Is gho_if_referer still working with TXP 4.5.7?

uli · 2016-09-01 13:32:59

Does someone have a version newer than my v2008.1 or a fixed version of the plugin that’s working with Textpattern 4.5.7?

Or can someone tell why I’m getting errors with my code?

<txp:gho_if_referer string="http://localhost:8888/directoryName/"> MyClassName</txp:gho_if_referer>

Errors (translated):

Tag error: <txp:gho_if_referer string="http://localhost:8888/directoryName/"> ->  Notice: Undefined variable: string while parsing form navis on page textseiten

textpattern/lib/txplib_publish.php:426 gho_if_referer()
textpattern/lib/txplib_publish.php:339 processTags()
textpattern/publish/taghandlers.php:3789 parse()
textpattern/lib/txplib_publish.php:426 if_section()
textpattern/lib/txplib_publish.php:339 processTags()
textpattern/lib/txplib_misc.php:1974 parse()
textpattern/publish/taghandlers.php:305 parse_form()
textpattern/lib/txplib_publish.php:426 output_form()
textpattern/lib/txplib_publish.php:326 processTags()
textpattern/publish.php:544 parse()

Plus 2x error Undefined variable: match with the same Textpattern file instances

The plugin code itself is one of the tiniest I’ve seen:

function gho_if_referer($atts, $text){
    $yes = array('yes', '1', 'true', 'enable');
    if (empty($atts['string'])){
        $match == false;
    } elseif ((isset($atts['regexp']) && in_array($atts['regexp'], $yes)) && eregi($string, $_SERVER['HTTP_REFERER'])){
        $match == true;
    } elseif (strpos($_SERVER['HTTP_REFERER'], $string)){
        $match == true;
    } else {
        $match == false;
    };
    return parse(EvalElse($text, $match));
}

Replacing eregi by preg_match gives me the same errors, BTW.

etc · 2016-09-01 19:41:24

Hi Uli, try to replace $string with $atts['string'] in the code.

uli · 2016-09-01 20:19:05

Thanks, Oleg, good shot, that removed the string error!

Do you have any idea that I could try for the two match errors?

etc · 2016-09-01 20:56:15

uli wrote #300933:

Do you have any idea that I could try for the two match errors?

Replace $match == with $match =. I wonder how this plugin worked at all.

uli · 2016-09-01 21:35:52

Yay, match errors are gone now! Now I’m getting a single Notice: Undefined index: HTTP_REFERER with all of the above code references.

I wonder how this plugin worked at all.

Yes, I understand, and though it might look like a fault on my level of PHP: $match == is not a previous attempt of mine to fix the thing :)

etc · 2016-09-02 20:37:43

uli wrote #300936:

Now I’m getting a single Notice: Undefined index: HTTP_REFERER with all of the above code references.

This happens when $_SERVER['HTTP_REFERER'] is not set, e.g. when you access the site directly from the browsers address bar. Replace if (empty($atts['string'])) with

if (empty($atts['string']) || empty($_SERVER['HTTP_REFERER']))

to get rid of this warning. Another flaw is

elseif (strpos($_SERVER['HTTP_REFERER'], $string))

should be

elseif (strpos($_SERVER['HTTP_REFERER'], $string) !== false)

FWIW, $_SERVER['HTTP_REFERER'] is set by the client, so potentially unreliable/harmful.

uli · 2016-09-02 21:13:44

Thanks for stopping by here once again, Oleg!

undefined index is gone now, but I seem to have called the Undefined variable: string error back somehow. TXP references remain exactly the same.

For clarity, here’s the code I’ve put together so far:

function gho_if_referer($atts, $text){
	$yes = array('yes', '1', 'true', 'enable');
    if (empty($atts['string']) || empty($_SERVER['HTTP_REFERER'])){
        $match = false;
    } elseif ((isset($atts['regexp']) && in_array($atts['regexp'], $yes)) && eregi($atts['string'], $_SERVER['HTTP_REFERER'])){
        $match = true;
    } elseif (strpos($_SERVER['HTTP_REFERER'], $string) !== false){
        $match = true;
    } else {
        $match = false;
    };
    return parse(EvalElse($text, $match));
}

Edit: Pasted in the exact error message.

uli · 2016-09-02 21:24:45

$_SERVER['HTTP_REFERER'] is set by the client, so potentially unreliable/harmful.

I intend to just add different CSS classes. Could that be exploited, too?

jakob · 2016-09-02 21:39:57

uli wrote #300989:

undefined index is gone now, but I seem to have called the Undefined variable: string error back somehow.

Maybe it’s the reference to string towards the end of the second elseif, replaced here:

function gho_if_referer($atts, $text){
	$yes = array('yes', '1', 'true', 'enable');
    if (empty($atts['string']) || empty($_SERVER['HTTP_REFERER'])){
        $match = false;
    } elseif ((isset($atts['regexp']) && in_array($atts['regexp'], $yes)) && eregi($atts['string'], $_SERVER['HTTP_REFERER'])){
        $match = true;
    } elseif (strpos($_SERVER['HTTP_REFERER'], $atts['string']) !== false){
        $match = true;
    } else {
        $match = false;
    };
    return parse(EvalElse($text, $match));
}

uli wrote #300990:

I intend to just add different CSS classes. Could that be exploited, too?

I doubt that. I think Oleg meant that while it generally sends the referer in normal use, it is manipulable so if you were using it to allow access to something (maybe a download) only available to people coming from a certain referer, it could be got around. Oleg, correct me if I’m wrong.

uli · 2016-09-02 21:59:49

That seems to be the final blow of hammer! No errors so far.

Big thanks to both of you! :)

uli · 2016-09-02 22:06:40

Oh no, I was wrong, it always gives out true now!

Edit: Changed eregi to preg_match cause as soon as I try the regexp attribute I got an additional warning on top of my

Tag error: 
<txp:gho_if_referer string="http://localhost:8888/directoryName/$" regexp="true"> ->  
Warning: preg_match(): Delimiter must not be alphanumeric or backslash

(Tried $ in order to find out how the plugin judges my referer string, why it gives out true.)

Last edited by uli (2016-09-02 22:22:16)

jakob · 2016-09-03 08:04:58

uli wrote #300996:

Warning: preg_match(): Delimiter must not be alphanumeric or backslash

I think that means that if you use the regex option, your string must begin and end with markers for the pattern. Traditionally that’s a slash, which is a problem with an url, because you’d need to escape (\/) all slashes in your url.

Try using another non-alphanumeric delimiter around your string, e.g.:

<txp:gho_if_referer string="#http://localhost:8888/directoryName/$#" regexp="true"> …

But it would probably be better if the plugin added those of its own accord. Here’s a stab at that (adding a hash to the beginning and end of the string for the case where regex = yes, true, 1 or enable):

function gho_if_referer($atts, $text){
	$yes = array('yes', '1', 'true', 'enable');
    if (empty($atts['string']) || empty($_SERVER['HTTP_REFERER'])){
        $match = false;
    } elseif ((isset($atts['regexp']) && in_array($atts['regexp'], $yes)) && preg_match('#'.$atts['string'].'#', $_SERVER['HTTP_REFERER'])){
        $match = true;
    } elseif (strpos($_SERVER['HTTP_REFERER'], $atts['string']) !== false){
        $match = true;
    } else {
        $match = false;
    };
    return parse(EvalElse($text, $match));
}

I don’t know if $_SERVER['HTTP_REFERER'] also passes the hash section of a possible referer. If so, maybe # is not a good choice for a delimiter either.

Textpattern CMS

Textpattern CMS support forum

#1 2016-09-01 13:32:59