
check that the options array contains valid items added
This commit adds a check that the config array for the referrer
allow list contains valid options, because the behaviour of explode in
this context means that even if the options field is empty at least
one array item, with the value '', will be created.

Also Kahlan has been removed from the composer file and composer update
rerun
jkeasley committed Oct 23, 2023
1 parent 9948a1e commit b2295cb
Showing 4 changed files with 19 additions and 76 deletions.
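--- a/composer.json
+++ b/composer.json
@@ -5,8 +5,7 @@
 },
 "require-dev": {
 "dxw/phar-install": "^1.1",
-"friendsofphp/php-cs-fixer": "^2.0",
-"kahlan/kahlan": "^4.7"
+"friendsofphp/php-cs-fixer": "^2.0"
 },
 "scripts": {
 "post-update-cmd": "vendor/bin/phar-install"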
60 changes: 1 addition & 59 deletions composer.lock


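--- a/redirect.php
+++ b/redirect.php
@@ -90,21 +90,23 @@ function dxw_members_only_referrer_in_allow_list()
 * If there is no referrer header, or if we have no configured referrers to
 * whitelist we can stop here.
 */
-if (isset($_SERVER['HTTP_REFERER']) && count($referrer_list) > 0) {
+if (isset($_SERVER['HTTP_REFERER'])) {
 foreach ($referrer_list as $referrer) {
-/*
-* Add the site url to the referrer string to ensure that external
-* referrers can't be used here.
-*/
-$whitelisted_referrer = get_site_url().$referrer;
-$referrer_check = strpos($_SERVER['HTTP_REFERER'],$whitelisted_referrer);
-/*
-* Check that there is a match, and that match is at the start of the referrer string.
-* This is to ensure that the referrer being whitelisted can't be fooled by having
-* a whitelisted referrer passed in as a parameter on the referrer string.
-*/
-if ($referrer_check !==false && $referrer_check == 0){
-return true;
+if (!empty($referrer)) {
+/*
+* Add the site url to the referrer string to ensure that external
+* referrers can't be used here.
+*/
+$whitelisted_referrer = get_site_url() . $referrer;
+$referrer_check = strpos($_SERVER['HTTP_REFERER'], $whitelisted_referrer);
+/*
+* Check that there is a match, and that match is at the start of the referrer string.
+* This is to ensure that the referrer being whitelisted can't be fooled by having
+* a whitelisted referrer passed in as a parameter on the referrer string.
+*/
+if ($referrer_check !== false && $referrer_check == 0) {
+return true;
+}
 }
 }
 }
@@ -201,4 +203,4 @@ function dxw_members_only_referrer_in_allow_list()
 
 header('Cache-Control: private, max-age=' . $max_age);
 dxw_members_only_redirect($path === '/');
-}, -99999999999);
+}, -99999999999);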
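Review bot: The guard `if (!empty($referrer)) {` is wider than the problem the description names: `empty()` also rejects the option string `'0'`, and it does not strip whitespace, so if the option list is comma-space separated the entries after the first would keep their leading space and never match; since the intent is only to drop the `''` item that explode yields, `if (trim($referrer) !== '') {` (then using the trimmed value) states that exactly. The match test `$referrer_check !== false && $referrer_check == 0` can be reduced to the single strict comparison `$referrer_check === 0`. Note also that `strpos(...) === 0` is a plain prefix test, so if the options are bare path prefixes, an option of `/members` would also accept a referrer path such as `/members-archive` (constructed example); either terminate each option with a path boundary or compare the `parse_url()` path component of the referrer against the option explicitly. The `explode()` that builds `$referrer_list` and the rest of `dxw_members_only_referrer_in_allow_list()` lie outside the hunk.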
Binary file modified vendor.phar
