 7.64 soon.

It's inelegant, because members will bounce between https and http when moving through links in signatures, posts, etc.
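The trade-off debated in this thread, as an added example that is not SMF's code and not part of any post: a `[url]` target check that leaves site-relative links relative, so the browser stays on whichever scheme and hostname the reader is already using, while still refusing scheme-based and off-site targets. The function names and the policy are assumptions for illustration; the thread does not say what SMF's actual security reason is.

```php
<?php
// Added example; not SMF code. Function names and policy are hypothetical.

/** Return a safe href for a [url=...] target, or null to render plain text. */
function normalize_url_tag(string $target): ?string
{
    $target = trim($target);
    // Control characters, spaces and backslashes are refused outright:
    // browsers strip or rewrite them, e.g. "/\host" is read like "//host".
    if ($target === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $target)) {
        return null;
    }
    // Site-relative path: one leading slash only. It is emitted unchanged, so
    // the browser resolves it against the page's own scheme and hostname.
    if ($target[0] === '/') {
        return strncmp($target, '//', 2) === 0 ? null : $target;
    }
    // Absolute URL: allow-list the scheme and require a host.
    $scheme = parse_url($target, PHP_URL_SCHEME);
    $host = parse_url($target, PHP_URL_HOST);
    if (is_string($scheme) && is_string($host) && $host !== ''
        && in_array(strtolower($scheme), ['http', 'https'], true)) {
        return $target;
    }
    return null; // javascript:, data:, schemeless text, malformed input
}

function render_url_tag(string $target, string $label): string
{
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    $href = normalize_url_tag($target);
    if ($href === null) {
        return $text; // no link is produced for a refused target
    }
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
        . '" rel="nofollow">' . $text . '</a>';
}

// Constructed inputs; the first is the link quoted in the first post.
$samples = [
    '/community/index.php?action=post;board=137.0',
    'https://www.simplemachines.org/community/',
    '//other.example/login',
    '/\\other.example/login',
    'javascript:alert(1)',
    'www.example.com',
];
foreach ($samples as $s) {
    echo str_pad($s, 48), ' => ', render_url_tag($s, 'link'), PHP_EOL;
}
```

Because the relative path is never rewritten, the application does not need to know whether the request arrived over HTTPS in order to emit a correct link.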

