arc_redirect

monkeyninja · 2011-08-17 18:21:35

Current version: v1.2.0

Redirect URLs producing Textpattern 404 error pages to other URLs anywhere on your site or the web using a 301 permanently moved server message.

Requirements: Textpattern 4.5+

Full documentation and download link.

Check out arc_redirect’s GitHub repository for the latest development version and issues/feature requests.

Last edited by monkeyninja (2014-09-09 19:24:16)

colak · 2011-08-18 07:14:04

Hi Andy. What’s the difference between yours and redirect pro?

Gocom · 2011-08-18 08:48:45

Nice work Andy. I took a quick look at the code. Nice. Not much to complain, some small and some bigger stuff I noticed:

arc_redirect() has dangerous publicly accessible SQL injection hole. $url will need to be escaped with doSlash() before using in the query.
In arc_redirect(), safe_row() could be used to select the row instead of building your own.
TXP’s serverSet() can be used to return $_SERVER variables and has build in isset check.
TXP also has handy txp_status_header() for setting HTTP status.
In arc_redirect() and arc_redirect_save() stripping the final slash could be done with simple rtrim(), i.e. rtrim($url, '/').
arc_redirect_edit() and arc_redirect_multiedit() have SQL injection issues. $id needs to be escaped.
In arc_redirect_save(), $id, $originalUrl and $redirectUrl will need to be escaped.
In arc_redirect_install() you can freely up the maximum varchar lenght to 255 as it doesn’t effect base space requirement or performance. Anything below 255 uses the same resources. The longer addresses you can use, the better. Setting the default value for the varchars, and defining as NOT NULL might help compatibility.

If you aren’t concerned about backward compatibility, you could look at TXP v4.4.1’s new security additions, CSRF protection. Take a look at form(), tInput(), and bouncer().

monkeyninja wrote:

Check out arc_redirect’s GitHub repository for the latest development version and issues/feature requests.

Btw, you have issues turned off ;-)

Redirect URLs producing Textpattern 404 error pages to other URLs anywhere on your site or the web using a 301 permanently moved server message.

What about the 404 status Textpattern itself returns and sends? Doesn’t the client use the first one sent, and the 301 header is sent after 404.

$url = PROTOCOL.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];

Some plugins (couple very common big ones) directly modify REQUEST_URI, which might cause problems, i.e. the redirect not working. You could go over that problem by picking and storing REQUEST_URI in different variable as soon as the plugin is called, and then using that variable in the callback function.

Anyways, hope that helps. Sorry that I don’t have the necessary time (and patience) to compile a patch file or fork it.

Last edited by Gocom (2011-08-18 08:57:57)

monkeyninja · 2011-08-18 19:05:51

Big thank you Jukka for the feedback. I’ve already deployed a load of your suggestions to the plugins code, particularly the security holes (can’t believe I lazily let them get ignored).

Gocom wrote:

What about the 404 status Textpattern itself returns and sends? Doesn’t the client use the first one sent, and the 301 header is sent after 404.

I wasn’t sure whether the 404 status was getting returned before the plugins 301 or not. In my tests I thought that the 301 was getting used (Google seemed to be correctly modifying its indexes).

Gocom · 2011-08-18 20:03:55

monkeyninja wrote:

Big thank you Jukka for the feedback. I’ve already deployed a load of your suggestions to the plugins code, particularly the security holes (can’t believe I lazily let them get ignored).

Heh, no problem. The plugin looks much better now with improved security. If you don’t mind I took second look, and I have couple more:

In arc_redirect_add() don’t use un-prefixed global named ID as it’s in global scope and can cause collisions. You should give it prefix, i.e. $GLOBALS['arc_redirect_ID'] or you could remove the line completely as you are not using it at the moment.
In arc_redirect_save() and arc_redirect_add() you are better off doing trim() before escaping. doSlash() also escapes newlines and other white-space stuff trim could clean before espacing. As escaping is done before, the trim has no effect other than to spaces.
arc_redirect_save only receives POST data when the interface is used legitimately. You could change gps() calls to ps() to prevent nasty linking (CSRF).
In arc_redirect_list() the $redirect['originalUrl'] and $redirect['redirectUrl'] should be tokenized to prevent accidental (or intentional) HTML/JavaScript injecting. This can be done with htmlspecialchars() in the columns that display the full URLs, and with urlencode() in links if needed.
In arc_redirect() the $redirect['redirectUrl'] used in the header should probably be escaped somesorts (urlencode()?) to prevent headers from breaking when running to colons or others like that.

Last edited by Gocom (2011-08-18 20:09:48)

monkeyninja · 2014-01-26 13:02:01

Finally updated to version 1.1 so that it now supports properly supports Textpattern v4.5+. Now that it looks better in the latest Textpattern I can start to turn my attention to making further improvements to the plugin.

monkeyninja · 2014-09-09 19:26:10

arc_redirect v1.2.0 is now available. It now allows you to use absolute URLs for the redirects, setup temporary redirect rules and comes with a number of security fixes and general improvements.

Enjoy :-)

colak · 2015-05-02 10:04:07

Just a quick post to thank you for this plugin. I’m using it to redirect all wp and fckeditor hackers to google. Hopefully my stat logs will stop showing all the url combinations they use as I expect them to be giving us earlier.

colak · 2015-05-02 10:35:34

Also do you happen to have an older secure version of the plugin which works on txp 4.4.x?

candyman · 2015-05-02 11:46:45

colak wrote #290366:

I’m using it to redirect all wp and fckeditor hackers to google. Hopefully my stat logs will stop showing all the url combinations they use as I expect them to be giving us earlier.

Can you explain me how did you obtained that?
I thought that the plugin was for 404 only.

Last edited by candyman (2015-05-02 11:48:37)

Textpattern CMS

Textpattern CMS support forum

#1 2011-08-17 18:21:35

arc_redirect

#2 2011-08-18 07:14:04

Re: arc_redirect

#3 2011-08-18 08:48:45

Re: arc_redirect

#4 2011-08-18 19:05:51

Re: arc_redirect

#5 2011-08-18 20:03:55

Re: arc_redirect

#6 2014-01-26 13:02:01

Re: arc_redirect

#7 2014-09-09 19:26:10

Re: arc_redirect

#8 2015-05-02 10:04:07

Re: arc_redirect

#9 2015-05-02 10:35:34

Re: arc_redirect

#10 2015-05-02 11:46:45

Re: arc_redirect

colak wrote #290366:

Board footer