<![CDATA[PunBB Forums — Regular expressions in confirm_refererer ??]]> https://punbb.informer.com/forums/topic/17833/regular-expressions-in-confirmrefererer/ Fri, 28 Dec 2007 03:34:49 +0000 PunBB <![CDATA[Re: Regular expressions in confirm_refererer ??]]> https://punbb.informer.com/forums/post/105935/#p105935 Rickard wrote:

Or take it straight from the horses mouth big_smile

http://blog.punbb.org/2007/09/18/preven … f-attacks/

I guess I can't just code my own implementations of 1.3's functionalities tongue.

I got it fixed anyway.

Thanks!

Pier-Luc

]]> Fri, 28 Dec 2007 03:34:49 +0000 https://punbb.informer.com/forums/post/105935/#p105935 <![CDATA[Re: Regular expressions in confirm_refererer ??]]> https://punbb.informer.com/forums/post/105926/#p105926 Or take it straight from the horses mouth big_smile

http://blog.punbb.org/2007/09/18/preven … f-attacks/

]]> Thu, 27 Dec 2007 15:29:25 +0000 https://punbb.informer.com/forums/post/105926/#p105926 <![CDATA[Re: Regular expressions in confirm_refererer ??]]> https://punbb.informer.com/forums/post/105924/#p105924 Oh... true that.

*Opens Google roll*

]]> Thu, 27 Dec 2007 14:46:13 +0000 https://punbb.informer.com/forums/post/105924/#p105924 <![CDATA[Re: Regular expressions in confirm_refererer ??]]> https://punbb.informer.com/forums/post/105922/#p105922 It protects against CSRF attacks. It is important.

]]> Thu, 27 Dec 2007 14:29:57 +0000 https://punbb.informer.com/forums/post/105922/#p105922 <![CDATA[Re: Regular expressions in confirm_refererer ??]]> https://punbb.informer.com/forums/post/105921/#p105921 Hmm...  Okay.

I was wondering if this function was a real add-up in security, since the rights (moderator, admin, post-owner) are verified at each operation.

Is there any situation where this can really be exploited, or can I just keep the function disabled without much trouble?

]]> Thu, 27 Dec 2007 14:20:12 +0000 https://punbb.informer.com/forums/post/105921/#p105921 <![CDATA[Re: Regular expressions in confirm_refererer ??]]> https://punbb.informer.com/forums/post/105911/#p105911 Unless you figure out how to solve this yourself, you'll have to wait for PunBB 1.3 in which the referrer check has been obsoleted.

]]> Thu, 27 Dec 2007 10:00:02 +0000 https://punbb.informer.com/forums/post/105911/#p105911 <![CDATA[Regular expressions in confirm_refererer ??]]> https://punbb.informer.com/forums/post/105751/#p105751 Hello guys,

I've done an URL-rewriting modification on my BB which makes topics have url like http://[mytld]/##-Forum-Name/t###-thread-name.html

Since then, I can neither lock, or move threads because of the referer confirmation.

function confirm_referrer($script)
{
    global $pun_config, $lang_common;

    if (!preg_match('#^'.preg_quote(str_replace('www.', '', $pun_config['o_base_url']).'/'.$script, '#').'#i', str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''))))
        message($lang_common['Bad referrer']);
}

I'm quite bad with regex and I have a quite hard time figuring out how to do this one...

Anyone can help?

Pier-Luc

]]> Mon, 24 Dec 2007 00:49:50 +0000 https://punbb.informer.com/forums/post/105751/#p105751