There's a problem with the way we push external remediation pages into the mod_rewrite config in Apache. Since we don't order the statements from the tightest to the broadest, one could face an issue with that.
For example in our integration tests (addons/integration-test) we have:
[2010004]
desc=Remediation external (domain) without auto_enable
priority=8
actions=log,trap
url=http://www.inverse.ca/
disable=N
trigger=
auto_enable=N
max_enable=0
[2010005]
desc=Remediation external (path) with auto_enable
priority=8
actions=log,trap
url=https://www.inverse.ca/SOGo/
disable=N
trigger=
auto_enable=Y
max_enable=0
This will be generated as:
# Rewrite rules generated for violation 2010004 external's URL
RewriteCond %{HTTP_HOST} www.inverse.ca
RewriteCond %{REQUEST_URI} ^/
RewriteRule ^(.*)$ http://www.inverse.ca/$1 [P]
# Rewrite rules generated for violation 2010005 external's URL
RewriteCond %{HTTP_HOST} www.inverse.ca
RewriteCond %{REQUEST_URI} ^/SOGo/
RewriteRule ^(.*)$ https://www.inverse.ca/$1 [P]
With the above config, someone with a 2010005 violation will never hit www.inverse.ca over HTTPS because the first rewrite statement (the broadest inverse.ca one) will catch it.
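
One way to order the generated blocks from tightest to broadest, as an added example that is not part of the original report or the project's own generator. The function names and the VIOLATIONS dictionary are assumptions built from the two violations quoted above, and first_match is a simplified model of which block handles a request.

```python
from urllib.parse import urlsplit

# Constructed input mirroring the two violations quoted in the report.
VIOLATIONS = {
    "2010004": "http://www.inverse.ca/",
    "2010005": "https://www.inverse.ca/SOGo/",
}

def ordered_rules(violations):
    """Return (vid, host, path, scheme) tuples, longest path first per host."""
    rules = []
    for vid, url in violations.items():
        parts = urlsplit(url)
        rules.append((vid, parts.hostname, parts.path or "/", parts.scheme))
    # Group by host, then put the longest path first so a broad "^/"
    # condition cannot shadow a tighter "^/SOGo/" one.
    return sorted(rules, key=lambda r: (r[1], -len(r[2]), r[0]))

def render(violations):
    """Emit mod_rewrite blocks in the same shape as the generated config."""
    out = []
    for vid, host, path, scheme in ordered_rules(violations):
        out += [
            f"# Rewrite rules generated for violation {vid} external's URL",
            f"RewriteCond %{{HTTP_HOST}} {host}",
            f"RewriteCond %{{REQUEST_URI}} ^{path}",
            f"RewriteRule ^(.*)$ {scheme}://{host}/$1 [P]",
        ]
    return "\n".join(out)

def first_match(violations, host, uri):
    """Simplified model: the first block whose host and path prefix match
    handles the request, since a [P] rule stops further rewriting."""
    for vid, rule_host, path, _ in ordered_rules(violations):
        if host == rule_host and uri.startswith(path):
            return vid
    return None

if __name__ == "__main__":
    print(render(VIOLATIONS))
```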