Regular expressions in confirm_refererer ??

KarboN · 2007-12-24 00:49

KarboN
Junior Member
Offline

Registered: 2007-12-23
Posts: 6

Topic: Regular expressions in confirm_refererer ??

Hello guys,

I've done an URL-rewriting modification on my BB which makes topics have url like http://[mytld]/##-Forum-Name/t###-thread-name.html

Since then, I can neither lock, or move threads because of the referer confirmation.

function confirm_referrer($script)
{
    global $pun_config, $lang_common;

    if (!preg_match('#^'.preg_quote(str_replace('www.', '', $pun_config['o_base_url']).'/'.$script, '#').'#i', str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''))))
        message($lang_common['Bad referrer']);
}

I'm quite bad with regex and I have a quite hard time figuring out how to do this one...

Anyone can help?

Pier-Luc

Rickard · 2007-12-27 10:00

Rickard
PunBB Developer
Offline

From: 127.0.0.1
Registered: 2001-11-02
Posts: 9,167

Re: Regular expressions in confirm_refererer ??

Unless you figure out how to solve this yourself, you'll have to wait for PunBB 1.3 in which the referrer check has been obsoleted.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

KarboN · 2007-12-27 14:20

KarboN
Junior Member
Offline

Registered: 2007-12-23
Posts: 6

Re: Regular expressions in confirm_refererer ??

Hmm... Okay.

I was wondering if this function was a real add-up in security, since the rights (moderator, admin, post-owner) are verified at each operation.

Is there any situation where this can really be exploited, or can I just keep the function disabled without much trouble?

Smartys · 2007-12-27 14:29

Smartys
Former PunBB Developer
Offline

Registered: 2004-04-30
Posts: 7,844

Re: Regular expressions in confirm_refererer ??

It protects against CSRF attacks. It is important.

KarboN · 2007-12-27 14:46

KarboN
Junior Member
Offline

Registered: 2007-12-23
Posts: 6

Re: Regular expressions in confirm_refererer ??

Oh... true that.

*Opens Google *

Rickard · 2007-12-27 15:29

Rickard
PunBB Developer
Offline

From: 127.0.0.1
Registered: 2001-11-02
Posts: 9,167

Re: Regular expressions in confirm_refererer ??

Or take it straight from the horses mouth

http://blog.punbb.org/2007/09/18/preven … f-attacks/

"Programming is like sex: one mistake and you have to support it for the rest of your life."

KarboN · 2007-12-28 03:34

KarboN
Junior Member
Offline

Registered: 2007-12-23
Posts: 6

Re: Regular expressions in confirm_refererer ??

Rickard wrote:

Or take it straight from the horses mouth
http://blog.punbb.org/2007/09/18/preven … f-attacks/

I guess I can't just code my own implementations of 1.3's functionalities .

I got it fixed anyway.

Thanks!

Pier-Luc

Regular expressions in confirm_refererer ??

Posts: 7

1 Topic by KarboN 2007-12-24 00:49

Topic: Regular expressions in confirm_refererer ??

2 Reply by Rickard 2007-12-27 10:00

Re: Regular expressions in confirm_refererer ??

3 Reply by KarboN 2007-12-27 14:20

Re: Regular expressions in confirm_refererer ??

4 Reply by Smartys 2007-12-27 14:29

Re: Regular expressions in confirm_refererer ??

5 Reply by KarboN 2007-12-27 14:46

Re: Regular expressions in confirm_refererer ??

6 Reply by Rickard 2007-12-27 15:29

Re: Regular expressions in confirm_refererer ??

7 Reply by KarboN 2007-12-28 03:34

Re: Regular expressions in confirm_refererer ??

Posts: 7