-
I did a split topic here, and somehow I managed to trip the 'offsite form' detection (but because I'm an admin it merely warned me, as opposed to blocking me entirely)
I'm suspecting there is something wrong with that, but I'm in the middle of writing the log viewer so I'll be able to see WTF is going on with it.
-
At least its happening in the 'calmness' of your own site and you haven't reams of support requests to wade through :)
-
That's exactly why we're doing it here before we deploy it properly, because we can assess such things in a real environment - the BB integration was never tested on a live site prior to this deployment, for example.
-
Maybe it's due to pretty urls..?
-
Maybe but more likely I implemented it naively.
-
Don't forget to remind me to remove the setting if you ever fix that.
-
Leave the setting as is, because if you ever go for the subdomain thing again, it may get tripped again with it.
-
Dunno. I don't think I'll go back to subdomains... It made sense on noisen.com because of the whole 'make your own blog' aspect (even though people have to ask me for their subdomain because at the time I implemented the site, I was on a host that didn't support wildcards, and I stopped developing noisen.com long before moving it to a new host), but here, I don't know... It would only be 'for the show'... But honestly, have you seen anyone request 'how we did subdomains' back when we used the SMF version of the site?
-
I can make use of it on things I have planned ;) Despite the support matters it would be a good feature to have.
-
Oh... All right ;)
But there are plenty of things to implement before even thinking of that...
(Hmm... I don't even remember if I already implemented 'custom URL transforms'... I doubt so. A simple list of newline-separated regexes or str_replaces in a textarea...)
-
Now I have a log viewer, it might be worth emptying $settings['allow_external_forms'] now and trying it again. The test code looks like it should work since the Host should be solely the domain, e.g. wedge.org, and matched against the contents of Referer, which should be [url]http://wedge.org/...[/url]
-
Now I have a log viewer, it might be worth emptying $settings['allow_external_forms'] now and trying it again.
-
I'm currently working on altering the handling of BB so that admin errors will also be logged, currently they are not.
-
Okay!
-
OK, so r1544 now has that in it, so next update we can investigate it a bit better.
-
Up!
Posted: April 6th, 2012, 08:47 PM
And running... Topic 'split'.
-
And now I understand why it is broken. Your browser appears to not understand how to process HTTP/1.1.
The log shows that the request includes a Host header:
Host: wedge.org/pub/bugs
This is contrary to the specification in section 14.23 where it is only supposed to be the *host*. This trips the test because the Referer begins with http://wedge.org/do/splittopics as it should - and wedge.org/pub/bugs/ is not a substring of wedge.org/do/splittopics.
I don't yet know *why* this occurs but it does at least explain the problem.
-
Uh. How strange. I'm using the latest 'official' Opera really...
And why pub/bugs anyway? It should be using the splittopics URL...?
-
Pretty URLs. The POST URL is constructed to have the board id first - and so it's converted to /pub/bugs/?action=... as the intrusion log shows.
What's happening is:
POST /7249/split-topic-appears-to-trip-bad-behaviour/?action=splittopics;sa=execute
Host: wedge.org/pub/bugs
I don't know why Opera's doing that, but that's what's causing this to happen - and note that if Opera behaved as it should, there wouldn't be a problem because the host would be submitted as just the hostname.
We can still fix the URL being generated so that it ends up as wedge.org/do/splittopics but given how Opera is issuing the wrong Host, I'd honestly rather not for the time being until I can find out what the hell Opera (and other browsers, looking at the log) are playing at.
-
Okay! It's nit that!
Look at querystring.php, I actually change the request var for the host to contain the board name. It's a technique I used to simplify other calculations. Iirc I save the actual host in another variable. You should take that into account or just change the method I used to something that fits you best.
-
Ahhhhhhhh, that makes sense. I did wonder why some browsers were ignoring the spec!
I noticed that the code sets $_SERVER['REAL_HTTP_HOST'] so I'll check for that, and if it's found, I'll reset the headers to use that instead of whatever $_SERVER['HTTP_HOST'] has.
Posted: April 6th, 2012, 10:30 PM
Hopefully r1545 should fix this.
-
That's it :)
Posted: April 6th, 2012, 10:37 PM
Not on my pc so I can't upload btw. Sorry.
-
(Fixed indeed.)
-
Moving this one to archived then.