1 (edited by ssb 2004-03-22 13:40)

Topic: HTTP_REFERER base url question

Afaik function confirm_referer checks the current referer against the configured base URL. The problem is that http://www.domain.com counts as different from http://domain.com, resulting in HTTP referer errors.
Any idea about a regex mod in confirm_referer that will only match the domain without http:// or www?

Sakis is my name, ssb just a nick.

Re: HTTP_REFERER base url question

That's a good idea. I'll put it on the todo list.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: HTTP_REFERER base url question

IMHO, that can be hazardous if one uses services like dyndns.org or similar that people provide, where you can register
http://willie.dynds.org/ and have your forum there, and some other person has registered http://apu.dyndns.org/ ... then ... it would be possible to trick it if it only has 'dyndns.org' as the base url ...

but if it's only to strip out www or http:// ... then there probably aren't any troubles with it ...


Re: HTTP_REFERER base url question

Stripping out only the http://www part is quite secure IMHO.

Sakis is my name, ssb just a nick.

Re: HTTP_REFERER base url question

I was thinking about stripping out ONLY the www part.

"Programming is like sex: one mistake and you have to support it for the rest of your life."


Re: HTTP_REFERER base url question

The www part is enough to handle any case. As a quick fix I did that using str_replace() and it works just fine.
I also had to modify some quick validation in the code that doesn't call confirm_referer.

Sakis is my name, ssb just a nick.

Re: HTTP_REFERER base url question

Where should I look in the code to make these changes?

Re: HTTP_REFERER base url question

Open up include/functions.php and look for

function confirm_referer($script)
{
    global $pun_config, $lang_common;

    if (!preg_match('#^'.preg_quote($pun_config['o_base_url'].'/'.$script, '#').'#i', $_SERVER['HTTP_REFERER']))
        message($lang_common['Bad referer']);
}

and replace it with

function confirm_referer($script)
{
    global $pun_config, $lang_common;

    if (!preg_match('#^'.preg_quote(str_replace('www.', '', $pun_config['o_base_url']).'/'.$script, '#').'#i', str_replace('www.', '', $_SERVER['HTTP_REFERER'])))
        message($lang_common['Bad referer']);
}
"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: HTTP_REFERER base url question

Thanks.


Re: HTTP_REFERER base url question

And what about multi base_urls?

i.e. I have THREE addresses for one forum: from a local one (before CISCO), in the intranet (after CISCO) and through NAT mapping (external IP). Of course the addresses differ.
Maybe "add"/"remove" base_urls from a list would be a more elegant and flexible solution?

Re: HTTP_REFERER base url question

Dexus: Wouldn't just adding the correct URLs to your hosts file remove the need for multiple base URLs?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

12 (edited by Dexus 2005-03-31 02:17)

Re: HTTP_REFERER base url question

Rickard, because the machine has more than one ethernet interface, there is not only one correct URL.
Each URL is correct for some people:
some people come from one interface, from the intranet, and use the internal IP;
others come from the internet, and they have to use the external IP.
If I choose only the external IP, people from the intranet would have to use the external IP. Some of them are just unable to go to the internet; others will pay much more.
To work this out I had to add another cascaded hardcoded check for the other IP.
And by the way, you may use it through the "localhost" address.

Re: HTTP_REFERER base url question

I'm sorry, but I'm either a bit slow or I'm misunderstanding you. So what if there are multiple IP addresses? The important thing is that people use the same hostname to reach the forums. forum.domain.com could be setup in DNS to point to e.g. 213.10.55.10. This is the address people use to access the forums from the Internet. For people visiting the forums locally or via the intranet, their hosts file could override this DNS entry pointing it to e.g. 192.160.10.155 or 127.0.0.1.

Also, you are aware of the fact that the referrer check only applies to admins and moderators, right? Only a fraction of the people using the forums should be affected.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

14 (edited by Dexus 2005-03-31 18:02)

Re: HTTP_REFERER base url question

Yes, not everyone will notice that.
But anyway, the DNS of the intranet may use a VERY DIFFERENT name from the external one, especially when it is some sort of dynamic IP or NAT mapping.
If the server has two providers, each of them assigns the server a name under their domain. In this case, the possibility of two addresses for admins/moderators would be very useful.

Re: HTTP_REFERER base url question

Hmm, OK. Adding a secondary base URL won't be a lot of trouble, but making it possible to add any number of URLs will require some work. After all, your problem is extremely rare.

"Programming is like sex: one mistake and you have to support it for the rest of your life."


Re: HTTP_REFERER base url question

explode() will help to use a number of URLs from one string.

Re: HTTP_REFERER base url question

I think Rickard actually knows how to code in PHP :P

Re: HTTP_REFERER base url question

Dexus: Yes, but the problem is that every file (and mod) that relies on the existence of $pun_config['o_base_url'] will have to be updated (I just looked and it's accessed 50 times in the 1.3 source). Either that or keep the main base URL in $pun_config['o_base_url'] and add a second base URL variable that contains a list of more base URLs. See how this becomes a mess?

"Programming is like sex: one mistake and you have to support it for the rest of your life."
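As an added example (not PunBB's code, and not Rickard's patch above), this sketches how the www-stripping fix and the multi-base-URL list discussed later in the thread could be combined: the host is compared whole after dropping only a leading "www." label, so two dyndns.org subdomains stay distinct, and the accepted base URLs come from a hypothetical newline-separated setting rather than $pun_config['o_base_url'].

```php
<?php
// Added example, not PunBB code: referer check that ignores only a leading
// "www." label on the host and accepts several configured base URLs, while
// still comparing the full host so shared parent domains never match.

// Splits a URL into comparable parts; returns null for unparsable input.
function referer_parts(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) {
        return null;
    }
    $host = strtolower($p['host']);
    if (strncmp($host, 'www.', 4) === 0) {
        $host = substr($host, 4);   // strip only a leading www. label
    }
    return [
        'scheme' => strtolower($p['scheme'] ?? 'http'),
        'host'   => $host,
        'port'   => $p['port'] ?? null,
        'path'   => rtrim($p['path'] ?? '', '/'),
    ];
}

// $base_urls: one or more base URLs (hypothetical multi-URL setting, e.g.
// exploded from one newline-separated string); $script: the page being
// protected, e.g. 'admin_options.php'; $referer: the raw HTTP_REFERER.
function referer_allowed(array $base_urls, string $script, string $referer): bool
{
    $r = referer_parts($referer);
    if ($r === null) {
        return false;
    }
    foreach ($base_urls as $base) {
        $b = referer_parts(trim($base));
        if ($b !== null
            && $r['scheme'] === $b['scheme']
            && $r['host'] === $b['host']
            && $r['port'] === $b['port']
            && $r['path'] === $b['path'] . '/' . $script) {
            return true;   // scheme, host, port and exact script path agree
        }
    }
    return false;
}

// Constructed sample inputs modelled on the intranet/external case above.
$bases = explode("\n", "http://www.domain.com/forum\nhttp://192.168.10.155/forum");
// case 1: same host once the www. label is ignored, with a query string
var_dump(referer_allowed($bases, 'admin_options.php', 'http://domain.com/forum/admin_options.php?action=x'));
// case 2: another dyndns.org subdomain that shares only the parent domain
var_dump(referer_allowed(['http://willie.dyndns.org'], 'admin_options.php', 'http://apu.dyndns.org/admin_options.php'));
```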