
Ticket #821 (fixed bug)

Referrer check breaks with UTF-8 URLs

  • Created: 2013-01-17 01:10:25
  • Reported by: Franz
  • Assigned to: adaur
  • Milestone: 1.5.4
  • Component: security
  • Priority: normal

Let's assume a forum's base URL is configured with, say, Hebrew characters.

When accessing that forum with a browser, the request URL will be converted to contain Punycode. When comparing those two in confirm_referrer(), we will obviously not be successful.

What we could do is convert the base URL to Punycode in that function. That might be a little difficult, though, as we cannot use the idn_to_ascii() function in PHP before 5.3.0. Suggestions?

History

quy 2013-01-21 19:28:36

Maybe this, but for PHP 5.0+:
http://phlymail.com/en/downloads/idna-convert.html

Hopefully you can get some ideas from the following PunBB code in profile.php:

		// IDNA url handling
		if (defined('FORUM_SUPPORT_PCRE_UNICODE') && defined('FORUM_ENABLE_IDNA'))
		{
			// Load the IDNA class for international url handling
			require_once FORUM_ROOT.'include/idna/idna_convert.class.php';

			$idn = new idna_convert();
			$idn->set_parameter('encoding', 'utf8');
			$idn->set_parameter('strict', false);

			if (preg_match('!^(https?|ftp|news){1}'.preg_quote('://xn--', '!').'!', $url_source))
			{
				$user['url'] = $idn->decode($url_source);
			}
			else
			{
				$url_source = $idn->encode($url_source);
			}
		}

Studio384 2013-01-21 20:23:31

I don't think it's a huge problem if the code only works on PHP 5, since it is used by 99,684 percent of the market.

Franz 2013-02-22 11:11:32

  • Milestone changed from 1.5.3 to 1.5.4.

Visman 2013-03-19 16:50:00

It has long been time to abandon the authenticity check through $_SERVER['HTTP_REFERER'].

adaur 2013-03-19 17:51:11

Is your modification using a hash hard to implement, Visman?

Franz 2013-03-19 18:43:50

Visman: you are right, of course. Do you think it would be good to implement the "proper" method here? The changes would be quite big...

Visman 2013-03-20 02:16:47

>Is your modification using a hash hard to implement, Visman?
Implementing the modification I use is not difficult (@artoodetoo offered it here long ago).

To Franz: look at my modification of FluxBB; there aren't a lot of changes.

Visman 2013-03-20 02:27:15

A nicer method:
1. o_timeout_visit >= 3600 (so that the data stays available for an hour).
2. Add a field csrf_field to the online table (it holds a random value, filled in when a new row is created in the table).
3. In each form, add a hidden field csrf_token whose value is derived from csrf_field (together with the user's IP, the file name, etc.).

quy 2013-04-16 22:23:24

Is this related to ticket #309?

Franz 2013-04-17 07:31:21

It would be solved by using tokens instead, but we don't want to make changes that big in v1.5.

quy 2013-04-17 20:32:15

Will one of these options (while not ideal) work as a temporary solution until FluxBB v2.0?

1. Advise board owner to use an online converter to find out the Punycode and manually set the base URL with it.
2. Check if PHP 5.0+ and use the IDNA Converter class to automatically do the conversion and suggest option 1 if PHP < 5.0.
3. Check if PHP 5.3.0+ and use idn_to_ascii() to automatically do the conversion and suggest option 1 if PHP < 5.3.0.
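The comparison the ticket describes and the normalisation that option 3 relies on, as an added Python illustration (not FluxBB code; PHP's idn_to_ascii() would play the role of the idna codec here). The base URL and Referer values are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample values: a base URL configured with a non-ASCII hostname
# and the Referer header a browser actually sends for the same site.
BASE_URL = "http://bücher.example/forum"
REFERER_HEADER = "http://xn--bcher-kva.example/forum/post.php?fid=1"


def idna_host(url):
    """Return the host of `url` in ASCII (Punycode) form, lower-cased.

    A host that is already Punycode passes through unchanged, so the
    function can be applied to both sides of the comparison.
    """
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii").lower()


def naive_confirm_referrer(referer, base_url):
    """Raw string comparison of the configured base URL against the Referer.

    This is the kind of check that breaks: the UTF-8 base URL never matches
    the Punycode host the browser sent.
    """
    return referer.startswith(base_url)


def confirm_referrer(referer, base_url):
    """Accept the request only if the Referer host equals the base URL host,
    with both hosts normalised to Punycode first."""
    if not referer:
        return False
    try:
        return idna_host(referer) == idna_host(base_url)
    except UnicodeError:  # hostname that IDNA cannot encode (e.g. label too long)
        return False
```

Comparing hosts rather than raw URL prefixes also means a Referer such as http://other.example/xn--bcher-kva.example is rejected, since only the host component is considered.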

Franz 2013-04-17 21:36:33

To keep it simple, I'd probably favor the third option. Since the group of affected users is not very big, this should do. Option 1 as fallback is also good.

Hosts should really switch to PHP 5.3 if they haven't yet...

Franz 2013-08-08 22:04:00

Just so I don't forget, this topic brought it all up...

Visman 2013-08-09 10:36:58

You're reinventing the wheel.

Franz 2013-08-10 19:27:26

  • Milestone changed from 1.5.4 to 1.5.5.

adaur 2013-08-11 13:30:37

https://github.com/fluxbb/fluxbb/pull/86

We could apply the fix to 1.5.4 version.


adaur 2013-08-12 15:31:31

  • Milestone changed from 1.5.5 to 1.5.4.

Ready to be pushed.

adaur 2013-08-12 20:04:06

Commit 4d234a6 to fluxbb master

#821: Referrer check breaks with UTF-8 URLs

adaur 2013-08-12 20:04:50

Commit 4cd6584 to fluxbb master

#821: Referrer check breaks with UTF-8 URLs

Franz 2013-08-12 22:15:58

  • Owner changed from Franz to adaur.

Thank you very much, I merged it.

Franz 2013-08-12 22:16:23

Commit 8670612 to fluxbb master

Merge pull request #87 from adaur/master

#821: Referrer check breaks with UTF-8 URLs

Franz 2013-08-13 22:04:17

  • Status changed from open to fixed.