[dw-free] When using /update (instead of /update.bml), autosave no longer works
[commit: http://hg.dwscoalition.org/dw-free/rev/419d66008bc2]
http://bugs.dwscoalition.org/show_bug.cgi?id=1313
Update referer-checking to accept requests from both /update and /update.bml
Patch by
sophie.
Files modified:
http://bugs.dwscoalition.org/show_bug.cgi?id=1313
Update referer-checking to accept requests from both /update and /update.bml
Patch by
Files modified:
- cgi-bin/weblib.pl
--------------------------------------------------------------------------------
diff -r 7380a425b76d -r 419d66008bc2 cgi-bin/weblib.pl
--- a/cgi-bin/weblib.pl Sat Jul 04 04:40:08 2009 +0000
+++ b/cgi-bin/weblib.pl Sat Jul 04 08:34:43 2009 +0000
@@ -567,11 +567,24 @@ sub check_referer {
 # get referer and check
 return 1 unless $referer;
- return 1 if $LJ::SITEROOT && $referer =~ m!^$LJ::SITEROOT$uri!;
- return 1 if $LJ::DOMAIN && $referer =~ m!^http://$LJ::DOMAIN$uri!;
- return 1 if $LJ::DOMAIN_WEB && $referer =~ m!^http://$LJ::DOMAIN_WEB$uri!;
- return 1 if $LJ::USER_VHOSTS && $referer =~ m!^http://([A-Za-z0-9_\-]{1,25})\.$LJ::DOMAIN$uri!;
- return 1 if $uri =~ m!^http://! && $referer eq $uri;
+
+ my ( $origuri, $origreferer ) = ( $uri, $referer );
+
+ # escape any regex characters, like the '.' in '.bml'
+ $uri = quotemeta( $uri );
+
+ # allow us to properly check URIs without .bml extensions
+ if ( $origuri =~ /\.bml($|\?)/ ) {
+ my $checkend = ( $1 eq '?' ? '' : '(?:$|\\?)' );
+ $uri =~ s/\\.bml($|\\\?)/$1$checkend/;
+ $referer =~ s/\.bml($|\?)/$1/;
+ }
+
+ return 1 if $LJ::SITEROOT && $referer =~ m!^\Q$LJ::SITEROOT\E$uri!;
+ return 1 if $LJ::DOMAIN && $referer =~ m!^http://\Q$LJ::DOMAIN\E$uri!;
+ return 1 if $LJ::DOMAIN_WEB && $referer =~ m!^http://\Q$LJ::DOMAIN_WEB\E$uri!;
+ return 1 if $LJ::USER_VHOSTS && $referer =~ m!^http://([A-Za-z0-9_\-]{1,25})\.\Q$LJ::DOMAIN\E$uri!;
+ return 1 if $origuri =~ m!^http://! && $origreferer eq $origuri;
 return undef;
 }
--------------------------------------------------------------------------------
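Review bot: The `.bml` stripping is applied to the already-quotemeta'd `$uri` via `s/\\.bml($|\\\?)/$1$checkend/`, where the `.` is unescaped and matches any character; it only stays correct because quotemeta guarantees a backslash precedes the dot, and the triple-escaped `\\\?` is hard to audit. It would be clearer to strip `.bml` from the plain strings first and escape afterwards, as in the excerpt below, which should behave the same apart from `\z` in place of `$`. Note also that the end anchor `(?:$|\?)` is appended only for URIs that carried a `.bml` extension; a URI passed without one (a bare `/update`, if any caller does that) is still an unanchored prefix match against the referer, exactly as before this commit, which deserves a comment such as `# NOTE: URIs without a .bml extension are matched as a prefix only`. check_referer's argument unpacking lies above the hunk, so where `$uri` and `$referer` come from is not visible here.
```perl
my ( $origuri, $origreferer ) = ( $uri, $referer );

# allow us to properly check URIs without .bml extensions:
# drop the extension from the plain strings, then escape for the regex
my $checkend = '';
if ( $uri =~ s/\.bml(?=\z|\?)// ) {
    $checkend = '(?:\z|\?)' unless $uri =~ /\?/;
    $referer  =~ s/\.bml(?=\z|\?)//;
}
$uri = quotemeta( $uri ) . $checkend;

# … unchanged: the five "return 1 if" referer checks and "return undef" …
```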