Topic: Regular expressions in confirm_refererer ??

Hello guys,

I've done a URL-rewriting modification on my BB which makes topics have URLs like http://[mytld]/##-Forum-Name/t###-thread-name.html

Since then, I can neither lock nor move threads because of the referrer confirmation.

function confirm_referrer($script)
{
    global $pun_config, $lang_common;

    // Build an anchored, case-insensitive pattern from the configured base URL
    // (minus any "www.") followed by "/" and the expected script name, e.g.
    // "http://example.invalid/viewtopic.php" (constructed host, for illustration).
    // A rewritten referrer such as "http://example.invalid/12-Forum-Name/t345-thread-name.html"
    // never starts with that prefix, so the match fails and the request is refused.
    $pattern = '#^'.preg_quote(str_replace('www.', '', $pun_config['o_base_url']).'/'.$script, '#').'#i';
    $referrer = str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''));

    if (!preg_match($pattern, $referrer))
        message($lang_common['Bad referrer']);
}

I'm quite bad with regex and I'm having quite a hard time figuring out how to do this one...

Can anyone help?

Pier-Luc
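Added example, not PunBB's code and not from the poster: a stand-alone version of the referrer check that shows why the original pattern rejects the rewritten URLs, and one way to accept the rewritten form with a second explicit pattern. The base URL, the sample referrers and the exact rewritten layout (/<forum id>-<forum name>/t<topic id>-<topic name>.html) are assumptions taken from the first post; adapt them to the real o_base_url and rewrite rules.

```php
<?php
// Added example (not PunBB's confirm_referrer): referrer check with an extra
// pattern for the rewritten topic URLs described in the first post.
// Host names, referrers and the rewritten URL layout below are constructed.

// Strip "www." as the original does, so that "www.example.invalid" and
// "example.invalid" compare equal.
function normalise_host(string $url): string
{
    return str_replace('www.', '', $url);
}

// The regex the original check builds: anchored at the start, the base URL
// plus "/" plus the script name, all quoted literally.
function script_pattern(string $base_url, string $script): string
{
    return '#^' . preg_quote(normalise_host($base_url) . '/' . $script, '#') . '#i';
}

// Pattern for the rewritten topic URL (assumed layout). Only the forum id and
// topic id are numeric; the slugs are matched loosely but may not contain a
// slash, so a path that merely *contains* the base URL is not accepted.
function rewritten_topic_pattern(string $base_url): string
{
    return '#^' . preg_quote(normalise_host($base_url), '#')
        . '/\d+-[^/]+/t\d+-[^/]+\.html#i';
}

// True when the referrer is accepted: original script form first, then the
// rewritten form. An empty or missing referrer is rejected, as in the original.
function referrer_ok(string $base_url, string $script, ?string $referrer): bool
{
    $referrer = normalise_host($referrer ?? '');
    if (preg_match(script_pattern($base_url, $script), $referrer)) {
        return true;
    }
    return (bool) preg_match(rewritten_topic_pattern($base_url), $referrer);
}

// Constructed sample referrers with the outcome each one should produce.
$base = 'http://www.example.invalid';
$samples = [
    'http://example.invalid/viewtopic.php?id=42'             => true,  // original URL form
    'http://www.example.invalid/12-Off-Topic/t42-hello.html' => true,  // rewritten form
    'http://example.invalid/12-Off-Topic/t42-hello.html'     => true,  // rewritten, no www.
    'http://other.invalid/example.invalid/12-x/t1-y.html'    => false, // different host
    'http://example.invalid.other.invalid/12-x/t1-y.html'    => false, // host is only a prefix
    ''                                                       => false, // no Referer header
];

foreach ($samples as $ref => $expected) {
    $got = referrer_ok($base, 'viewtopic.php', $ref);
    printf("%-55s %s\n", $ref === '' ? '(empty)' : $ref, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with `php referrer_check.php` (any file name will do). Two things worth keeping in mind: the original code, and this copy of it, replace "www." everywhere in the string, not only in the host, so keep the base URL and the script name free of that substring; and the whole check depends on the browser actually sending a Referer header, so users whose browser or proxy strips it are locked out of locking and moving topics even when the pattern is right.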

Re: Regular expressions in confirm_refererer ??

Unless you figure out how to solve this yourself, you'll have to wait for PunBB 1.3 in which the referrer check has been obsoleted.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Regular expressions in confirm_refererer ??

Hmm...  Okay.

I was wondering if this function was a real addition to security, since the rights (moderator, admin, post-owner) are verified at each operation.

Is there any situation where this can really be exploited, or can I just keep the function disabled without much trouble?

Re: Regular expressions in confirm_refererer ??

It protects against CSRF attacks. It is important.
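The post above says what the referrer check is for. As an added example that is neither PunBB's code nor a description of how PunBB 1.3 replaced the check, here is the other standard way to block a cross-site forgery of a "lock" or "move" request: a per-session token that the forged request cannot know. It goes beyond the referrer approach discussed in the thread. Session storage is simulated with a plain array so the script runs from the command line; the form field name and the token length are assumptions.

```php
<?php
// Added example, not PunBB code: a synchroniser token as a CSRF defence.
// The token lives in the user's session and is copied into every
// state-changing form; a request forged from another site has no way to
// read it, so the check holds even when no Referer header is sent.
// $session below stands in for $_SESSION so the script is self-contained.

// Issue (or reuse) the per-session token. random_bytes() is the CSPRNG.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars (assumed length)
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every form that changes state (lock, move, ...).
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted token. hash_equals() compares in constant time, so the
// comparison does not leak how many leading characters matched.
function csrf_valid(array $session, array $post): bool
{
    if (empty($session['csrf_token'])
        || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Constructed walk-through of three incoming "lock topic" requests.
$session = [];
$form = csrf_field($session);                       // rendered into the real form
$legit   = ['csrf_token' => $session['csrf_token'], 'action' => 'lock'];
$forged  = ['action' => 'lock'];                    // cross-site form: no token
$guessed = ['csrf_token' => str_repeat('0', 64), 'action' => 'lock'];

foreach (['legit' => $legit, 'forged' => $forged, 'guessed' => $guessed] as $name => $post) {
    printf("%-8s %s\n", $name, csrf_valid($session, $post) ? 'accepted' : 'rejected');
}
```

The token must be checked on every handler that changes state, not only on the ones that currently call confirm_referrer, and it should be regenerated when the user logs in so a token captured from an unauthenticated session is worthless afterwards.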

Re: Regular expressions in confirm_refererer ??

Oh... true that.

*Opens Google*

Re: Regular expressions in confirm_refererer ??

Or take it straight from the horse's mouth

http://blog.punbb.org/2007/09/18/preven … f-attacks/

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Regular expressions in confirm_refererer ??

Rickard wrote:

Or take it straight from the horse's mouth

http://blog.punbb.org/2007/09/18/preven … f-attacks/

I guess I can't just code my own implementations of 1.3's functionalities.

I got it fixed anyway.

Thanks!

Pier-Luc