Edit report at https://bugs.php.net/bug.php?id=64174&edit=1

 ID:                 64174
 Updated by:         bj...@php.net
 Reported by:        php dot net at dzubak dot sk
 Summary:            AJAX request blocked for bad origin
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            Website problem
 PHP Version:        Irrelevant
 Assigned To:        googleguy
 Block user comment: N
 Private report:     N

 New Comment:

This was fixed a few weeks ago


Previous Comments:
------------------------------------------------------------------------
[2013-03-17 21:03:47] tyr...@php.net

hm, on a second thought: we have a separate IP configured for the php.net website, and no other catch-all virtual host is configured, so an HTTP request to that IP would end up served by the php.net website, even if the Host header is bogus or malicious, and I suppose that there are a couple of mirrors with a similar setup, so we should validate the HTTP_HOST before using it.

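One way to apply the validation suggested above (and the earlier idea of deriving the origin from $_SERVER['HTTP_HOST']) is to check the Host header against the list of hostnames a mirror legitimately answers for, and fall back to the mirror's primary host otherwise. The block below is an added example, not code from php.net or from this report; the function names, the mirror host list and the sample requests are constructed for illustration.

```php
<?php
// Added example (not php.net's own code): derive the CORS origin from a
// validated Host header instead of reflecting $_SERVER['HTTP_HOST'] blindly.
// The allowed-host list, the primary host and the sample requests are
// constructed placeholders.

/**
 * Return the request host if it is one of the hosts this mirror legitimately
 * answers for, otherwise the configured primary host. An optional :port
 * suffix is stripped and case is ignored before comparison.
 */
function resolve_trusted_host(?string $httpHost, array $allowedHosts, string $primaryHost): string
{
    if ($httpHost === null || $httpHost === '') {
        return $primaryHost;
    }
    // Drop a trailing :port and normalise case.
    $host = strtolower(preg_replace('/:\d+$/', '', $httpHost));
    // Reject anything that is not a plain DNS-style hostname (no user@,
    // no path, no IPv6 brackets) before consulting the allow-list.
    if (!preg_match('/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/', $host)) {
        return $primaryHost;
    }
    return in_array($host, $allowedHosts, true) ? $host : $primaryHost;
}

/**
 * Build the Access-Control-Allow-Origin value for a same-site AJAX request.
 * Only a validated host is ever reflected, so a bogus Host header cannot
 * become an arbitrary allowed origin.
 */
function cors_origin_for_request(array $server, array $allowedHosts, string $primaryHost): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = resolve_trusted_host($server['HTTP_HOST'] ?? null, $allowedHosts, $primaryHost);
    return $scheme . '://' . $host;
}

// Constructed configuration for one hypothetical mirror: the aliases it is
// reached under, and the host used when the request host is not trusted.
$allowedHosts = ['php.net', 'www.php.net', 'us.php.net', 'us1.php.net'];
$primaryHost  = 'www.php.net';

// Constructed sample requests: two legitimate aliases (one with a port and
// mixed case) and one request carrying a bogus Host header.
$samples = [
    ['HTTP_HOST' => 'php.net'],
    ['HTTP_HOST' => 'US1.php.net:443', 'HTTPS' => 'on'],
    ['HTTP_HOST' => 'bogus.example'],
];
foreach ($samples as $server) {
    echo cors_origin_for_request($server, $allowedHosts, $primaryHost), PHP_EOL;
}

// When run under a web SAPI, emit the header for the real request.
if (PHP_SAPI !== 'cli') {
    header('Access-Control-Allow-Origin: ' . cors_origin_for_request($_SERVER, $allowedHosts, $primaryHost));
}
```

The allow-list is the part that does the work: a catch-all virtual host serving the site for any Host value means the header alone is not trustworthy, so the check has to be done in the application (or in the web server's virtual-host configuration) rather than assumed.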
------------------------------------------------------------------------
[2013-03-17 20:56:46] tyr...@php.net

'I had to keep the javascript relative to the host being used'
yeah, the problem is that we set a <base href="{$_SERVER['BASE_HREF']}" /> explicitly, where the BASE_HREF is set from the primary domain of the specific mirror being used, so if a mirror is visited on a non-primary host (which is perfectly normal, like with or without www, or us.php.net vs us1.php.net) the actual host and the host set via the base href will be different.
I think for now it would be safe to use the $_SERVER['HTTP_HOST'] and in the long run we should move everything to relative URLs anyway.

------------------------------------------------------------------------
[2013-03-09 21:25:20] php dot net at dzubak dot sk

$_SERVER['HTTP_HOST'] is a user supplied header - yes, but the webserver will show the PHP.net website only for a valid $_SERVER['HTTP_HOST'] header.

In practice: it is user supplied and server filtered = safe.

------------------------------------------------------------------------
[2013-03-09 21:22:53] google...@php.net

$_SERVER['HTTP_HOST'] is a user supplied header and would be unreliable here.

The issue here is that php.net and www.php.net are the same thing in terms of which server you're connecting to, but unfortunately they won't be seen as one and the same by your client UA. If infrastructure would have allowed for a better solution I probably would have used it.

------------------------------------------------------------------------
[2013-03-09 21:08:18] php dot net at dzubak dot sk

Isn't it possible to have a dynamic origin, based on $_SERVER['HTTP_HOST']?

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=64174



-- 
PHP Webmaster List Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
