HTTP Referer #565
Comments
In Mozilla Firefox #564 (comment):
We should also add a note about Docker: the exposed port must be the same as the one on which Apache listens in the Docker container. For instance, my Apache (in a container, then) listens on port 80 but the exposed port was 8080. So there was a redirection and I wasn't able to change the configuration.
I do not know if it was your case, but HTTPS Referer is typically not sent between different { domain, port } so you end up with an empty Referer, which could be a sign of an attack.
It's just that I asked for a page on port 8080 but the final request was on port 80 because of the Docker redirection.
The conversation about a better token-based method continues in #570
I am copying a comment from @marienfressinaud #554 (comment)
Just to let you know: since the last update I'm getting the HTTP_REFERER issue with a plain Android 4.4.3 (Galaxy S4) + default Chrome browser. To access my FR, I use http://ip:port/path ... port being an exotic one. I've been forced to deactivate the safe authentication, otherwise I cannot use it from my smartphone :( A+
@GLLM Is it at the form login that it fails?
Yes, when trying to log in .. I never managed to get past the login screen.
Any chance that you could find out what value is sent in HTTP_REFERER in your case, for instance using a script with phpinfo (see below) with a link from another page?
<?php
phpinfo();
If I create a standalone php page with the above code, open it on my smartphone, would it be ok?
Just did the test:
Could you please try to make a link from another page, like:
<a href="phpinfo.php">Link</a>
Sorry @Alkarex I realized my mistake and just did the test: result above ;)
@GLLM: And what is the value of HTTP_HOST?
<?php
// Print the two server variables so they can be compared side by side
echo $_SERVER['HTTP_REFERER'], "\n";
echo $_SERVER['HTTP_HOST'], "\n";
$_SERVER['HTTP_REFERER'] == http://my.own.home.ip:port/
Ok, I see the problem. I will prepare a patch.
U rock!
Now tests also for the scheme and port, which must be identical to the ones in the referer. #565 (comment) #554
Hello, I manually edited the files ... works fine :) Many thanks,
Hello,
If needed, we may re-introduce the check for scheme with proper support for proxy #565 (comment)
@alemairebe I have removed the check for scheme in the referer, while waiting for a better solution. Furthermore, I am not sure of the added security value of checking the scheme. ba7d63e
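As an added illustration of the host/port comparison mentioned in the commit message above and of the scheme check that was made optional in this comment (example code, not FreshRSS's own): the public origin is rebuilt from the Host header, which keeps the port the browser actually used (8080 in the Docker case) instead of the container-internal SERVER_PORT. The $server array shape, the X-Forwarded-Proto handling and the sample values are assumptions.

```php
<?php
// Added example, not FreshRSS code. Returns [scheme, host, port] or null.
function originOfUrl(string $url): ?array {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    // Fill in the default port so "http://host/" and "http://host:80/" agree.
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return [$scheme, strtolower($p['host']), (int) $port];
}

// $server has the shape of $_SERVER (assumption). $checkScheme is off by
// default because a TLS-terminating proxy makes the scheme seen by the
// browser differ from the one PHP sees.
function refererMatchesRequest(array $server, bool $checkScheme = false): bool {
    if (empty($server['HTTP_REFERER']) || empty($server['HTTP_HOST'])) {
        return false; // empty Referer: rejected, as the thread treats it as suspicious
    }
    $ref = originOfUrl($server['HTTP_REFERER']);
    if ($ref === null) {
        return false;
    }
    // Scheme as the client saw it; honour X-Forwarded-Proto from a proxy (assumption).
    $https  = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $scheme = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? ($https ? 'https' : 'http'));
    // HTTP_HOST carries the public host:port the browser connected to,
    // so it survives Docker port mappings; SERVER_PORT would not.
    $req = originOfUrl($scheme . '://' . $server['HTTP_HOST']);
    if ($req === null) {
        return false;
    }
    if ($checkScheme && $ref[0] !== $req[0]) {
        return false;
    }
    return $ref[1] === $req[1] && $ref[2] === $req[2];
}

// Constructed sample: Apache listens on 80 inside the container, published on 8080.
$sample = [
    'HTTP_HOST'    => 'my.own.home.ip:8080',
    'HTTP_REFERER' => 'http://my.own.home.ip:8080/i/?c=auth&a=login',
    'SERVER_PORT'  => '80',
];
var_dump(refererMatchesRequest($sample));
```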
ok, thanks for reacting so quickly |
@marienfressinaud We may have to introduce a constant to override the guessing of the public URL based on |