changelog | [dw-free] When using /update (instead of /update.bml), autosave no longer works

[commit: http://hg.dwscoalition.org/dw-free/rev/419d66008bc2]

http://bugs.dwscoalition.org/show_bug.cgi?id=1313

Update referer-checking to accept requests from both /update and /update.bml

Patch by

sophie.

Files modified:

cgi-bin/weblib.pl

--------------------------------------------------------------------------------
diff -r 7380a425b76d -r 419d66008bc2 cgi-bin/weblib.pl
--- a/cgi-bin/weblib.pl	Sat Jul 04 04:40:08 2009 +0000
+++ b/cgi-bin/weblib.pl	Sat Jul 04 08:34:43 2009 +0000
@@ -567,11 +567,24 @@ sub check_referer {
 
     # get referer and check
     return 1 unless $referer;
-    return 1 if $LJ::SITEROOT   && $referer =~ m!^$LJ::SITEROOT$uri!;
-    return 1 if $LJ::DOMAIN     && $referer =~ m!^http://$LJ::DOMAIN$uri!;
-    return 1 if $LJ::DOMAIN_WEB && $referer =~ m!^http://$LJ::DOMAIN_WEB$uri!;
-    return 1 if $LJ::USER_VHOSTS && $referer =~ m!^http://([A-Za-z0-9_\-]{1,25})\.$LJ::DOMAIN$uri!;
-    return 1 if $uri =~ m!^http://! && $referer eq $uri;
+
+    my ( $origuri, $origreferer ) = ( $uri, $referer );
+
+    # escape any regex characters, like the '.' in '.bml'
+    $uri = quotemeta( $uri );
+
+    # allow us to properly check URIs without .bml extensions
+    if ( $origuri =~ /\.bml($|\?)/ ) {
+      my $checkend = ( $1 eq '?' ? '' : '(?:$|\\?)' );
+      $uri     =~ s/\\.bml($|\\\?)/$1$checkend/;
+      $referer =~ s/\.bml($|\?)/$1/;
+    }
+
+    return 1 if $LJ::SITEROOT   && $referer =~ m!^\Q$LJ::SITEROOT\E$uri!;
+    return 1 if $LJ::DOMAIN     && $referer =~ m!^http://\Q$LJ::DOMAIN\E$uri!;
+    return 1 if $LJ::DOMAIN_WEB && $referer =~ m!^http://\Q$LJ::DOMAIN_WEB\E$uri!;
+    return 1 if $LJ::USER_VHOSTS && $referer =~ m!^http://([A-Za-z0-9_\-]{1,25})\.\Q$LJ::DOMAIN\E$uri!;
+    return 1 if $origuri =~ m!^http://! && $origreferer eq $origuri;
     return undef;
 }
 
--------------------------------------------------------------------------------