Changeset 782 for branches/1.1dev/lib


Timestamp:
Mar 3, 2023 4:39:34 AM (14 months ago)
Author:
anonymous
Message:

Backporting a few things from codebase 2.x

File:
1 edited

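--- a/branches/1.1dev/lib/App.inc.php
+++ b/branches/1.1dev/lib/App.inc.php
@@ -308,7 +308,7 @@
         return false;
     }
-    if ($url == absoluteMe()) {
+    if ($url == absoluteMe() || $url == getenv('REQUEST_URI')) {
         // The URL we are directing to is not the current page.
-        logMsg(sprintf('Boomerang URL not valid, same as absoluteMe: %s', $url), LOG_DEBUG, __FILE__, __LINE__);
+        logMsg(sprintf('Boomerang URL not valid, same as absoluteMe or REQUEST_URI: %s', $url), LOG_DEBUG, __FILE__, __LINE__);
         return false;
     }
@@ -343,14 +343,18 @@
         if (isset($id) && isset($_SESSION['_boomerang']['url'][$id])) {
             $url = $_SESSION['_boomerang']['url'][$id];
+            logMsg(sprintf('dieBoomerangURL(%s) found: %s', $id, $url), LOG_DEBUG, __FILE__, __LINE__);
         } else {
             $url = end($_SESSION['_boomerang']['url']);
+            logMsg(sprintf('dieBoomerangURL(%s) using: %s', $id, $url), LOG_DEBUG, __FILE__, __LINE__);
         }
     } else if (isset($default_url)) {
         $url = $default_url;
-    } else if (!refererIsMe()) {
+    } else if (!refererIsMe() && '' != getenv('HTTP_REFERER')) {
         // Ensure that the redirecting page is not also the referrer.
         $url = getenv('HTTP_REFERER');
+        logMsg(sprintf('dieBoomerangURL(%s) using referrer: %s', $id, $url), LOG_DEBUG, __FILE__, __LINE__);
     } else {
         $url = '';
+        logMsg(sprintf('dieBoomerangURL(%s) using empty: %s', $id, $url), LOG_DEBUG, __FILE__, __LINE__);
     }
 
@@ -862,6 +866,6 @@
 function absoluteMe()
 {
-    $protocol = ('on' == getenv('HTTPS')) ? 'https://' : 'http://';
-    return $protocol . getenv('HTTP_HOST') . getenv('REQUEST_URI');
+    $safe_http_host = preg_replace('/[^a-z\d.:-]/', '', getenv('HTTP_HOST'));
+    return sprintf('%s://%s%s', (getenv('HTTPS') ? 'https' : 'http'), $safe_http_host, getenv('REQUEST_URI'));
 }
 
@@ -876,10 +880,18 @@
 function refererIsMe($exclude_query=false)
 {
+    $current_url = absoluteMe();
+    $referrer_url = getenv('HTTP_REFERER');
+
+    // If one of the hostnames is an IP address, compare only the path of both.
+    if (preg_match('/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/', parse_url($current_url, PHP_URL_HOST)) || preg_match('/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/', parse_url($referrer_url, PHP_URL_HOST))) {
+        $current_url = preg_replace('@^https?://[^/]+@u', '', $current_url);
+        $referrer_url = preg_replace('@^https?://[^/]+@u', '', $referrer_url);
+    }
+
     if ($exclude_query) {
-        return (stripQuery(absoluteMe()) == stripQuery(getenv('HTTP_REFERER')));
+        return (stripQuery($current_url) == stripQuery($referrer_url));
     } else {
-        return (absoluteMe() == getenv('HTTP_REFERER'));
-    }
-}
-
-?>
+        logMsg(sprintf('refererIsMe comparison: %s == %s', $current_url, $referrer_url), LOG_DEBUG, __FILE__, __LINE__);
+        return ($current_url == $referrer_url);
+    }
+}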
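Review bot: In absoluteMe() (new lines 868–869) the scheme test went from `'on' == getenv('HTTPS')` to a plain truthiness check, so a server that sets HTTPS to the string `off` is now reported as `https`. The host filter `/[^a-z\d.:-]/` is also case-sensitive, so upper-case letters in HTTP_HOST are deleted rather than normalised (`Example.com` becomes `xample.com`). Either defect makes absoluteMe() differ from the URL the client actually requested, which defeats the `$url == absoluteMe()` loop guard and the refererIsMe() comparison that this changeset builds on it. I would lower-case before filtering and keep an explicit scheme test: `$safe_http_host = preg_replace('/[^a-z\d.:-]/', '', strtolower((string) getenv('HTTP_HOST')));` and `$scheme = in_array(strtolower((string) getenv('HTTPS')), array('', 'off', '0'), true) ? 'http' : 'https';`. Stripping characters does not show that the host is one this site serves, so if absoluteMe() feeds redirects or generated links elsewhere (not visible here), checking HTTP_HOST against a configured host list would be the stronger control.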