[Vtigercrm-developers] vtiger 6.1 referrer check fails

Hamono, Chris (DPC) Chris.Hamono at sa.gov.au
Fri Dec 19 03:22:27 GMT 2014


Vtiger 6.1 contains the following code

    protected function validateReferer() {
        // Referer check if present - to overcome
        if (isset($_SERVER['HTTP_REFERER'])) {
            global $site_URL;
            // Rejects the request unless the Referer *starts with* $site_URL
            // (stripos returns the position of $site_URL inside the Referer;
            // anything other than 0 fails). The Install module is exempt.
            if ((stripos($_SERVER['HTTP_REFERER'], $site_URL) !== 0) && ($this->get('module') != 'Install')) {
                throw new Exception('Illegal request');
            }
        }
        return true;
    }

This code does not take into account that the site may be in a folder other than root or linked from another domain!

In my case I have a folder at root level that has a link to the vtiger install. Clicking that link causes the above referrer test to fail.
My link is... /vtigercrm/index.php
Therefore the referrer is... http://domain.moc

i.e. http://domain.moc != http://domain.moc/vtigercrm

The test would succeed (in my case) if you changed it to...

    if ((stripos($site_URL, $_SERVER['HTTP_REFERER']) !== 0)

But would still fail when linked from another domain.

Why is this test even there? It should be perfectly fine to have a link on another completely different domain link to the index page of the vtiger application.

Chris

P.S.
Referer is spelt incorrectly: the original author of the HTTP spec misspelt it and it stuck; it should be referrer!

P.P.S.
I seem to spend more time working around vt bugs than doing actual work; it is becoming increasingly frustrating.
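The following is an added example, not code from the post or from vtiger. It runs the original prefix check, the reversal suggested above, and an origin comparison (scheme, host, port) against Referer values constructed from the situations the post describes, with $site_URL set to http://domain.moc/vtigercrm as in the post. The helper names (originOf, sameOrigin, refererAccepted) and the CSRF-style scoping in refererAccepted are assumptions for illustration, not vtiger behaviour. It shows that the original check rejects the root-level link, that the reversed check accepts it but would reject requests coming from pages inside the install itself, and that comparing origins accepts both while still rejecting another domain.

```php
<?php
declare(strict_types=1);

// Added example, not vtiger code. Three Referer checks applied to the cases
// described in the post, with $site_URL as in the post (constructed value).

// vtiger 6.1 logic as quoted in the post: the Referer must start with $site_URL.
function refererStartsWithSite(string $referer, string $siteUrl): bool
{
    return stripos($referer, $siteUrl) === 0;
}

// The reversal proposed in the post: $site_URL must start with the Referer.
function siteStartsWithReferer(string $referer, string $siteUrl): bool
{
    return stripos($siteUrl, $referer) === 0;
}

// Normalise a URL to its origin (scheme://host:port); null if unparsable.
// Hypothetical helper, not from vtiger.
function originOf(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $port   = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

// Same-origin check: the path is ignored, so a link from the document root of
// the host that serves the install is accepted, while another domain is not.
function sameOrigin(string $referer, string $siteUrl): bool
{
    $r = originOf($referer);
    return $r !== null && $r === originOf($siteUrl);
}

// How a CSRF-oriented Referer check is usually scoped (assumption, not vtiger
// behaviour): only state-changing methods are checked, and a missing header is
// tolerated because browsers and proxies legitimately strip it.
function refererAccepted(?string $referer, string $siteUrl, string $method): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    if ($referer === null || $referer === '') {
        return true;
    }
    return sameOrigin($referer, $siteUrl);
}

$siteUrl = 'http://domain.moc/vtigercrm'; // value from the post

$cases = [ // constructed Referer values for the situations the post describes
    'link from document root of same host' => 'http://domain.moc',
    'page inside the install itself'       => 'http://domain.moc/vtigercrm/index.php?module=Leads',
    'link from another domain'             => 'http://other.example/',
    'same host, https instead of http'     => 'https://domain.moc/vtigercrm/',
];

$fmt = "%-38s %-48s original=%-4s reversed=%-4s same-origin=%s\n";
foreach ($cases as $label => $referer) {
    printf($fmt, $label, $referer,
        refererStartsWithSite($referer, $siteUrl) ? 'pass' : 'FAIL',
        siteStartsWithReferer($referer, $siteUrl) ? 'pass' : 'FAIL',
        sameOrigin($referer, $siteUrl) ? 'pass' : 'FAIL');
}
```

Running it prints one line per case. The root-level link fails the original check and passes the reversed one; the page inside the install passes the original check and fails the reversed one; the other domain fails all three; and the https variant fails all three because the scheme (and therefore the default port) is part of the origin. A cross-domain link to index.php is a plain GET, which refererAccepted lets through without looking at the header at all, which is the usual answer to "why is this test even there": the header is only useful as a check on requests that change state.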

