From 4161987bc38a59c80d694b7061af88b774a8914a Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Thu, 8 Dec 2016 16:53:28 +0100
Subject: [PATCH] fix: generate correct urls to static resources
Change-Id: Ibd337a102b6362fa601fc38aed68031677d3ad5d
---
 src/org/cacert/gigi/Gigi.java | 14 ++++++++------
 src/org/cacert/gigi/api/FindAgent.java | 2 +-
 src/org/cacert/gigi/output/ClientCSRGenerate.java | 2 +-
 src/org/cacert/gigi/pages/LoginPage.java | 2 +-
 src/org/cacert/gigi/util/ServerConstants.java | 2 +-
 tests/org/cacert/gigi/TestCrossDomainAccess.java | 2 +-
 6 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java
index 2f4c27dd..c7a60794 100644
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -127,7 +127,7 @@ public final class Gigi extends HttpServlet {
 return ac == null;
 }
 });
- getMenu("SomeCA.org").addItem(new SimpleMenuItem("https://" + ServerConstants.getSecureHostNamePort() + "/login", "Certificate Login") {
+ getMenu("SomeCA.org").addItem(new SimpleMenuItem("https://" + ServerConstants.getSecureHostNamePortSecure() + "/login", "Certificate Login") {
 @Override
 public boolean isPermitted(AuthorizationContext ac) {
@@ -317,6 +317,8 @@ public final class Gigi extends HttpServlet {
 private static String staticTemplateVar = "//" + ServerConstants.getStaticHostNamePort();
+ private static String staticTemplateVarSecure = "//" + ServerConstants.getStaticHostNamePortSecure();
+
 @Override
 protected void service(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException, IOException {
 if ("/error".equals(req.getPathInfo()) || "/denied".equals(req.getPathInfo())) {
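Review bot: The new `staticTemplateVarSecure` field in the `@@ -317` hunk is a mutable `private static String` with no comment, although its value is computed once and nothing in the hunk reassigns it; declaring it and its sibling `staticTemplateVar` as `private static final` and documenting the pair would make the later selection `vars.put("static", isSecure ? staticTemplateVarSecure : staticTemplateVar);` in the `@@ -419` hunk self-explanatory. Both values are protocol-relative (`//host:port`), so the browser applies the scheme of the page it is rendering; presumably the static host is served on different ports for HTTP and HTTPS, which is why the port has to be chosen by `isSecure` rather than left to the browser. A comment above the two fields such as `// Protocol-relative base URL for static resources; the port must match the scheme of the page being served, so service() picks by isSecure.` would record that reasoning. `isSecure` is assigned outside the hunk, and `service` continues past the hunk's last line.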
@@ -341,7 +343,7 @@ public final class Gigi extends HttpServlet {
 if (originHeader != null //
 && !(originHeader.matches("^" + Pattern.quote("https://" + ServerConstants.getWwwHostNamePortSecure()) + "(/.*|)") || //
 originHeader.matches("^" + Pattern.quote("http://" + ServerConstants.getWwwHostNamePort()) + "(/.*|)") || //
- originHeader.matches("^" + Pattern.quote("https://" + ServerConstants.getSecureHostNamePort()) + "(/.*|)"))) {
+ originHeader.matches("^" + Pattern.quote("https://" + ServerConstants.getSecureHostNamePortSecure()) + "(/.*|)"))) {
 resp.setContentType("text/html; charset=utf-8");
 resp.getWriter().println("AlertNo cross domain access allowed.
If you don't know why you're seeing this you may have been fished! Please change your password immediately!");
 return;
@@ -419,7 +421,7 @@ public final class Gigi extends HttpServlet {
 vars.put(Menu.AUTH_VALUE, currentAuthContext);
 vars.put("menu", rootMenu);
 vars.put("title", lang.getTranslation(p.getTitle()));
- vars.put("static", staticTemplateVar);
+ vars.put("static", isSecure ? staticTemplateVarSecure : staticTemplateVar);
 vars.put("year", Calendar.getInstance().get(Calendar.YEAR));
 vars.put("content", content);
 if (currentAuthContext != null) {
@@ -437,7 +439,7 @@ public final class Gigi extends HttpServlet {
 }
 public static void addXSSHeaders(HttpServletResponse hsr, boolean doHttps) {
- hsr.addHeader("Access-Control-Allow-Origin", "https://" + ServerConstants.getWwwHostNamePortSecure() + " https://" + ServerConstants.getSecureHostNamePort());
+ hsr.addHeader("Access-Control-Allow-Origin", "https://" + ServerConstants.getWwwHostNamePortSecure() + " https://" + ServerConstants.getSecureHostNamePortSecure());
 hsr.addHeader("Access-Control-Max-Age", "60");
 if (doHttps) {
 hsr.addHeader("Content-Security-Policy", httpsCSP);
@@ -460,7 +462,7 @@ public final class Gigi extends HttpServlet {
 csp.append(";media-src 'none'; object-src 'none'");
 csp.append(";script-src https://" + ServerConstants.getStaticHostNamePortSecure());
 csp.append(";style-src https://" + ServerConstants.getStaticHostNamePortSecure());
- csp.append(";form-action https://" + ServerConstants.getSecureHostNamePort() + " https://" + ServerConstants.getWwwHostNamePortSecure());
+ csp.append(";form-action https://" + ServerConstants.getSecureHostNamePortSecure() + " https://" + ServerConstants.getWwwHostNamePortSecure());
 // csp.append(";report-url https://api.cacert.org/security/csp/report");
 return csp.toString();
 }
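Review bot: The `Access-Control-Allow-Origin` value built on the new line of the `addXSSHeaders` hunk (`@@ -437`) is a space-separated list of two origins, which the header does not allow — it carries a single origin, `*` or `null`, and browsers reject a multi-valued header as "no match", so the CORS grant this line intends is presumably never honoured. The Origin header has already been validated against the same two hosts earlier in `service` (the `@@ -341` hunk), so the robust form is to echo that validated origin, e.g. `hsr.addHeader("Access-Control-Allow-Origin", validatedOrigin);` plus `hsr.addHeader("Vary", "Origin");`, which would mean passing the origin into `addXSSHeaders` (its signature is visible in the hunk). The rename merely carries this behaviour over, so it may belong in a follow-up; at minimum a comment on the line noting that the list form is not a valid CORS grant would stop the next reader from relying on it. The method continues past the hunk's last line.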
@@ -473,7 +475,7 @@ public final class Gigi extends HttpServlet {
 csp.append(";media-src 'none'; object-src 'none'");
 csp.append(";script-src http://" + ServerConstants.getStaticHostNamePort());
 csp.append(";style-src http://" + ServerConstants.getStaticHostNamePort());
- csp.append(";form-action https://" + ServerConstants.getSecureHostNamePort() + " https://" + ServerConstants.getWwwHostNamePort());
+ csp.append(";form-action https://" + ServerConstants.getSecureHostNamePortSecure() + " https://" + ServerConstants.getWwwHostNamePort());
 // csp.append(";report-url http://api.cacert.org/security/csp/report");
 return csp.toString();
 }
diff --git a/src/org/cacert/gigi/api/FindAgent.java b/src/org/cacert/gigi/api/FindAgent.java
index a78cd659..ba58a7a3 100644
--- a/src/org/cacert/gigi/api/FindAgent.java
+++ b/src/org/cacert/gigi/api/FindAgent.java
@@ -65,7 +65,7 @@ public class FindAgent extends APIPoint {
 if ( !us.isInGroup(Group.LOCATE_AGENT)) {
 resp.setStatus(501);
 resp.setContentType("text/plain; charset=UTF-8");
- resp.getWriter().println("https://" + ServerConstants.getSecureHostNamePort() + FindAgentAccess.PATH);
+ resp.getWriter().println("https://" + ServerConstants.getSecureHostNamePortSecure() + FindAgentAccess.PATH);
 return;
 }
 resp.setContentType("text/plain; charset=UTF-8");
diff --git a/src/org/cacert/gigi/output/ClientCSRGenerate.java b/src/org/cacert/gigi/output/ClientCSRGenerate.java
index 49be4259..3d4418e1 100644
--- a/src/org/cacert/gigi/output/ClientCSRGenerate.java
+++ b/src/org/cacert/gigi/output/ClientCSRGenerate.java
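Review bot: In the plain-HTTP CSP builder (`@@ -473` hunk) the second `form-action` source on the new line pairs the `https://` scheme with `ServerConstants.getWwwHostNamePort()`, the host:port variant that the `script-src` and `style-src` lines two rows above pair with `http://`, whereas the HTTPS builder in the `@@ -460` hunk consistently uses `getWwwHostNamePortSecure()`. A CSP source with an explicit `https://` scheme does not match an `http://` form target, so if that port does not terminate TLS a form on an HTTP page posting back to the www host is blocked by this policy, and a post to `https://www:<http-port>` cannot succeed either; the source therefore looks like it should read either `";form-action https://" + ServerConstants.getSecureHostNamePortSecure() + " http://" + ServerConstants.getWwwHostNamePort()` or use `getWwwHostNamePortSecure()`. If the mixed form is deliberate (for example HTTP pages only ever post to HTTPS endpoints), a short comment on the line saying so would prevent the next rename from "fixing" it. The enclosing method's opening lines are outside the hunk.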
@@ -18,7 +18,7 @@ public class ClientCSRGenerate {
 HashMap vars = new HashMap();
 vars.put("minsize", "2048");
 vars.put("normalhost", "https://" + ServerConstants.getWwwHostNamePortSecure());
- vars.put("securehost", "https://" + ServerConstants.getSecureHostNamePort());
+ vars.put("securehost", "https://" + ServerConstants.getSecureHostNamePortSecure());
 vars.put("statichost", "https://" + ServerConstants.getStaticHostNamePortSecure());
 try {
 normal.output(resp.getWriter(), Page.getLanguage(req), vars);
diff --git a/src/org/cacert/gigi/pages/LoginPage.java b/src/org/cacert/gigi/pages/LoginPage.java
index e4aa2e74..29b33aa4 100644
--- a/src/org/cacert/gigi/pages/LoginPage.java
+++ b/src/org/cacert/gigi/pages/LoginPage.java
@@ -62,7 +62,7 @@ public class LoginPage extends Page {
 @Override
 public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
- if (req.getHeader("Host").equals(ServerConstants.getSecureHostNamePort())) {
+ if (req.getHeader("Host").equals(ServerConstants.getSecureHostNamePortSecure())) {
 resp.getWriter().println(getLanguage(req).getTranslation("Authentication with certificate failed. Try another certificate or use a password."));
 } else {
 new LoginForm(req).output(resp.getWriter(), getLanguage(req), new HashMap());
diff --git a/src/org/cacert/gigi/util/ServerConstants.java b/src/org/cacert/gigi/util/ServerConstants.java
index 3bf32635..cab50b4e 100644
--- a/src/org/cacert/gigi/util/ServerConstants.java
+++ b/src/org/cacert/gigi/util/ServerConstants.java
@@ -50,7 +50,7 @@ public class ServerConstants {
 return apiHostName;
 }
- public static String getSecureHostNamePort() {
+ public static String getSecureHostNamePortSecure() {
 return secureHostName + securePort;
 }
diff --git a/tests/org/cacert/gigi/TestCrossDomainAccess.java b/tests/org/cacert/gigi/TestCrossDomainAccess.java
index e2a60070..ee3584fd 100644
--- a/tests/org/cacert/gigi/TestCrossDomainAccess.java
+++ b/tests/org/cacert/gigi/TestCrossDomainAccess.java
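Review bot: The new condition in `LoginPage.doGet` (`@@ -62` hunk) dereferences `req.getHeader("Host")` before comparing it, so a request that carries no Host header (HTTP/1.0 clients, some scanners) ends in a NullPointerException from the servlet instead of taking the password-form branch. Reversing the operands removes the crash at no cost: `if (ServerConstants.getSecureHostNamePortSecure().equals(req.getHeader("Host"))) {`. Note also that this comparison is what decides whether the certificate host shows the password form at all, and host names are case-insensitive in HTTP; whether the container normalises the header's case and port form is not visible here, so `equalsIgnoreCase` may be warranted — worth a comment either way. The rest of `doGet` lies outside the hunk.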
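Review bot: The renamed `getSecureHostNamePortSecure` (`@@ -50` hunk) has no Javadoc, and this hunk is exactly where a reader will look to learn why a method for the host already called "secure" gains a second `Secure` suffix. A one-liner above it along the lines of `/** Hostname and HTTPS port of the certificate-login host; the suffix follows getWwwHostNamePortSecure/getStaticHostNamePortSecure, which name the TLS port variant. */` would settle that — whether a plain-HTTP variant of this host exists is not visible in the hunk, so word it accordingly. The old name is removed without a deprecated forwarding method, so any caller outside the six files in the diffstat stops compiling; presumably intended, but worth stating in the commit message.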
@@ -53,7 +53,7 @@ public class TestCrossDomainAccess extends ManagedTest {
 c.setLoginEnabled(true);
 await(c.issue(null, "2y", u));
- URLConnection con = new URL("https://" + ServerConstants.getSecureHostNamePort()).openConnection();
+ URLConnection con = new URL("https://" + ServerConstants.getSecureHostNamePortSecure()).openConnection();
 authenticateClientCert(pk, c.cert(), (HttpURLConnection) con);
 con.setRequestProperty("Origin", "https://" + ServerConstants.getWwwHostNamePortSecure());
 String contains = IOUtils.readURL(con);
--
2.39.2