Uploaded image for project: 'phpBB'
  1. phpBB
  2. PHPBB-15945

Allow redirection to subdomains based on cookie domain

XMLWordPrintable

    • Icon: Improvement Improvement
    • Resolution: Won't Do
    • Icon: Minor Minor
    • None
    • 3.2.3, 3.2.4, 3.2.5
    • Login
    • PHP 7.2.13

      Background:

      In includes/functions.php there exists code to prevent redirecting to domains outside of the scope of the phpBB installation. However, the code prevents redirecting to subdomains and www/non-www domains.

      I believe there needs to be a means to allow redirecting to any domain / subdomain that is covered by the phpBB cookie set. For example with the following cookie settings:

      Cookie Domain: .domain.com
      phpBB Installation: forum.domain.com
      Main Site: www.domain.com

      If I setup a redirect outside of the subdomain, phpBB will prevent this in an effort to block malicious redirecting. However, I think it fair that phpBB should allow a redirect to anywhere where the phpBB cookie is valid.

       

      Potential Fix:

      This can be fixed in the includes/functions.php file, by modifying the redirect function. The easiest, but perhaps not the most elegant solution is to compare the $url_parts['host'] (the requested redirect's host name) to $config['cookie_domain'] (the specified cookie domain).

      There are generally 4 configurations for the cookie domain:

      The redirect function would need to compare the ending of the requested redirection host to see if it qualifies as a valid redirection domain.

      An empty cookie domain skips and fails the test.

      A cookie domain that does or does not start with the dot can match a redirection domain that is exactly equal to domain.com, or has a subdomain + domain.com.

      If the cookie domain specifies either www or a subdomain, the redirection domain must match exactly.

       

      Code Example:

      This code seems to work with the above conditions. Though it isn't very elegant and merely skips any other redirect checks if it is successful.

      if (!$disable_cd_check && !empty($config['cookie_domain']) && !empty($url_parts['host']))
      {
      	if (strpos($config['cookie_domain'], '.') === 0 && substr($url_parts['host'], -strlen($config['cookie_domain'])) !== $config['cookie_domain'] && substr($config['cookie_domain'], 1) !== $url_parts['host'])
      	{
      		trigger_error('INSECURE_REDIRECT', E_USER_WARNING);				
      	}
      	else if (strpos($config['cookie_domain'], '.') !== 0 && substr($url_parts['host'], -strlen($config['cookie_domain'])-1) !== '.' . $config['cookie_domain'] && $url_parts['host'] !== $config['cookie_domain'])
      	{
      		trigger_error('INSECURE_REDIRECT', E_USER_WARNING);
      	}
      	else
      	{
      		//Passes cookie check
      		$disable_cd_check = true;	
      	}
      }

      The variable $config needs to be set as a global for the redirect function.

            Marc Marc
            Ectoman AJ Quick [X] (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: