[dw-free] Update direct referer checks to use check_referer instead
[commit: http://hg.dwscoalition.org/dw-free/rev/48a8800d5eec]
http://bugs.dwscoalition.org/show_bug.cgi?id=1557
Replace regexp referer checks with the check_referer function.
Patch by
draigwen.
Files modified:
http://bugs.dwscoalition.org/show_bug.cgi?id=1557
Replace regexp referer checks with the check_referer function.
Patch by
Files modified:
- htdocs/interests.bml
- htdocs/login.bml
- htdocs/logout.bml
--------------------------------------------------------------------------------
diff -r efa4d53fc342 -r 48a8800d5eec htdocs/interests.bml
--- a/htdocs/interests.bml Wed Aug 12 01:27:16 2009 -0500
+++ b/htdocs/interests.bml Thu Aug 13 18:38:11 2009 -0500
@@ -84,7 +84,7 @@ body<=
my $dbr = LJ::get_db_reader();
- unless ($did_post || BML::get_client_header('Referer') =~ /^\Q$LJ::SITEROOT\E\/interests\?/)
+ unless ( $did_post || LJ::check_referer('/interests.bml') )
{
my ($int) = $dbr->selectrow_array("SELECT interest FROM interests WHERE intid=?", undef, $intid);
LJ::text_out(\$int);
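Review bot: The path handed to LJ::check_referer on the added line is `/interests.bml`, but the regexp it replaces accepted `$LJ::SITEROOT/interests?…` with no `.bml` extension, so whether a referer from the extension-less URL still passes now depends on how check_referer normalises paths, which is not shown in this diff. The old pattern also made the anchoring to `$LJ::SITEROOT` explicit; that guarantee is now delegated entirely to the helper and should be confirmed against its implementation rather than assumed. If the helper does an exact or prefix compare, the argument may need to be `/interests` (or both forms), and a one-line comment such as `# check_referer anchors the Referer to $LJ::SITEROOT and must accept both /interests and /interests.bml` would record the expectation for the next reader. The `unless` block continues past the end of the hunk.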
diff -r efa4d53fc342 -r 48a8800d5eec htdocs/login.bml
--- a/htdocs/login.bml Wed Aug 12 01:27:16 2009 -0500
+++ b/htdocs/login.bml Thu Aug 13 18:38:11 2009 -0500
@@ -354,11 +354,11 @@
return if $want_success_redirect->();
my $referer = BML::get_client_header('Referer');
- if ($POST{'ref'} =~ /\Q$LJ::DOMAIN\E/ && $POST{'ref'} !~ m!/logout\.bml$! &&
- $POST{'ref'} !~ /[\n\r]/)
- {
+ if ( $POST{'ref'} =~ /\Q$LJ::DOMAIN\E/ && # page on our site
+ ! LJ::check_referer( '/logout.bml', $POST{'ref'} ) && # but not the logout page
+ $POST{'ref'} !~ /[\n\r]/ ) { # and no newline spoofing
return BML::redirect("$POST{'ref'}");
- } elsif ($GET{'ret'} == 1 && $referer && $referer =~ /\Q$LJ::DOMAIN\E/) {
+ } elsif ( $GET{'ret'} == 1 && LJ::check_referer() ) {
my $uniq = BML::get_request()->notes->{uniq};
if ($uniq) {
LJ::MemCache::set("loginout:$uniq", 1, time() + 15);
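Review bot: The test `$POST{'ref'} =~ /\Q$LJ::DOMAIN\E/` kept on the new line 35 is unanchored, so the new comment `# page on our site` overstates it: any string that merely contains the domain passes, and that user-supplied value is handed verbatim to BML::redirect two lines later, which leaves an externally controlled redirect target. Since this commit makes LJ::check_referer the single place that decides whether a URL is on-site, the positive check should go through the same helper (its second argument already accepts an explicit URL on line 36) or at least an anchored match such as `m{\A\Q$LJ::SITEROOT\E(?:/|\z)}`, so that one function owns the rule; what the helper accepts as a "no particular path" first argument is not visible here and should be confirmed. The removed lines of logout.bml carried the same unanchored pattern and this commit does replace those with check_referer(), so login.bml is the only place where the substring match survives.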
diff -r efa4d53fc342 -r 48a8800d5eec htdocs/logout.bml
--- a/htdocs/logout.bml Wed Aug 12 01:27:16 2009 -0500
+++ b/htdocs/logout.bml Thu Aug 13 18:38:11 2009 -0500
@@ -48,13 +48,10 @@
$u->logout;
# Redirect within the site if ret=1
- my $referer = BML::get_client_header('Referer');
- if ($GET{'ret'} == 1 && $referer && $referer =~ /\Q$LJ::DOMAIN\E/) {
+ if ( $GET{'ret'} == 1 && LJ::check_referer() ) {
my $uniq = DW::Request->get->note('uniq');
- if ($uniq) {
- LJ::MemCache::set("loginout:$uniq", 1, time() + 15);
- }
- return BML::redirect("$referer");
+ LJ::MemCache::set( "loginout:$uniq", 1, time() + 15 ) if $uniq;
+ return BML::redirect( BML::get_client_header('Referer') );
}
# Redirect to offsite uri if allowed.
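Review bot: The redirect on line 59 re-reads the raw Referer header and passes it unchanged to BML::redirect, so the only thing standing between an arbitrary Referer value and the redirect is the `LJ::check_referer()` call on line 52; that invariant deserves a comment on the redirect line, e.g. `# check_referer() has already verified the Referer is on-site, so it is safe to redirect to as-is`. The removed code additionally required `$referer` to be non-empty before redirecting, whereas the new code relies on check_referer() being false for a missing header — its body is not in this diff, so confirm that, or BML::redirect will receive undef. The `uniq`/memcache block on lines 53 and 58 is the same code this commit also touches in login.bml's elsif branch; a small shared helper would keep the two copies in step.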
--------------------------------------------------------------------------------
