UMC web-session not secure due to mixed content


#1

Dear reader,

We noticed that our website for UMC (Univention Management Console) wasn’t “secure”, due to mixed content being loaded from demo.univention.com/ (see attachment "UMC_HTTP_demo_background_01.PNG").

Downloading a file at all is alright-ish (although I would like to know why such a very often used file is not put locally, tracking-bitmap kind of thought?), but making the HTTPS fail due to that is troublesome.

We solved it by editing the file

/usr/share/univention-management-console-frontend/js/dijit/themes/umc/umc.css

changing line 10692 from http to https:

background: url("https://demo.univention.de/univention-management-console/js_$20162001042724$/dijit/themes/umc/images/background-tile.png") repeat, #5a5a5a;

After a reload, the page fully loads as HTTPS. See attachment “UMC_HTTP_demo_background_02.PNG”

Can this please be adjusted in the package? :slight_smile:

Kind regards,

Luuk





#2

Thanks for your feedback. Indeed, this seems to break the security context of an HTTPS website. There is nothing against always loading that content via a secure connection, so I opened an issue to fix it in a future erratum.

You can easily change that specific line by replacing the http → https.

…or use sed to do this for you:

root@ucs:/usr/share/univention-management-console-frontend/js/dijit/themes/umc# mv umc.css umc.css.orig; sed 's|url("http://|url("https://|g' <umc.css.orig >umc.css


#3

For future reference, was this the right forum to post in? Or should it have been in the feeds and enhancements board?

Also, for the bravehearts:

sed -i

edits files in place, no need for redirects :slight_smile:

Cheers,

Jimmy
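
An added example, not part of any post in this thread and not Univention code: a shell helper that lists every CSS url() still fetched over plain http under a directory and rewrites only those to https, keeping a .orig backup as in the sed command from #2. It goes beyond the double-quoted case in the thread by also matching single-quoted and unquoted url() values; the function names and the example.invalid hosts are made up for illustration, and GNU grep and sed are assumed.

```shell
#!/bin/sh
# Added example, not Univention code. Case-sensitive, like the sed in the thread.
PREFIX="url\([[:space:]]*[\"']?"   # "url(" plus an optional opening quote

# Print file:line:match for every url() in DIR's CSS files that uses plain http.
find_insecure_css_urls() {
    find "$1" -type f -name '*.css' -exec grep -HnoE "${PREFIX}http://[^\"')]*" {} +
}

# Print how many such references exist (0 when the tree is clean).
count_insecure_css_urls() {
    find_insecure_css_urls "$1" | wc -l | tr -d ' '
}

# Rewrite http:// to https:// inside url() only. Each changed file keeps a
# FILE.orig backup; files without a match are left untouched.
upgrade_css_urls() {
    find "$1" -type f -name '*.css' | while IFS= read -r f; do
        grep -qE "${PREFIX}http://" "$f" || continue
        cp -p "$f" "$f.orig"
        # Writing back into the existing file keeps its owner and mode.
        sed -E "s#(${PREFIX})http://#\1https://#g" "$f.orig" > "$f"
    done
}

# Constructed sample: the background line from this thread in its http form,
# plus lines that must stay unchanged (comment, https, relative path).
make_sample_css() {
    cat > "$1/umc.css" <<'EOF'
/* docs: http://www.w3.org/TR/CSS2/ (a comment, never fetched) */
body { background: url("http://demo.univention.de/univention-management-console/js_$20162001042724$/dijit/themes/umc/images/background-tile.png") repeat, #5a5a5a; }
.a { background: url('http://static.example.invalid/a.png'); }
.b { background: url(http://static.example.invalid/b.png); }
.c { background: url("https://static.example.invalid/c.png"); }
.d { background: url(images/d.png); }
EOF
}

# Run with a directory argument to get the audit report only.
if [ "$#" -eq 1 ]; then find_insecure_css_urls "$1"; fi
```

The rewrite only clears the warning if the remote host actually serves the file over HTTPS, which the first post confirmed for this background image.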


#4

Hi,

You could also send such issues to feedback@univention.de or open an issue yourself at: http://forge.univention.org/bugzilla/index.cgi but the forums are fine for it too.

Kind Regards,
Jens