Prefer HTTPS protocol over HTTP when fetching translations [#2907863]

The locale module defines the constant LOCALE_TRANSLATION_DEFAULT_SERVER_PATTERN as the default server pattern for the translations. This constant currently uses the HTTP protocol. Also the settings defined in config/install/locale.settings.yml uses it too.

drupal.org has adopted HTTPS as the default protocol for all its services. When a client request an URI using HTTP protocol, the response redirect the client to the corresponding HTTPS URI.

The use of the on_redirect configuration when using the http_client_factory Drupal service ensures making only one request per translation file verification, using the Location heder as the file URI when receiving the 301 HTTP response status code.

Despite this, the default value should honour the HTTPS protocol used by drupal.org.

This could be accomplished by changing the LOCALE_TRANSLATION_DEFAULT_SERVER_PATTERN constant and the settings in config/install/locale.settings.yml to use the HTTPS protocol.

Comment	File	Size	Author
#10	drupal_locale-prefer_https_over_http-2907863-10.patch	2.18 KB	tucho
#10	8.5.x: PHP 7 & MySQL 5.5 22,577 pass
#10	interdiff-2907863-6-10.txt	657 bytes	tucho
#6	interdiff-2907863-4-6.txt	956 bytes	tucho
#6	drupal_locale-prefer_https_over_http-2907863-6.patch	2.18 KB	tucho
#6	8.4.x: PHP 7 & MySQL 5.5 22,299 pass
#4	interdiff-2907863-2-4.txt	822 bytes	tucho
#4	drupal_locale-prefer_https_over_http-2907863-4.patch	2.16 KB	tucho
#4	8.4.x: PHP 7 & MySQL 5.5 22,292 pass
#2	drupal_locale-prefer_https_over_http-2907863-2.patch	1.36 KB	tucho
#2	8.4.x: PHP 7 & MySQL 5.5 22,172 pass
#13	interdiff-2907863-10-13.txt	788 bytes	tucho
#13	drupal_locale-prefer_https_over_http-2907863-13.patch	2.23 KB	tucho
#13	8.5.x: PHP 7 & MySQL 5.5 22,577 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

10 September 2017 at 22:03

tucho created an issue. See original summary.

Comment #2

tucho

Spanish

Buenos Aires

CreditAttribution: tucho at gcoop Cooperativa de Software Libre commented 10 September 2017 at 22:11

Status:

Active

» Needs review

File	Size
drupal_locale-prefer_https_over_http-2907863-2.patch	1.36 KB
8.4.x: PHP 7 & MySQL 5.5 22,172 pass

I made a patch that updates the LOCALE_TRANSLATION_DEFAULT_SERVER_PATTERN constant and the settings defined in config/install/locale.settings.yml, so now they use HTTPS.

The patch apply on 8.4.x and 8.5.x too.

Comment #3

Sutharsan CreditAttribution: Sutharsan at LimoenGroen commented 10 November 2017 at 20:54

Status:

Needs review

» Needs work

I agree with making this change, is has been applied to Localization Update module too.

Just like we did in l10n_update, lets add an update script to update the configuration from 'http' to 'https' if the config has the default value.
See https://www.drupal.org/node/2907795#comment-12261794

Comment #4

tucho

Spanish

Buenos Aires

CreditAttribution: tucho at gcoop Cooperativa de Software Libre commented 13 November 2017 at 01:31

Status:

Needs work

» Needs review

File	Size
drupal_locale-prefer_https_over_http-2907863-4.patch	2.16 KB
8.4.x: PHP 7 & MySQL 5.5 22,292 pass
interdiff-2907863-2-4.txt	822 bytes

1 file was hidden/shown/deleted

File	Size
drupal_locale-prefer_https_over_http-2907863-2.patch	1.36 KB
8.4.x: PHP 7 & MySQL 5.5 22,172 pass

Hi @sutharsan

I attach a new patch and the interdiff, including the update hook that replace the config value for existing installations.

The patch should apply on 8.5.x branch too.

Comment #5

Sutharsan CreditAttribution: Sutharsan at LimoenGroen commented 13 November 2017 at 08:33

Status:

Needs review

» Needs work

Thanks, for the addition. In general it looks good, just a few nits:

```
+++ b/core/modules/locale/locale.install
@@ -304,3 +304,13 @@ function locale_update_8300() {
+ * Update default variable values to use https.
+ */
```
This sentence is all a developer / dev-ops gets to understand what the update function does. I suggest:
Update default server pattern value to use https.

+++ b/core/modules/locale/locale.install
@@ -304,3 +304,13 @@ function locale_update_8300() {
+    \Drupal::configFactory()->getEditable('locale.settings')->set('translation.default_server_pattern', LOCALE_TRANSLATION_DEFAULT_SERVER_PATTERN)->save();

For readability I propose the more compact:

\Drupal::configFactory()->getEditable('locale.settings')
  ->set('translation.default_server_pattern', LOCALE_TRANSLATION_DEFAULT_SERVER_PATTERN)
  ->save();

Comment #6

tucho

Spanish

Buenos Aires

CreditAttribution: tucho at gcoop Cooperativa de Software Libre commented 13 November 2017 at 13:45

Status:

Needs work

» Needs review

File	Size
drupal_locale-prefer_https_over_http-2907863-6.patch	2.18 KB
8.4.x: PHP 7 & MySQL 5.5 22,299 pass
interdiff-2907863-4-6.txt	956 bytes

2 files were hidden/shown/deleted

File	Size
drupal_locale-prefer_https_over_http-2907863-4.patch	2.16 KB
8.4.x: PHP 7 & MySQL 5.5 22,292 pass
interdiff-2907863-2-4.txt	822 bytes

Here is the patch with the correct code styling. I uploaded an interdiff too.

