Background:
In includes/functions.php there exists code to prevent redirecting to domains outside of the scope of the phpBB installation. However, the code prevents redirecting to subdomains and www/non-www domains.
I believe there needs to be a means to allow redirecting to any domain / subdomain that is covered by the phpBB cookie set. For example with the following cookie settings:
Cookie Domain: .domain.com
phpBB Installation: forum.domain.com
Main Site: www.domain.com
If I setup a redirect outside of the subdomain, phpBB will prevent this in an effort to block malicious redirecting. However, I think it fair that phpBB should allow a redirect to anywhere where the phpBB cookie is valid.
Potential Fix:
This can be fixed in the includes/functions.php file, by modifying the redirect function. The easiest, but perhaps not the most elegant solution is to compare the $url_parts['host'] (the requested redirect's host name) to $config['cookie_domain'] (the specified cookie domain).
There are generally 4 configurations for the cookie domain:
- Empty
- domain.com
- .domain.com
- subdomain.domain.com or www.domain.com
The redirect function would need to compare the ending of the requested redirection host to see if it qualifies as a valid redirection domain.
An empty cookie domain skips and fails the test.
A cookie domain that does or does not start with the dot can match a redirection domain that is exactly equal to domain.com, or has a subdomain + domain.com.
If the cookie domain specifies either www or a subdomain, the redirection domain must match exactly.
Code Example:
This code seems to work with the above conditions. Though it isn't very elegant and merely skips any other redirect checks if it is successful.
if (!$disable_cd_check && !empty($config['cookie_domain']) && !empty($url_parts['host']))
|
{
|
if (strpos($config['cookie_domain'], '.') === 0 && substr($url_parts['host'], -strlen($config['cookie_domain'])) !== $config['cookie_domain'] && substr($config['cookie_domain'], 1) !== $url_parts['host'])
|
{
|
trigger_error('INSECURE_REDIRECT', E_USER_WARNING);
|
}
|
else if (strpos($config['cookie_domain'], '.') !== 0 && substr($url_parts['host'], -strlen($config['cookie_domain'])-1) !== '.' . $config['cookie_domain'] && $url_parts['host'] !== $config['cookie_domain'])
|
{
|
trigger_error('INSECURE_REDIRECT', E_USER_WARNING);
|
}
|
else
|
{
|
//Passes cookie check
|
$disable_cd_check = true;
|
}
|
}
|
The variable $config needs to be set as a global for the redirect function.