1
tedsmith
HTTP_REFERRER Problems again
  • 2005/7/31 18:05

  • tedsmith

  • Home away from home

  • Posts: 1151

  • Since: 2004/6/2 1


Bloody HTTP_REFERRER problems again!!!

I had this fixed a while ago, but when I updated to 2.0.13 a while back it's got changed and my users are getting the following error :

XOOPS_URL is not included in your REFERER

I've found several posts on it from months back but they all relate to versions 2.0.10 and earlier like this one.

Does anyone know how to disable the HTTP_REFERRER in version 2.0.13?

Thanks

Ted

2
tedsmith
Re: HTTP_REFERRER Problems again
  • 2005/8/1 17:21

  • tedsmith

  • Home away from home

  • Posts: 1151

  • Since: 2004/6/2 1


*bump*

3
pegasus00321
Re: HTTP_REFERRER Problems again

Have you looked at this
Pegasus00321


I would appricate it if you click this link
TuFat.com PHP Scripts and etc

4
tedsmith
Re: HTTP_REFERRER Problems again
  • 2005/8/2 10:59

  • tedsmith

  • Home away from home

  • Posts: 1151

  • Since: 2004/6/2 1


Yes I already have. It refers (in Miths last post) to a file (xoopssecuirty.php) that is not where it said it should be. I assumed therefore that since 2.0.10 it may have changed further (I am using 2.0.13) which is why I made the first posting to try to clairfy what the latest (excluding version 2.2) way of disabling it is.

5
Dave_L
Re: HTTP_REFERRER Problems again
  • 2005/8/2 11:39

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Do you want to completely disable the HTTP_REFERER check, or only disable it for cases in which HTTP_REFERER is absent?

If you want to completely disable the check in XOOPS 2.2, in the function checkReferer in class/xoopssecurity.php, replace both occurrences of "return false" with "return true".

If you only want to disable the check for cases in which HTTP_REFERER is blank, then replace the first occurrence of "return false" with "return true". This would probably be adequate for your purpose, and is safer than completely disabling the check.

For reference purposes, here's the current code, with some comments added:

if ($ref == '') {
   return 
false; [color=ff0000]// HTTP_REFERER absent[/color]
}
$pref parse_url($ref);
if ( 
$pref['host'] != $_SERVER['HTTP_HOST'] ) {
   return 
false; [color=ff0000]// HTTP_REFERER wrong[/color]
}


I'm not recommending that you do this, but only answering your question.

6
tedsmith
Re: HTTP_REFERRER Problems again
  • 2005/8/2 20:05

  • tedsmith

  • Home away from home

  • Posts: 1151

  • Since: 2004/6/2 1


Thanks Dave_L - helpful as always.

My problems are these :

1) I am not yet using 2.2 (I like to leave updates for a while before updating).

2) I am using version 2.0.13.

3) I have done searches in my site files for the following code strings and no hits are returned :

a) if ($ref == '') {
return false;

b) if ($ref == '') {

c) $ref = xoops_getenv('HTTP_REFERER');

d) xoops_getenv('HTTP_REFERER');

and a few others for which I forget. The only one that returned any hits was xoops_getenv('HTTP_REFERER'); which I found in a file include/comment_delete.php. That was it. No others.

I have done a search for the xoopssecurity.php file but that does not appear to exist in 2.0.13. If I am wrong (and it should be there) can someone please tell me that because maybe I have not fully updated properly?

I have looked at the following posts (many with contributions from me relating to earlier version of Xoops)

1
2
and 3.
(As well as others in the help etc. )

In summary, I cannot find instruction on how to disable the HTTP Referer check on version 2.0.13.

Any more help available?

Thanks

Ted

7
pegasus00321
Re: HTTP_REFERRER Problems again

Are you just asking which file those changes are suppose to be applied to?

If so, its include/functions.php
Pegasus00321


I would appricate it if you click this link
TuFat.com PHP Scripts and etc

8
tedsmith
Re: HTTP_REFERRER Problems again
  • 2005/8/2 20:26

  • tedsmith

  • Home away from home

  • Posts: 1151

  • Since: 2004/6/2 1


OK, so which part of that file? I cannot find any reference to

$pref parse_url($ref);
if ( 
$pref['host'] != $_SERVER['HTTP_HOST'] ) {
   return 
false;


or

if ($ref == '') {
   return 
false;


or

http_referer or anything in that file. Dave_L suggests that in version 2.2 it's all in the illusive xoopssecuirty.php but nothing like the above is in functions.php of 2.0.13?

The closest I have found is this in functions.php, lines 143 - 146. Could that be it?
function xoops_refcheck($docheck=1)
{
    return 
$GLOBALS['xoopsSecurity']->checkReferer($docheck);
}


I'm confused!! Thanks for helping me.

9
Dave_L
Re: HTTP_REFERRER Problems again
  • 2005/8/2 20:26

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Sorry, I got confused by all the versions mentioned in this thread.

In XOOPS 2.0.13, the check is in class/xoopssecurity.php, just like in 2.2. Search for "checkReferer" or "HTTP_REFERER" to locate the code. The code is slightly different, but the information I posted about replacing "return false" with "return true" is still applicable.

10
tedsmith
Re: HTTP_REFERRER Problems again
  • 2005/8/3 17:59

  • tedsmith

  • Home away from home

  • Posts: 1151

  • Since: 2004/6/2 1


I must have done something wrong then because I don't have an xoopssecurity.php file at all?

In the functions.php file, between lines 140-146 is the following :

/**
* Deprecated, use {@link XoopsSecurity} class instead
**/
function xoops_refcheck($docheck=1)
{
    return 
$GLOBALS['xoopsSecurity']->checkReferer($docheck);
}


Should I change it to this :
/**
* Deprecated, use {@link XoopsSecurity} class instead
**/
function xoops_refcheck($docheck=1)
{
    return [
color=CC0000]true;[/color]
}


Would that work as you suggest above? Should I also try to work out why I don't have an xoopssecuirty.php file?

Thanks Dave

Ted

Login

Who's Online

415 user(s) are online (334 user(s) are browsing Support Forums)


Members: 0


Guests: 415


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits