Wedge

And now I understand why it is broken. Your browser appears to not understand how to process HTTP/1.1.

The log shows that the request includes a Host header:
Host: wedge.org/pub/bugs

This is contrary to the specification in section 14.23 where it is only supposed to be the *host*. This trips the test because the Referer begins with http://wedge.org/do/splittopics as it should - and wedge.org/pub/bugs/ is not a substring of wedge.org/do/splittopics.

I don't yet know *why* this occurs but it does at least explain the problem.

Pretty URLs. The POST URL is constructed to have the board id first - and so it's converted to /pub/bugs/?action=... as the intrusion log shows.

What's happening is:
POST /7249/split-topic-appears-to-trip-bad-behaviour/?action=splittopics;sa=execute
Host: wedge.org/pub/bugs

I don't know why Opera's doing that, but that's what's causing this to happen - and note that if Opera behaved as it should, there wouldn't be a problem because the host would be submitted as just the hostname.

We can still fix the URL being generated so that it ends up as wedge.org/do/splittopics but given how Opera is issuing the wrong Host, I'd honestly rather not for the time being until I can find out what the hell Opera (and other browsers, looking at the log) are playing at.

Ahhhhhhhh, that makes sense. I did wonder why some browsers were ignoring the spec!

I noticed that the code sets $_SERVER['REAL_HTTP_HOST'] so I'll check for that, and if it's found, I'll reset the headers to use that instead of whatever $_SERVER['HTTP_HOST'] has.

Hopefully r1545 should fix this.

(Fixed indeed.)