[GH-ISSUE #116] http link in registration email #110

New issue

Closed

opened 2026-02-26 09:35:44 +03:00 by kerem · 4 comments

kerem commented

2026-02-26 09:35:44 +03:00

Owner

Originally created by @ThomasWaldmann on GitHub (Dec 18, 2013).
Original GitHub issue: https://github.com/nsupdate-info/nsupdate.info/issues/116

if you register a new account on a https site, the link in the email should also be https, but currently it is a http link.

on the nsupdate.info site, this is no problem as it rewrites http to https anyway.
the token is a one time token, so security is also no problem.

maybe this is a bug in some package we use, not in our software.

Originally created by @ThomasWaldmann on GitHub (Dec 18, 2013). Original GitHub issue: https://github.com/nsupdate-info/nsupdate.info/issues/116 if you register a new account on a https site, the link in the email should also be https, but currently it is a http link. on the nsupdate.info site, this is no problem as it rewrites http to https anyway. the token is a one time token, so security is also no problem. maybe this is a bug in some package we use, not in our software.

kerem

2026-02-26 09:35:44 +03:00

closed this issue
added the
bug
label

kerem commented

2026-02-26 09:35:45 +03:00

Author

Owner

@ThomasWaldmann commented on GitHub (Dec 22, 2013):

strange: the password reset email, also created by "django-registration" contains a https link.

@ThomasWaldmann commented on GitHub (Dec 22, 2013): strange: the password reset email, also created by "django-registration" contains a https link.

kerem commented

2026-02-26 09:35:45 +03:00

Author

Owner

@ThomasWaldmann commented on GitHub (Dec 22, 2013):

looks like a bug in django-registration.

the http-link gets constructed in accounts/templates/registration/activation_email.* (by django-registration).
the template does NOT get an indication for the correct protocol.

the correct link gets constructed in password_reset_email.html, a bit differently (by django), the template is given a "protocol" parameter that is either "http" or "https".

@ThomasWaldmann commented on GitHub (Dec 22, 2013): looks like a bug in django-registration. the http-link gets constructed in accounts/templates/registration/activation_email.\* (by django-registration). the template does NOT get an indication for the correct protocol. the correct link gets constructed in password_reset_email.html, a bit differently (by django), the template is given a "protocol" parameter that is either "http" or "https".

kerem commented

2026-02-26 09:35:45 +03:00

Author

Owner

@ThomasWaldmann commented on GitHub (Jan 26, 2014):

note: with the code as of 2014-01-26, this is still broken

@ThomasWaldmann commented on GitHub (Jan 26, 2014): note: with the code as of 2014-01-26, this is still broken

kerem commented

2026-02-26 09:35:45 +03:00

Author

Owner

@ThomasWaldmann commented on GitHub (Oct 27, 2014):

for django 1.7, I switched away from django-registration to django-registration-redux. It now correctly supports using the scheme in the respective templates. \o/

fixed by 39eb5e992e

@ThomasWaldmann commented on GitHub (Oct 27, 2014): for django 1.7, I switched away from django-registration to django-registration-redux. It now correctly supports using the scheme in the respective templates. \o/ fixed by 39eb5e992e0beb85c9c1643bf4145f99268d561a