Textpattern CMS support forum
#1 2011-08-17 18:21:35
- monkeyninja
- Plugin Author
- From: Sheffield, UK
- Registered: 2008-10-14
- Posts: 238
- Website
arc_redirect
Current version: v1.2.0
Redirect URLs producing Textpattern 404 error pages to other URLs anywhere on your site or the web using a 301 permanently moved server message.
Requirements: Textpattern 4.5+
Full documentation and download link.
Check out arc_redirect’s GitHub repository for the latest development version and issues/feature requests.
Last edited by monkeyninja (2014-09-09 19:24:16)
Offline
#2 2011-08-18 07:14:04
- colak
- Admin
- From: Cyprus
- Registered: 2004-11-20
- Posts: 7,372
- Website
Re: arc_redirect
Hi Andy. What’s the difference between yours and redirect pro?
Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | Respbublika! | NeMe @ github
Offline
#3 2011-08-18 08:48:45
- Gocom
- Plugin Author
- From: Helsinki, Finland
- Registered: 2006-07-14
- Posts: 4,533
- Website
Re: arc_redirect
Nice work Andy. I took a quick look at the code. Nice. Not much to complain about, some small and some bigger stuff I noticed:
- arc_redirect() has dangerous publicly accessible SQL injection hole. $url will need to be escaped with doSlash() before using in the query.
- In arc_redirect(), safe_row() could be used to select the row instead of building your own.
- TXP’s serverSet() can be used to return $_SERVER variables and has built-in isset check.
- TXP also has handy txp_status_header() for setting HTTP status.
- In arc_redirect() and arc_redirect_save() stripping the final slash could be done with simple rtrim(), i.e. rtrim($url, '/').
- arc_redirect_edit() and arc_redirect_multiedit() have SQL injection issues. $id needs to be escaped.
- In arc_redirect_save(), $id, $originalUrl and $redirectUrl will need to be escaped.
- In arc_redirect_install() you can freely up the maximum varchar length to 255 as it doesn’t affect base space requirement or performance. Anything below 255 uses the same resources. The longer addresses you can use, the better. Setting the default value for the varchars, and defining as NOT NULL might help compatibility.
If you aren’t concerned about backward compatibility, you could look at TXP v4.4.1’s new security additions, CSRF protection. Take a look at form(), tInput(), and bouncer().
monkeyninja wrote:
Check out arc_redirect’s GitHub repository for the latest development version and issues/feature requests.
Btw, you have issues turned off ;-)
Redirect URLs producing Textpattern 404 error pages to other URLs anywhere on your site or the web using a 301 permanently moved server message.
What about the 404 status Textpattern itself returns and sends? Doesn’t the client use the first one sent, and the 301 header is sent after 404.
$url = PROTOCOL.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
Some plugins (couple very common big ones) directly modify REQUEST_URI, which might cause problems, i.e. the redirect not working. You could go over that problem by picking and storing REQUEST_URI in different variable as soon as the plugin is called, and then using that variable in the callback function.
Anyways, hope that helps. Sorry that I don’t have the necessary time (and patience) to compile a patch file or fork it.
Last edited by Gocom (2011-08-18 08:57:57)
Offline
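Added example, not part of Gocom's post or the plugin's code: the lookup by request URL that the review flags, first with the URL concatenated into the query and then with it passed as data. So that it runs outside Textpattern it uses PDO with an in-memory SQLite database and a bound parameter as a stand-in for the doSlash() inside safe_row() approach named in the post; the table name arc_redirect, the example.test URLs and the function names are assumptions.

```php
<?php
// Constructed table and rows. Only the column names originalUrl / redirectUrl
// come from the thread; the table name and URLs are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE arc_redirect (
    originalUrl VARCHAR(255) NOT NULL,
    redirectUrl VARCHAR(255) NOT NULL)');
$db->exec("INSERT INTO arc_redirect VALUES
    ('http://example.test/old',   'http://example.test/new'),
    ('http://example.test/promo', 'http://example.test/shop')");

// "Before": the request URL becomes part of the SQL text, so a quote
// character in it ends the string literal and the rest is parsed as SQL.
function lookup_unsafe(PDO $db, string $url): array
{
    $sql = "SELECT redirectUrl FROM arc_redirect WHERE originalUrl = '"
         . rtrim($url, '/') . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "After": the URL is sent as a bound value and is never parsed as SQL.
// rtrim() normalises the trailing slash, as the review suggests.
function lookup_safe(PDO $db, string $url): array
{
    $stmt = $db->prepare(
        'SELECT redirectUrl FROM arc_redirect WHERE originalUrl = ? LIMIT 1');
    $stmt->execute([rtrim($url, '/')]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request URLs: one ordinary, one carrying a quote character.
$requests = [
    'http://example.test/old/',
    "http://example.test/none' OR '1'='1",
];
foreach ($requests as $url) {
    printf("%-38s unsafe: %d row(s)  safe: %d row(s)\n",
        $url,
        count(lookup_unsafe($db, $url)),
        count(lookup_safe($db, $url)));
}
```

The second request matches no stored redirect, so any rows returned by the concatenated query are the sign that request data was interpreted as SQL.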
#4 2011-08-18 19:05:51
- monkeyninja
- Plugin Author
- From: Sheffield, UK
- Registered: 2008-10-14
- Posts: 238
- Website
Re: arc_redirect
Big thank you Jukka for the feedback. I’ve already deployed a load of your suggestions to the plugin’s code, particularly the security holes (can’t believe I lazily let them get ignored).
Gocom wrote:
What about the 404 status Textpattern itself returns and sends? Doesn’t the client use the first one sent, and the 301 header is sent after 404.
I wasn’t sure whether the 404 status was getting returned before the plugin’s 301 or not. In my tests I thought that the 301 was getting used (Google seemed to be correctly modifying its indexes).
Offline
#5 2011-08-18 20:03:55
- Gocom
- Plugin Author
- From: Helsinki, Finland
- Registered: 2006-07-14
- Posts: 4,533
- Website
Re: arc_redirect
monkeyninja wrote:
Big thank you Jukka for the feedback. I’ve already deployed a load of your suggestions to the plugin’s code, particularly the security holes (can’t believe I lazily let them get ignored).
Heh, no problem. The plugin looks much better now with improved security. If you don’t mind I took a second look, and I have a couple more:
- In arc_redirect_add() don’t use un-prefixed global named ID as it’s in global scope and can cause collisions. You should give it prefix, i.e. $GLOBALS['arc_redirect_ID'] or you could remove the line completely as you are not using it at the moment.
- In arc_redirect_save() and arc_redirect_add() you are better off doing trim() before escaping. doSlash() also escapes newlines and other white-space stuff trim could clean before escaping. As escaping is done before, the trim has no effect other than to spaces.
- arc_redirect_save only receives POST data when the interface is used legitimately. You could change gps() calls to ps() to prevent nasty linking (CSRF).
- In arc_redirect_list() the $redirect['originalUrl'] and $redirect['redirectUrl'] should be tokenized to prevent accidental (or intentional) HTML/JavaScript injecting. This can be done with htmlspecialchars() in the columns that display the full URLs, and with urlencode() in links if needed.
- In arc_redirect() the $redirect['redirectUrl'] used in the header should probably be escaped of some sort (urlencode()?) to prevent headers from breaking when running to colons or others like that.
Last edited by Gocom (2011-08-18 20:09:48)
Offline
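Added example, not part of Gocom's post or the plugin's code: one way to handle the stored URLs on the way out, HTML-encoding them for the admin list and checking the redirect target before it is placed in a Location header. It validates the target rather than passing the whole value through urlencode(); the function names, the accepted schemes and the sample rows are assumptions.

```php
<?php
// Encode stored values for the list columns that display the full URLs.
function render_row(array $redirect): string
{
    $from = htmlspecialchars($redirect['originalUrl'], ENT_QUOTES, 'UTF-8');
    $to   = htmlspecialchars($redirect['redirectUrl'], ENT_QUOTES, 'UTF-8');
    return "<tr><td>$from</td><td>$to</td></tr>";
}

// Return a target that is safe to place after "Location: ", or null.
// trim() runs on the raw value first, before any escaping or checking.
function clean_target(string $raw): ?string
{
    $url = trim($raw);
    // Control characters (CR/LF included), spaces and backslashes are rejected.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return null;
    }
    // Site-relative path; "//host" is protocol-relative and handled below.
    if ($url[0] === '/' && substr($url, 0, 2) !== '//') {
        return $url;
    }
    // Absolute URL: only http and https are accepted (assumption).
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Constructed rows, shaped like the $redirect arrays named in the thread.
$rows = [
    ['originalUrl' => '/old-page',
     'redirectUrl' => " /new-page\n"],
    ['originalUrl' => '/x"><script>alert(1)</script>',
     'redirectUrl' => "http://example.test/a\r\nX-Added: 1"],
    ['originalUrl' => '/feed',
     'redirectUrl' => 'javascript:void(0)'],
];
foreach ($rows as $row) {
    echo render_row($row), "\n";
    $target = clean_target($row['redirectUrl']);
    echo $target === null ? "  target rejected\n" : "  Location: $target\n";
}
```

Running the same check when a rule is saved keeps bad targets out of the table, and running it again before header() covers rows that were stored before the check existed.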
#6 2014-01-26 13:02:01
- monkeyninja
- Plugin Author
- From: Sheffield, UK
- Registered: 2008-10-14
- Posts: 238
- Website
Re: arc_redirect
Finally updated to version 1.1 so that it now properly supports Textpattern v4.5+. Now that it looks better in the latest Textpattern I can start to turn my attention to making further improvements to the plugin.
Offline
#7 2014-09-09 19:26:10
- monkeyninja
- Plugin Author
- From: Sheffield, UK
- Registered: 2008-10-14
- Posts: 238
- Website
Re: arc_redirect
arc_redirect v1.2.0 is now available. It now allows you to use absolute URLs for the redirects, set up temporary redirect rules and comes with a number of security fixes and general improvements.
Enjoy :-)
Offline
#8 2015-05-02 10:04:07
- colak
- Admin
- From: Cyprus
- Registered: 2004-11-20
- Posts: 7,372
- Website
Re: arc_redirect
Just a quick post to thank you for this plugin. I’m using it to redirect all wp and fckeditor hackers to google. Hopefully my stat logs will stop showing all the url combinations they use as I expect them to be giving us earlier.
Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | Respbublika! | NeMe @ github
Offline
#9 2015-05-02 10:35:34
- colak
- Admin
- From: Cyprus
- Registered: 2004-11-20
- Posts: 7,372
- Website
Re: arc_redirect
Also do you happen to have an older secure version of the plugin which works on txp 4.4.x?
Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | Respbublika! | NeMe @ github
Offline
#10 2015-05-02 11:46:45
- candyman
- Member
- From: Italy
- Registered: 2006-08-08
- Posts: 684
Re: arc_redirect
colak wrote #290366:
I’m using it to redirect all wp and fckeditor hackers to google. Hopefully my stat logs will stop showing all the url combinations they use as I expect them to be giving us earlier.
Can you explain to me how you obtained that?
I thought that the plugin was for 404 only.
Last edited by candyman (2015-05-02 11:48:37)
Offline