Updating the confirm_referrer function to ignore the URL scheme, port…

…, etc. This allows http and https URLs to pass referer checks without problems.
fluxbb · Oct 22, 2010 · 49c72d1 · 49c72d1
1 parent 196ecb3
commit 49c72d1
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 7 deletions.
diff --git a/admin_options.php b/admin_options.php
@@ -22,9 +22,7 @@
 
 if (isset($_POST['form_sent']))
 {
-	// Custom referrer check (so we can output a custom error message)
-	if (!preg_match('#^'.preg_quote(str_replace('www.', '', $pun_config['o_base_url']).'/admin_options.php', '#').'#i', str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''))))
-		message($lang_admin_options['Bad HTTP Referer message']);
+	confirm_referrer('admin_options.php', $lang_admin_options['Bad HTTP Referer message']);
 
 	$form = array(
 		'board_title'			=> pun_trim($_POST['form']['board_title']),
@@ -98,7 +96,7 @@
 	$languages = forum_list_langs();
 	if (!in_array($form['default_lang'], $languages))
 		message($lang_common['Bad request']);
-	
+
 	$styles = forum_list_styles();
 	if (!in_array($form['default_style'], $styles))
 		message($lang_common['Bad request']);

diff --git a/include/functions.php b/include/functions.php
@@ -1014,12 +1014,27 @@ function file_get_contents($filename, $use_include_path = 0)
 //
 // Make sure that HTTP_REFERER matches $pun_config['o_base_url']/$script
 //
-function confirm_referrer($script)
+function confirm_referrer($script, $error_msg = false)
 {
 	global $pun_config, $lang_common;
 
-	if (!preg_match('#^'.preg_quote(str_replace('www.', '', $pun_config['o_base_url']).'/'.$script, '#').'#i', str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? urldecode($_SERVER['HTTP_REFERER']) : ''))))
-		message($lang_common['Bad referrer']);
+	// There is no referrer
+	if (empty($_SERVER['HTTP_REFERER']))
+		message($error_msg ? $error_msg : $lang_common['Bad referrer']);
+
+	$referrer = parse_url(strtolower($_SERVER['HTTP_REFERER']));
+	// Remove www subdomain if it exists
+	if (strpos($referrer['host'], 'www.') === 0)
+		$referrer['host'] = substr($referrer['host'], 4);
+
+	$valid = parse_url(strtolower($pun_config['o_base_url'].'/'.$script));
+	// Remove www subdomain if it exists
+	if (strpos($valid['host'], 'www.') === 0)
+		$valid['host'] = substr($valid['host'], 4);
+
+	// Check the host and path match. Ignore the scheme, port, etc.
+	if ($referrer['host'] != $valid['host'] || $referrer['path'] != $valid['path'])
+		message($error_msg ? $error_msg : $lang_common['Bad referrer']);
 }