#1 2019-01-05 10:07:04

Otomatic
FluxBB Donor
From: Paris - France
Registered: 2010-01-26
Posts: 562
Website

1.5.11 - Rebuilt index -> Bad HTTP REFERER

Hi,

FluxBB 1.5.11
- Administration
- Maintenance
- Rebuilt index

Error message:
Bad HTTP_REFERER. You were referred to this page from an unauthorized source. If the problem persists please make sure that 'Base URL' is correctly set in Admin/Options and that you are visiting the forum by navigating to that URL. More information regarding the referrer check can be found in the FluxBB documentation.

This is done by line 29 of admin_maintenance.php and the call to:

confirm_referrer('admin_maintenance.php');

It seems that $_SERVER['HTTP_REFERER'] is empty in the case of Rebuilt index.

There is no problem for other Administration actions like Options or Permissions.


Ce n'est pas parce que l'erreur se propage qu'elle devient vérité. Ghandi
An error does not become truth by reason of multiplied propagation. Ghandi

Offline

#2 2019-01-05 19:29:54

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,590
Website

Re: 1.5.11 - Rebuilt index -> Bad HTTP REFERER

Hmm, strange, I cannot reproduce. Can you try again with another browser and in incognito mode (a.k.a. without extensions)?


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#3 2019-01-06 08:52:08

Otomatic
FluxBB Donor
From: Paris - France
Registered: 2010-01-26
Posts: 562
Website

Re: 1.5.11 - Rebuilt index -> Bad HTTP REFERER

Hi,

You are right.
All my tests are done locally, with my local Wampserver server with which I can change the Apache, PHP and MySQL versions "on the fly".
I have five browsers for my tests:
- Firefox with various extensions (Default browser)
- Opera raw installation.
- Chromium
- Internet Explorer
- Edge under Windows 10
There is no problem with Opera, but only with Firefox.

I will investigate further. ;)


Ce n'est pas parce que l'erreur se propage qu'elle devient vérité. Ghandi
An error does not become truth by reason of multiplied propagation. Ghandi

Offline

#4 2019-01-06 16:25:29

Otomatic
FluxBB Donor
From: Paris - France
Registered: 2010-01-26
Posts: 562
Website

Re: 1.5.11 - Rebuilt index -> Bad HTTP REFERER

Hi,

With Firefox (with or without extensions, and even in safe mode) the first loop is correctly executed, since for this first loop the HTTP_REFERER exists:
[HTTP_REFERER] => http://aviatechno/forum/admin_maintenance.php
But, from the second iteration onwards, $_SERVER['HTTP_REFERER'] no longer exists.

The PHP documentation says:
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

I modified the calls to rebuild index by rebuilding the HTTP_REFERER from reliable information in the PHP predefined variable $_SERVER:
Replace

if ($action == 'rebuild')
{
    confirm_referrer('admin_maintenance.php');

by

if ($action == 'rebuild')
{
    $_SERVER['HTTP_REFERER'] = $_SERVER['REQUEST_SCHEME'].'://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
    confirm_referrer('admin_maintenance.php');

And there, there is no more problem, the index reconstruction works without any errors with Firefox, Opera, Chromium and Internet Explorer.


Ce n'est pas parce que l'erreur se propage qu'elle devient vérité. Ghandi
An error does not become truth by reason of multiplied propagation. Ghandi

Offline

#5 2019-01-06 18:36:37

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,590
Website

Re: 1.5.11 - Rebuilt index -> Bad HTTP REFERER

We will get rid of the referrer check soon (TM).

Your solution is not a good idea from a security perspective, because it essentially avoids the referrer check completely. But since you only added this for this particular page, and we still have the CSRF token, it should be okay as a good stopgap solution.

Thanks for investigating!


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline
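
Why the overwrite from post #4 leaves the referrer check with nothing to verify, while a token check still separates the two requests, shown as an added example (not part of any post in this thread and not FluxBB's code). referrer_ok(), apply_stopgap() and token_ok() are simplified stand-ins, and the requests, token and key are constructed; only the host name comes from the thread.

```php
<?php
// Added example, not FluxBB's code. referrer_ok() and token_ok() are simplified stand-ins.

// Referer check: pass only if the header names the expected script on the forum host.
function referrer_ok(array $server, string $baseUrl, string $script): bool
{
    $ref  = parse_url($server['HTTP_REFERER'] ?? '');
    $want = parse_url($baseUrl . '/' . $script);
    if (!is_array($ref) || !isset($ref['host'], $ref['path'])) {
        return false; // header absent or unparsable
    }
    return strcasecmp($ref['host'], $want['host']) === 0 && $ref['path'] === $want['path'];
}

// The stopgap from post #4: rebuild the header from the request's own values.
function apply_stopgap(array $server): array
{
    $server['HTTP_REFERER'] = $server['REQUEST_SCHEME'] . '://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
    return $server;
}

// Token check: compares a per-session value that must arrive with the request itself.
function token_ok(array $request, string $expected): bool
{
    $sent = $request['csrf_token'] ?? '';
    return is_string($sent) && hash_equals($expected, $sent);
}

$baseUrl = 'http://aviatechno/forum';                       // host taken from the thread
$token   = hash_hmac('sha256', 'session-id-1', 'demo-key'); // constructed values
$common  = ['REQUEST_SCHEME' => 'http', 'HTTP_HOST' => 'aviatechno',
            'REQUEST_URI' => '/forum/admin_maintenance.php?action=rebuild']; // constructed URI

// Constructed requests: [server variables, request parameters]
$cases = [
    'rebuild, 2nd iteration, no Referer' => [$common, ['csrf_token' => $token]],
    'request sent from another site'     => [$common + ['HTTP_REFERER' => 'http://other.example/'], []],
];

foreach ($cases as $name => [$server, $request]) {
    printf("%-36s referer=%-5s referer+stopgap=%-5s token=%s\n", $name,
        var_export(referrer_ok($server, $baseUrl, 'admin_maintenance.php'), true),
        var_export(referrer_ok(apply_stopgap($server), $baseUrl, 'admin_maintenance.php'), true),
        var_export(token_ok($request, $token), true));
}
```

Once the header is rebuilt from the request's own scheme, host and URI, the referrer comparison passes for both requests, so only the token column still tells them apart.
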

#6 2019-01-07 08:31:23

Otomatic
FluxBB Donor
From: Paris - France
Registered: 2010-01-26
Posts: 562
Website

Re: 1.5.11 - Rebuilt index -> Bad HTTP REFERER

Hi,

They were just tests.
I will modify this, and only in the case of index rebuild: not for the first iteration, but only for the following iterations, and only if HTTP_REFERER is empty.


Ce n'est pas parce que l'erreur se propage qu'elle devient vérité. Ghandi
An error does not become truth by reason of multiplied propagation. Ghandi

Offline
