Textpattern CMS support forum
arc_redirect
Current version: v1.2.0
Redirect URLs producing Textpattern 404 error pages to other URLs anywhere on your site or the web using a 301 permanently moved server message.
Requirements: Textpattern 4.5+
Full documentation and download link.
Check out arc_redirect’s GitHub repository for the latest development version and issues/feature requests.
Last edited by monkeyninja (2014-09-09 19:24:16)
Re: arc_redirect
Hi Andy. What’s the difference between yours and redirect pro?
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: arc_redirect
Nice work Andy. I took a quick look at the code. Nice. Not much to complain about, some small and some bigger stuff I noticed:

- arc_redirect() has a dangerous publicly accessible SQL injection hole. $url will need to be escaped with doSlash() before using in the query.
- In arc_redirect(), safe_row() could be used to select the row instead of building your own.
- TXP's serverSet() can be used to return $_SERVER variables and has a built-in isset check.
- TXP also has handy txp_status_header() for setting HTTP status.
- In arc_redirect() and arc_redirect_save() stripping the final slash could be done with the simpler rtrim(), i.e. rtrim($url, '/').
- arc_redirect_edit() and arc_redirect_multiedit() have SQL injection issues. $id needs to be escaped.
- In arc_redirect_save(), $id, $originalUrl and $redirectUrl will need to be escaped.
- In arc_redirect_install() you can freely up the maximum varchar length to 255 as it doesn't affect base space requirement or performance. Anything below 255 uses the same resources. The longer addresses you can use, the better. Setting the default value for the varchars, and defining them as NOT NULL, might help compatibility.

If you aren't concerned about backward compatibility, you could look at TXP v4.4.1's new security additions, CSRF protection. Take a look at form(), tInput(), and bouncer().
monkeyninja wrote:
Check out arc_redirect’s GitHub repository for the latest development version and issues/feature requests.
Btw, you have issues turned off ;-)
Redirect URLs producing Textpattern 404 error pages to other URLs anywhere on your site or the web using a 301 permanently moved server message.
What about the 404 status Textpattern itself returns and sends? Doesn’t the client use the first one sent, and the 301 header is sent after 404.
$url = PROTOCOL.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
Some plugins (couple very common big ones) directly modify REQUEST_URI, which might cause problems, i.e. the redirect not working. You could go over that problem by picking and storing REQUEST_URI in different variable as soon as the plugin is called, and then using that variable in the callback function.
Anyways, hope that helps. Sorry that I don’t have the necessary time (and patience) to compile a patch file or fork it.
Last edited by Gocom (2011-08-18 08:57:57)
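As an added illustration of the review above (written for this edit; it is not arc_redirect's own code, which the thread does not show), here is the unsafe query shape the review describes beside a hardened 404 callback built from the Textpattern helpers it names. The table name arc_redirect, its columns originalUrl and redirectUrl, and the txp_die callback hook are assumptions. The hardened version also answers the 404-versus-301 question in the same post: PHP's header() lets a later status line replace an earlier one as long as no response body has been sent, so the 301 is what the client receives.

```php
<?php
// Added example (not arc_redirect's own code): the public 404 callback in the
// unsafe shape the review describes and in a hardened form. Assumptions: a
// table arc_redirect with columns originalUrl and redirectUrl, and the
// 'txp_die' callback event fired from Textpattern's txp_die().

// ---- Unsafe shape ----------------------------------------------------------
// $url comes from $_SERVER['REQUEST_URI'], which the client controls, and is
// dropped into the SQL string unescaped: a single quote in the request path
// ends the literal and whatever follows is parsed as SQL.
function arc_redirect_unsafe($event, $step)
{
    $url = PROTOCOL.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
    $url = rtrim($url, '/');
    $rs  = getRow("SELECT redirectUrl FROM ".PFX."arc_redirect WHERE originalUrl = '$url'");

    if ($rs) {
        header('HTTP/1.1 301 Moved Permanently');
        header('Location: '.$rs['redirectUrl']);
        exit;
    }
}

// ---- Hardened form ---------------------------------------------------------
if (@txpinterface == 'public') {
    // Copy REQUEST_URI as soon as the plugin loads: other plugins may rewrite
    // $_SERVER['REQUEST_URI'] before the 404 fires. serverSet() does the
    // isset() check for us.
    $GLOBALS['arc_redirect_request_uri'] = serverSet('REQUEST_URI');

    register_callback('arc_redirect', 'txp_die', '404');
}

function arc_redirect($event, $step)
{
    // rtrim() replaces a hand-rolled "strip the trailing slash".
    $url = rtrim(PROTOCOL.serverSet('SERVER_NAME').$GLOBALS['arc_redirect_request_uri'], '/');

    // doSlash() escapes the value for the SQL literal; safe_row() builds the
    // SELECT (and prepends the table prefix), so no query is assembled by hand.
    $redirect = safe_row('redirectUrl', 'arc_redirect', "originalUrl = '".doSlash($url)."'");

    if (!$redirect) {
        return; // no rule: let Textpattern's 404 page go out as usual
    }

    // If Textpattern has already sent "404 Not Found" for this request, no
    // body has gone out yet, so this status line replaces it: the client and
    // search engines see the 301, not the 404.
    txp_status_header('301 Moved Permanently');
    header('Location: '.$redirect['redirectUrl']);
    exit;
}
```

Copying REQUEST_URI at load time is the workaround the review suggests for plugins that rewrite it; the unsafe function is included only for comparison and is not something to deploy.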
Re: arc_redirect
Big thank you Jukka for the feedback. I've already deployed a load of your suggestions to the plugin's code, particularly the security holes (can't believe I lazily let them get ignored).
Gocom wrote:
What about the 404 status Textpattern itself returns and sends? Doesn’t the client use the first one sent, and the 301 header is sent after 404.
I wasn't sure whether the 404 status was getting returned before the plugin's 301 or not. In my tests I thought that the 301 was getting used (Google seemed to be correctly modifying its indexes).
Re: arc_redirect
monkeyninja wrote:
Big thank you Jukka for the feedback. I've already deployed a load of your suggestions to the plugin's code, particularly the security holes (can't believe I lazily let them get ignored).
Heh, no problem. The plugin looks much better now with improved security. If you don't mind I took a second look, and I have a couple more:

- In arc_redirect_add() don't use an un-prefixed global named ID as it's in global scope and can cause collisions. You should give it a prefix, i.e. $GLOBALS['arc_redirect_ID'], or you could remove the line completely as you are not using it at the moment.
- In arc_redirect_save() and arc_redirect_add() you are better off doing trim() before escaping. doSlash() also escapes newlines and other white-space stuff trim could clean before escaping. As escaping is done before, the trim has no effect other than on spaces.
- arc_redirect_save only receives POST data when the interface is used legitimately. You could change gps() calls to ps() to prevent nasty linking (CSRF).
- In arc_redirect_list() the $redirect['originalUrl'] and $redirect['redirectUrl'] should be tokenized to prevent accidental (or intentional) HTML/JavaScript injecting. This can be done with htmlspecialchars() in the columns that display the full URLs, and with urlencode() in links if needed.
- In arc_redirect() the $redirect['redirectUrl'] used in the header should probably be escaped somehow (urlencode()?) to prevent headers from breaking when running into colons or others like that.
Last edited by Gocom (2011-08-18 20:09:48)
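An added example of the admin-side points in the second review (again written for this edit, not the plugin's code): POST-only input via ps(), trim() before doSlash(), bouncer() with the CSRF token, HTML-encoding in the list, and a Location-safe redirect target. The table, column, event and step names are assumptions; ps(), doSlash(), safe_rows(), safe_insert(), safe_update(), bouncer(), tr(), td() and href() are Textpattern's helpers. On the last review point, urlencode() across the whole redirect URL would also encode the scheme's colon and slashes, so the example strips CR, LF and NUL and accepts only a site-relative path or an http(s) URL instead.

```php
<?php
// Added example, not arc_redirect's own code. Admin-side handlers shaped after
// the second review. Assumed names: table arc_redirect (columns id,
// originalUrl, redirectUrl), admin event 'arc_redirect', steps list/edit/save.

if (@txpinterface == 'admin') {
    register_callback('arc_redirect_admin', 'arc_redirect');
}

function arc_redirect_admin($event, $step)
{
    $available_steps = array(
        'list' => false, // read-only: no token required
        'edit' => false, // read-only (the edit form itself is not shown here)
        'save' => true,  // changes data: must carry the _txp_token from tInput()
    );

    // bouncer() (TXP 4.4.1+) rejects unknown steps and, for steps marked true,
    // any request whose CSRF token does not validate.
    if (!$step || !bouncer($step, $available_steps)) {
        $step = 'list';
    }

    switch ($step) {
        case 'save':
            arc_redirect_save();
            // fall through: show the list after saving
        default:
            arc_redirect_list();
    }
}

// Remove anything that could break or smuggle a Location header, then accept
// only a site-relative path (not a protocol-relative //host) or an absolute
// http(s) URL. Everything else (javascript:, data:, garbage) becomes ''.
function arc_redirect_clean_target($url)
{
    $url = str_replace(array("\r", "\n", "\0"), '', $url);
    return preg_match('#^(/(?!/)|https?://)#i', $url) ? $url : '';
}

function arc_redirect_save()
{
    // ps() reads POST only; gps() would also honour GET, so a crafted link
    // could create or overwrite a rule (CSRF).
    // trim() before doSlash(): doSlash() escapes newlines and other
    // whitespace, so trimming afterwards would only ever strip plain spaces.
    $id          = intval(ps('id')); // numeric: cast it, do not quote it
    $originalUrl = doSlash(rtrim(trim(ps('originalUrl')), '/'));
    $redirectUrl = doSlash(arc_redirect_clean_target(trim(ps('redirectUrl'))));

    if ($originalUrl === '' || $redirectUrl === '') {
        return false;
    }

    $set = "originalUrl = '$originalUrl', redirectUrl = '$redirectUrl'";

    // $id is an int here, so "id = $id" cannot carry other SQL.
    return $id
        ? safe_update('arc_redirect', $set, "id = $id")
        : safe_insert('arc_redirect', $set);
}

function arc_redirect_list()
{
    $out = '';
    foreach (safe_rows('id, originalUrl, redirectUrl', 'arc_redirect', '1=1 ORDER BY originalUrl') as $redirect) {
        // Stored URLs are user-supplied text: HTML-encode them so a rule
        // containing "<script>" cannot run in the admin panel, and cast the
        // id that goes into the edit link.
        $out .= tr(
            td(htmlspecialchars($redirect['originalUrl'])).
            td(htmlspecialchars($redirect['redirectUrl'])).
            td(href('Edit', 'index.php?event=arc_redirect&amp;step=edit&amp;id='.intval($redirect['id'])))
        );
    }
    echo '<table>'.$out.'</table>';
}
```

The edit form (not shown) should be emitted with form() and include tInput() in its contents, so the hidden _txp_token that bouncer() checks on the save step is present.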
Re: arc_redirect
Finally updated to version 1.1 so that it now properly supports Textpattern v4.5+. Now that it looks better in the latest Textpattern I can start to turn my attention to making further improvements to the plugin.
Re: arc_redirect
arc_redirect v1.2.0 is now available. It now allows you to use absolute URLs for the redirects, setup temporary redirect rules and comes with a number of security fixes and general improvements.
Enjoy :-)
Re: arc_redirect
Just a quick post to thank you for this plugin. I’m using it to redirect all wp and fckeditor hackers to google. Hopefully my stat logs will stop showing all the url combinations they use as I expect them to be giving us earlier.
Yiannis
Re: arc_redirect
Also do you happen to have an older secure version of the plugin which works on txp 4.4.x?
Yiannis
#10 2015-05-02 11:46:45, candyman (Member, from Italy; registered 2006-08-08; 684 posts)
Re: arc_redirect
colak wrote #290366:
I’m using it to redirect all wp and fckeditor hackers to google. Hopefully my stat logs will stop showing all the url combinations they use as I expect them to be giving us earlier.
Can you explain to me how you obtained that?
I thought that the plugin was for 404 only.
Last edited by candyman (2015-05-02 11:48:37)
Re: arc_redirect
candyman wrote #290368:
Can you explain to me how you obtained that?
I thought that the plugin was for 404 only.
I check in my logs for repeated patterns from people who try to hack my sites. A regular one is
http://site.tld/wp-content/plugins which I redirect to google.com
there are about 20 variations of different wp based urls and about 10 for fckeditor.
I know that I could be redirecting via htaccess but I prefer using the web interface offered by the plugin.
Yiannis