Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> RavenNuke(tm) v2.5x
Author Message
horror-code
New Member
New Member



Joined: Apr 29, 2013
Posts: 23

PostPosted: Sat May 04, 2013 6:25 am Reply with quote

I know I have a way with titles.

I was tired of the simple you must login to use this feature text which then requires a user to navigate manually to the login page so I went ahead and opened up /modules/Your_Account/includes/functions.php and found the notuser function around line 489. I have modified it so it looks like this:

Code:


function notuser() {
   include_once 'header.php';
   OpenTable();
   $forward = str_replace('redirect=', '', $redirect);
   if ($redirect != '') {
      Header('Location: ' . $redirect);
   } else {
      Header('Location: account.html');
   }
   die();
   CloseTable();
   include_once 'footer.php';
}
?>


I can verify it works properly. The question is what is the redirect stuff doing here? Can I get it to listen to the incoming request and then set Your Account to redirect to the originally requested page after logging in?

And is the method I used above secure?
 
View user's profile Send private message
Palbin
Site Admin



Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania

PostPosted: Sat May 04, 2013 6:55 am Reply with quote

You only really need this:
Code:


function notuser() {
   Header('Location: account.html');
   die();
}
?>


Now that does account for any kind of redirect. I think redirecting to a certain module or other semi predefined address would be ok, but would be very leery of allowing any redirect with any parameter. What are you looking to do?

_________________
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." — Brian W. Kernighan. 
View user's profile Send private message
horror-code







PostPosted: Sat May 04, 2013 7:05 am Reply with quote

It would just be nice if it redirected to the originating page at least. Would that be possible, say if one were trying to change the theme from their account page and somehow got logged out, it would then redirect them to login. After which it would redirect them back to the accounts/theme page?

So basically get the referring url and pass that back?

It doesn't have to pass the original parameters.
 
nuken
RavenNuke(tm) Development Team



Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina

PostPosted: Sat May 04, 2013 1:33 pm Reply with quote

I'm not sure if this is what you mean or not, but if you want the user to return to the page they were on after they use the login colorbox, look in modules/Your_Account/index.php and find:
Code:


} elseif ($redirect == '') {
            Header('Location: modules.php?name=Your_Account&op=userinfo&bypass=1&username=' . $username);


and replace with:
Code:


} elseif ($redirect == '') {
            Header('Location: ' . $_SERVER['HTTP_REFERER']);


That might do it for you.

_________________
Tricked Out News 
View user's profile Send private message Send e-mail Visit poster's website
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Thu May 09, 2013 6:23 pm Reply with quote

I would not recommend trusting $_SERVER['HTTP_REFERER']. You would be opening up your users to potentially vicious CSRF or XSS attacks. The Golden Rule of Development: Never trust your input.

Personally, I would make sure and test the content of that referer to make sure it is coming from your domain and the rest of it is "cleansed" to. I just don't think it is worth the trouble unless you know what you're doing and can code that...

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... 
View user's profile Send private message Visit poster's website
horror-code







PostPosted: Fri May 10, 2013 12:04 am Reply with quote

Will the functionality for anonymous users changing themes ever return? I

s there some way to get the actual url that is being passed or does it actually insert something into the db that can't be done with a url?

As that might be a much simpler solution to this specific case, where I might run into other scenarios down the road, I haven't yet.
 
Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

PostPosted: Mon May 13, 2013 3:42 pm Reply with quote

horror-code wrote:
Will the functionality for anonymous users changing themes ever return?

As far as I remember, theme selection has always been part of the users settings, so therefore the user has to be logged in to see it and change it.
However, I believe their is a 'theme preview' block that uses javascript and probably a cookie to switch themes temporarily, so that would work for 'real' users who are anonymous.
I'm not certain is this would get blocked due our recent introduction of a setting to show a specific theme to anonymous users or not because I haven't tried it.
 
View user's profile Send private message Send e-mail
hicuxunicorniobestbuildpc
The Mouse Is Extension Of Arm



Joined: Aug 13, 2009
Posts: 1122

PostPosted: Tue May 14, 2013 7:09 am Reply with quote

what do u recommend then montego?

The only way I know it is this one

Code:
         if (($ya_config['tos'] == 1) AND ($_POST['tos_yes'] == 1)) {

            $db->sql_query('UPDATE ' . $user_prefix . '_users SET agreedtos=\'1\' WHERE username=\'' . $setinfo['username'] . '\'');
            $forward = str_replace('redirect=', '', $redirect);
            if ($redirect != '') {
               Header('Location: ' . $redirect);
            } else {
            Header('Location: index.php');
               //Header('Location: modules.php?name=Your_Account&op=userinfo&bypass=1&username=' . $setinfo['username']);
            }
            die();
         }
      }
 
View user's profile Send private message
montego







PostPosted: Wed May 15, 2013 7:22 am Reply with quote

hicuxunicorniobestbuildpc wrote:
what do u recommend then montego?


Sorry, hicux, I already did (indirectly) here:

Quote:

I just don't think it is worth the trouble unless you know what you're doing and can code that...


And I pointed you to what you would need to code for here:

Quote:

make sure and test the content of that referer to make sure it is coming from your domain and the rest of it is "cleansed" to


I am not going to code it for you... Wink I'm sure you can find many examples of how to parse a URL (there is even several PHP functions to do this and I'm sure even preg_match() examples). The bottom line is you want to essentially "whitelist" what you are looking for, make sure that is what you are getting in the REFERER, and only redirect if its "good".
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> RavenNuke(tm) v2.5x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©