ID: 31459
Updated by: [EMAIL PROTECTED]
Reported By: motion_4u at hotmail dot com
-Status: Open
+Status: Bogus
Bug Type: URL related
Operating System: all
PHP Version: 4.3.10
New Comment:
The HTTP_REFERER variable is populated by the browser, and if
getenv('HTTP_REFERER') returns false, then the browser didn't send it
to the server.
Make sure your browser sends it; until then, it's not a PHP bug.
Previous Comments:
------------------------------------------------------------------------
[2005-01-09 22:24:20] motion_4u at hotmail dot com
Description:
------------
This page includes an included file called "refer.php" containing 2
lines as follows:
<?php $refer = getenv('HTTP_REFERER');
return $refer; ?>
If the function "getenv('HTTP_REFERER')" works correctly, you should
see the URL of this subdirectory + "refer.php" below
REFERER: <-- You see nothing!
The code for this file is as follows:
<?php
$ref = include "refer.php";
echo $ref;
?>
The basic purpose of the "getenv('HTTP_REFERER')" function is very simple!
It has to return the URL of the caller.
At first glance it seems like something not important at all, but
actually it is a major security problem for those who rely on the
"getenv('HTTP_REFERER')" function to identify the caller page to return
a hidden value using the "include" function back only to a predefined URL.
Reproduce code:
---------------
You can access the URL to test it right here:
http://motion4u.sytes.net/phpreferertest/index.php
Expected result:
----------------
Must return a URL and not nothing!
You don't even get NULL!
Actual result:
--------------
OK, I keep it as short as possible! Only one word:
Zilch
------------------------------------------------------------------------
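Added example, not part of the bug report or of PHP itself: a command-line script showing that an included file sees only the Referer the client supplied with the current request (possibly none), next to an include guard that relies on server-side state instead. The temporary file names, the APP_ENTRY constant and the example.test URL are assumptions made for the illustration.

```php
<?php
// Added example; the temp files and the APP_ENTRY constant are hypothetical.
$dir = sys_get_temp_dir() . '/referer_demo_' . getmypid();
mkdir($dir);

// refer.php as posted in the report: returns the Referer of the current request.
file_put_contents("$dir/refer.php", "<?php return getenv('HTTP_REFERER');\n");

// secret.php: hands out its value only to scripts that defined APP_ENTRY first.
file_put_contents(
    "$dir/secret.php",
    "<?php if (!defined('APP_ENTRY')) { return null; }\nreturn 'hidden value';\n"
);

// Case 1: the client sent no Referer header, so the variable does not exist.
putenv('HTTP_REFERER');
$absent = include "$dir/refer.php";

// Case 2: constructed value standing in for whatever a client chooses to send.
// include reads a local file; it makes no HTTP request and adds no Referer,
// so refer.php sees exactly what the including request carried.
putenv('HTTP_REFERER=http://example.test/claimed-by-client');
$claimed = include "$dir/refer.php";

// Case 3: the guard depends on server-side state, not on a request header.
$beforeDefine = include "$dir/secret.php";
define('APP_ENTRY', true);
$afterDefine = include "$dir/secret.php";

var_dump($absent, $claimed, $beforeDefine, $afterDefine);

unlink("$dir/refer.php");
unlink("$dir/secret.php");
rmdir($dir);
```

Run it with the PHP command-line binary; under a web server the same getenv() call reads the header of the incoming request rather than the process environment.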