Error redirecting to potential insecure url

kaspir
Moderator
Posts: 88
Joined: Mon Mar 20, 2017 2:38 pm
Location: USA

Re: Error redirecting to potential insecure url

Post by kaspir »

Any way to refine what I have here? I'm getting the error once in a while still.

Code:

function redirect($url, $return = false, $disable_cd_check = false)
{
	global $user, $phpbb_path_helper, $phpbb_dispatcher;

	// kaspir added: drop everything up to and including the first dot of the
	// target url (e.g. https://www.example.com/x -> example.com/x)
	$w3ck = preg_replace('/^[^\.]*\.([^\.]*)\.(.*)$/', '\1.\2', $url);

	// value the target is compared against
	$w3 = request_var('REMOTE_ADDR', '0');

	// if the target contains it, skip phpBB's cross-domain check
	if (stristr($w3ck, $w3)) {
		$disable_cd_check = true;
	} // end kaspir

	// ... rest of phpBB's redirect() body follows unchanged
World of Phaos RPG online is making its comeback! Play free now!
Check out phpBB contributions & extension downloads. :P
axew3
w3all User
Posts: 2883
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: Error redirecting to potential insecure url

Post by axew3 »

I do not know if I've understood the meaning above, so maybe my answer will be wrong.
The old code concept, with the preg_replace pattern, tries to extract the absolute domain name, like
thetopfew.com, from the passed url,
then assigns to the var $w3 the domain name where phpBB is installed:
$w3 = request_var('REMOTE_ADDR','0');
and so checks that this value matches in some way.

But the pattern can fail in several ways, and furthermore for sure when we are on domains like co.uk.
For this, maybe on certain domains it will fail to disable the check and correctly redirect out of the phpBB installation folder.
So for this, the suggested modification has been changed into the new one on the help/install page:
https://www.axew3.com/w3/2016/02/phpbb- ... subdomain/

To be precise, this is not as secure as the previous one: there is no check on the passed url, which could also be an external site. But this does not represent to me (maybe I'm wrong) a big potential security issue. You can redirect where you want if you like, as long as the redirect does not contain any of my data, but yours.
Could it contain sensitive data about the server? I do not think so, but this consideration is merely based on my experience.

The secure, and secured, way would be that in this piece of code the extraction of the domain is done by a function that never fails to extract from the passed url the correct domain name to check against. That can be the cookie function that you already know, for example.

p.s. for instance, in this online example there is no change to the phpBB code about this, because it is not a subdomain or something like axew3.co.uk, where the pattern can fail, causing the error on login in phpBB trying to redirect to potential ....
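A host-based version of the check axew3 describes above, added here as an example; it is not phpBB's code and was not posted in this thread. Instead of counting dots in the url it compares the parsed host against an explicit list of hosts the board is served from, which behaves the same on a co.uk domain; the helper name `w3_redirect_host_allowed`, the allow-list and the sample urls are all constructed for the example.

```php
<?php
// Added example, not phpBB's own code: exact-host allow-list instead of the
// dot-counting preg_replace. $allowed_hosts is a constructed list; in phpBB the
// configured board host lives in $config['server_name'] and could seed it.

/**
 * True when $url points at one of the hosts the board is served from, so the
 * cross-domain check in redirect() may be skipped. Relative URLs (no host) and
 * non-http(s) schemes return false and stay under phpBB's normal handling.
 */
function w3_redirect_host_allowed(string $url, array $allowed_hosts): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;                         // unparsable or relative URL
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;                         // also rejects protocol-relative //host
    }
    // Normalise the host: case-insensitive, ignore a trailing dot.
    $host = rtrim(strtolower(trim($parts['host'])), '.');
    foreach ($allowed_hosts as $allowed) {
        if ($host === rtrim(strtolower($allowed), '.')) {
            return true;                      // exact match only, no suffix matching
        }
    }
    return false;
}

// Constructed allow-list for a board on a co.uk domain, where the thread says
// the old pattern can fail.
$allowed_hosts = ['axew3.co.uk', 'www.axew3.co.uk', 'forum.axew3.co.uk'];

// Constructed redirect targets and the expected decision for each.
$targets = [
    'https://www.axew3.co.uk/index.php'        => true,
    'https://FORUM.axew3.co.uk./viewtopic.php' => true,  // case and trailing dot
    'https://axew3.co.uk.evil.example/'        => false, // look-alike suffix
    'https://evil.example/?back=axew3.co.uk'   => false, // own domain only in query
    '//evil.example/'                          => false, // no scheme
    './viewforum.php?f=2'                      => false, // relative, phpBB handles it
];
foreach ($targets as $url => $expected) {
    $skip = w3_redirect_host_allowed($url, $allowed_hosts);
    printf("%-42s %-10s %s\n", $url, $skip ? 'skip-check' : 'check', $skip === $expected ? 'ok' : 'MISMATCH');
}
// Inside redirect(), the lines from the first post would become:
// if (w3_redirect_host_allowed($url, $allowed_hosts)) { $disable_cd_check = true; }
```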
kaspir
Moderator
Posts: 88
Joined: Mon Mar 20, 2017 2:38 pm
Location: USA

Re: Error redirecting to potential insecure url

Post by kaspir »

Argh, too busy lately, haven't been keeping up.

Thanks so much for response. I am going to use just: https://www.axew3.com/w3/2016/02/phpbb- ... subdomain/

And see what happens from there. The hardest thing is, I can't seem to reproduce it, so therefore I have less idea of what's going on, ya know?

Honestly, I began thinking it might be a cookie issue or perhaps the fact that I change my internet constantly when jumping from hotspot to home.

I'll keep paying attention to this; I am sure this is probably just my problem, no one else's.
kaspir
Moderator
Posts: 88
Joined: Mon Mar 20, 2017 2:38 pm
Location: USA

Re: Error redirecting to potential insecure url

Post by kaspir »

Since my last post I've been using:

Code:

function redirect($url, $return = false, $disable_cd_check = true) // default changed from false to true
And no more error.