#3649 (ok 3.5.3) version check breaks ssl

3.5.2
fixed
nobody
5
2013-06-11
2012-07-22
Noel
No

SSL validation fails with insecure content because of http://www.phpmyadmin.net/home_page/version.js
Can we get an option to disable this checking please, or some other workaround? Thanks.

Discussion

  • Marc Delisle
    2012-07-22

    From Documentation.html:

    $cfg['VersionCheck'] boolean
    Enables check for latest versions using javascript on main phpMyAdmin page.

     
  • Marc Delisle
    2012-07-22

    • status: open --> closed-invalid
     
  • Justin Beasley
    2012-07-25

    I understand that you answered noelb's question, but is there a reason that this check can't happen over SSL so that it works for everyone without throwing mixed mode warnings?

    Loading it over SSL wouldn't generate an error on non-secure installs, but would fix the error on secure installs.

    I think that automated upgrade checking is important from a security standpoint, so instructing people to just turn it off seems like throwing the baby out with the bathwater.

     
  • Justin Beasley
    2012-07-25

    Note: I found an open bug related to this (#3534139) and left a comment there since it's probably more appropriate since this is really a duplicate.

     
  • Marc Delisle
    2012-07-25

    Reopening.

     
  • Marc Delisle
    2012-07-25

    • status: closed-invalid --> open
     
  • Justin Beasley
    2012-07-26

    Thanks Marc. I was thinking about this last night, and came up with an idea for resolving this if the PMA site doesn't have an SSL certificate and if it would be problematic to get one set up for whatever reason.

    A PHP script could be added to the local PMA install, and that file could act as a proxy of the non-secure update check script. That way, if the local install is secure, that file can be loaded securely--but the infrastructure on the phpmyadmin.net side of things wouldn't need to change. If ForceSSL isn't being used, the file would just be proxied locally. This would also allow an easy future way of implementing some type of caching (only checking once every 24 hours, for example) to reduce the number of requests to the PMA server.

    In order to avoid any dependencies (namely cURL or allow_url_fopen), this would probably need to proxy the file using a pure fsockopen() call--but it might be a viable option if you don't want to have to (or can't) deal with the SSL side of things.
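
One way to build the local proxy proposed in the comment above, as an added example that is not part of the thread or of phpMyAdmin's code. It departs from a verbatim relay: the upstream file arrives over plain HTTP, so only a validated version number is re-served, as JSON, from the local origin. PHP 7.1+, the cache path, the constant and function names, the JSON shape and the presence of a dotted version in version.js are assumptions.

```php
<?php
// Added example, not phpMyAdmin code. Assumed: PHP 7.1+, the cache path,
// the JSON response shape, and that version.js contains a dotted version.
const UPSTREAM_HOST = 'www.phpmyadmin.net';      // from the report above
const UPSTREAM_PATH = '/home_page/version.js';   // from the report above
const CACHE_TTL     = 86400;                     // "once every 24 hours"
const MAX_BYTES     = 4096;                      // cap on what we read

// Plain fsockopen() fetch: no cURL, no allow_url_fopen.
function fetch_upstream(): ?string
{
    $fp = @fsockopen(UPSTREAM_HOST, 80, $errno, $errstr, 5);
    if ($fp === false) {
        return null;
    }
    stream_set_timeout($fp, 5);
    // HTTP/1.0 keeps the reply unchunked.
    fwrite($fp, 'GET ' . UPSTREAM_PATH . " HTTP/1.0\r\nHost: " . UPSTREAM_HOST . "\r\n\r\n");
    $raw = stream_get_contents($fp, MAX_BYTES);
    fclose($fp);
    $parts = explode("\r\n\r\n", (string) $raw, 2);
    if (count($parts) !== 2 || !preg_match('#^HTTP/1\.[01] 200\b#', $parts[0])) {
        return null;
    }
    return $parts[1];
}

// The upstream reply travelled over plain HTTP, so it is untrusted: keep only
// a strictly formatted version number and discard everything else.
function extract_version(string $body): ?string
{
    return preg_match('/\b\d{1,3}(?:\.\d{1,3}){1,3}\b/', $body, $m) ? $m[0] : null;
}

function latest_version(string $cacheFile): ?string
{
    if (is_file($cacheFile) && time() - filemtime($cacheFile) < CACHE_TTL) {
        // Re-validate on read; an empty file is a cached failure.
        return extract_version((string) file_get_contents($cacheFile));
    }
    $body    = fetch_upstream();
    $version = $body === null ? null : extract_version($body);
    file_put_contents($cacheFile, (string) $version, LOCK_EX);
    return $version;
}

header('Content-Type: application/json');
header('X-Content-Type-Options: nosniff');
echo json_encode(['version' => latest_version(sys_get_temp_dir() . '/pma_version_check.cache')]);
```

Serving the result from the local origin removes the mixed-content warning but does not authenticate the upstream answer, which is why the script passes through a bare version number and never the fetched JavaScript.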

     
  • Marc Delisle
    2012-10-13

    • summary: version check breaks ssl --> (ok 3.5.3) version check breaks ssl
    • status: open --> closed-fixed
     
  • Marc Delisle
    2012-10-13

    Fixed in 3.5.3.

     
  • Michal Čihař
    2013-06-11

    • Status: closed-fixed --> fixed