Comment #7

Sutharsan CreditAttribution: Sutharsan at LimoenGroen commented 15 November 2017 at 07:20

Status:

Needs review

» Reviewed & tested by the community

No more comments, I think this is ready to go. Tested the module and checked the code.

Because the change from http to https has only value when used in the field, I see no reason to add a test to this patch.
Patch currently applies to both 8.4.x and 8.5.x

Comment #8

xjm

she/her

English

CreditAttribution: xjm at Acquia commented 18 November 2017 at 02:27

Excellent issue report! It explains the need for the fix quite clearly.

Usually we don't commit things that require update hooks to the production branch except for serious bugs due to the potential disruption (reference: https://www.drupal.org/core/d8-allowed-changes#disruption). I'll check with another committer for a second opinion on this.

Comment #9

xjm

she/her

English

CreditAttribution: xjm at Acquia commented 19 November 2017 at 22:41

Version:	8.4.x-dev	» 8.5.x-dev
Status:	Reviewed & tested by the community	» Needs work

Alright, chatted about this a bit with @larowlan and since this isn't affecting the actual security of the request nor adding extra load, we agreed to add it to 8.5.x only, which means we should also rename that update hook. Thanks!

Comment #10

tucho

Spanish

Buenos Aires

CreditAttribution: tucho at gcoop Cooperativa de Software Libre commented 20 November 2017 at 18:24

Status:

Needs work

» Needs review

File	Size
drupal_locale-prefer_https_over_http-2907863-10.patch	2.18 KB
8.5.x: PHP 7 & MySQL 5.5 22,577 pass
interdiff-2907863-6-10.txt	657 bytes

2 files were hidden/shown/deleted

File	Size
drupal_locale-prefer_https_over_http-2907863-6.patch	2.18 KB
8.4.x: PHP 7 & MySQL 5.5 22,299 pass
interdiff-2907863-4-6.txt	956 bytes

Hi @xjm

Thank you for your feedback!

I just uploaded the patch with the renamed hook update function, and the trivial interdiff.

Regards!

Comment #11

Sutharsan CreditAttribution: Sutharsan at LimoenGroen commented 21 November 2017 at 10:31

Status:

Needs review

» Reviewed & tested by the community

RTBC = Checked code && Tests passed.

Comment #12

Gábor Hojtsy

he/him

Hungarian

Hungary

CreditAttribution: Gábor Hojtsy at Acquia commented 22 November 2017 at 10:58

Status:

Reviewed & tested by the community

» Needs work

Very good patch, agreed with the issue summary being very concise also. Love to work with issues like this :)

+++ b/core/modules/locale/locale.install
@@ -304,3 +304,15 @@ function locale_update_8300() {
+      ->set('translation.default_server_pattern', LOCALE_TRANSLATION_DEFAULT_SERVER_PATTERN)

As a general rule, we don't rely on outside factors in update functions because then if the constant is changed in a later release, the result of this update function will be different for people running it with that release vs. with an older release.

While this is not very likely, it could still happen. So we should inline the desired new value as well for that reason.

Comment #13

tucho

Spanish

Buenos Aires

CreditAttribution: tucho at gcoop Cooperativa de Software Libre commented 22 November 2017 at 15:06

Status:

Needs work

» Needs review

File	Size
drupal_locale-prefer_https_over_http-2907863-13.patch	2.23 KB
8.5.x: PHP 7 & MySQL 5.5 22,577 pass
interdiff-2907863-10-13.txt	788 bytes

2 files were hidden/shown/deleted

File	Size
drupal_locale-prefer_https_over_http-2907863-10.patch	2.18 KB
8.5.x: PHP 7 & MySQL 5.5 22,577 pass
interdiff-2907863-6-10.txt	657 bytes

Hi @gábor-hojtsy

I agree with your comment.

I attached a new patch that does not use the constant in the update hook.

Also, I attached an interdiff.

Comment #14

Sutharsan CreditAttribution: Sutharsan at LimoenGroen commented 22 November 2017 at 22:12

Status:

Needs review

» Reviewed & tested by the community

Checked the content of the interdiff, checked that it is the same string as is used in the different places in the patch.

Comment #15

22 November 2017 at 22:29

xjm committed 1b8dea0 on 8.5.x

Issue #2907863 by tucho, Sutharsan, Gábor Hojtsy: Prefer HTTPS protocol...

Comment #16

xjm

she/her

English

CreditAttribution: xjm at Acquia commented 22 November 2017 at 22:29

Alright, looks good. Committed and pushed to 8.5.x. Thanks!

Comment #17

xjm

she/her

English

CreditAttribution: xjm at Acquia commented 22 November 2017 at 22:30

Status:

Reviewed & tested by the community

» Fixed

Comment #18

6 December 2017 at 22:34

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Prefer HTTPS protocol over HTTP when fetching translations

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Comment #13

Comment #14

Comment #15

Comment #16

Comment #17

Comment #18

Child issues

Related issues

Referenced by

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community