Topic: http/https in trusted urls

Hello

I request a patch to the confirm_referrer function so that it checks http/https protocols, not only www.domain.tld/domain.tld.

For example:

function confirm_referrer($script)
{
        global $pun_config, $lang_common;

        // Strip "www." so that www.domain.tld and domain.tld compare equal
        $base_url = str_replace('www.', '', $pun_config['o_base_url']);
        $referer = str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''));

        // Treat https:// and http:// as the same protocol on both sides
        $base_url = str_replace('https://', 'http://', $base_url);
        $referer = str_replace('https://', 'http://', $referer);

        // The referrer must begin with <base URL>/<script> (case-insensitive)
        if (!preg_match('#^'.preg_quote($base_url.'/'.$script, '#').'#i', $referer))
                message($lang_common['Bad referrer']);
}
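
The same http/https and www-insensitive comparison can also be made by parsing both URLs instead of rewriting them as strings. This is an added example, not part of the original post or the forum software's own code; referrer_matches() and the sample URLs are hypothetical, and it is stricter than the function above in that it requires the exact script path.

```php
<?php
// Added example. referrer_matches() and all sample URLs are constructed.

/**
 * Return true when $referer points at $script under $base_url,
 * treating http/https and a leading "www." as equivalent.
 */
function referrer_matches($base_url, $script, $referer)
{
    $base = parse_url($base_url);
    $ref = parse_url($referer);

    // Reject anything that is not an absolute http(s) URL with a host.
    if (!is_array($base) || !is_array($ref) || !isset($base['host'], $ref['scheme'], $ref['host']))
        return false;
    if (!in_array(strtolower($ref['scheme']), array('http', 'https'), true))
        return false;

    // Strip "www." only as the leading host label, never elsewhere in the URL.
    $norm_host = function ($host) {
        return preg_replace('#^www\.#', '', strtolower($host));
    };
    if ($norm_host($base['host']) !== $norm_host($ref['host']))
        return false;

    // Compare ports only when the configured base URL names one explicitly.
    if (isset($base['port']) && (!isset($ref['port']) || $ref['port'] !== $base['port']))
        return false;

    // The path must be exactly <base path>/<script>; the query string is ignored.
    $base_path = isset($base['path']) ? rtrim($base['path'], '/') : '';
    $ref_path = isset($ref['path']) ? $ref['path'] : '';
    return $ref_path === $base_path.'/'.$script;
}

// Constructed sample values: configured base URL and a few Referer headers.
$base = 'http://www.example.com/forum';
$cases = array(
    'https://example.com/forum/admin_users.php?id=2',  // scheme and www differ: accepted
    'http://www.example.com/forum/admin_users.php',    // exact match: accepted
    'https://other.example.org/forum/admin_users.php', // different host: rejected
    'https://example.com/forum/admin_users.phpx',      // different script: rejected
    '',                                                // missing Referer: rejected
);
foreach ($cases as $referer)
    printf("%-50s %s\n", $referer === '' ? '(empty)' : $referer,
        referrer_matches($base, 'admin_users.php', $referer) ? 'ok' : 'Bad referrer');
```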

Re: http/https in trusted urls

In what scenario do you run into this problem?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: http/https in trusted urls

My site can be accessed with both protocols. And I do not want to restrict users to using only http or https...

Re: http/https in trusted urls

Yes, but the only people affected by the referrer check are moderators and admins.

"Programming is like sex: one mistake and you have to support it for the rest of your life."