Bug #17227

Shortcut to external URL if referer-check enabled

Added by Stefan Neufeind over 14 years ago. Updated about 6 years ago.

Status: Rejected
Priority: Should have
Assignee: -
Category: -
Target version:
Start date: 2007-04-21
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.1
PHP Version: 4.3
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

Set up a tree with:

- somepage
( having domain-records for
www.example.com
www.example2.com)
-- someredirpage (shortcut to external URL)

set config.baseURL=http://www.example.com/index.php in setup on somepage

Try1:
Now open http://www.example.com/, click a link that takes you to someredirpage. Works!

Try2:
Now open http://www.example2.com/, click a link that takes you to someredirpage. Because of baseURL now that link changes to www.example.com. The page "someredirpage" is opened. However the shortcut is not followed but the content of this "page" is displayed. (Which in most cases might either be empty or might contain some testing-garbage.)

This problem is reproducible here. If I use TamperData (firefox-extension) to remove or alter the referer of my request for http://www.example.com/someredirpage.html, then that Shortcut is correctly delivered to the browser. If that referer is something in www.example.com (first click to another page, then to someredirpage) then it also works fine. Seems to be dependent on the referer.

Workaround: Set "doNotCheckReferer" in installation-tool.

Also same behaviour with 4.1.1 (final).
(issue imported from #M5470)


Related issues

Related to TYPO3 Core - Bug #16547: Link to external URL page doesn't forward (Closed, 2006-12-13)
Related to TYPO3 Core - Bug #19223: Redirect type does not redirect when HTTP referrer is an external site (Rejected, 2008-08-15)

#1

Updated by Christoph Lemmer almost 14 years ago

Got exactly the same problem with 4.1.2

#2

Updated by Stefan Neufeind over 13 years ago

Seems to still occur with at least 4.1.5 (no newer release tested).

#3

Updated by Stefan Neufeind over 13 years ago

related to #0009182

#4

Updated by Charles Coleman about 12 years ago

This is STILL an issue in 4.2.6. When I set "doNotCheckReferer" in the install tool it seems to be a work around. This issue still needs to be fixed! Disabling referer is not a fix... it's a hack.

#5

Updated by Niels Pardon over 11 years ago

I'm suffering from that misbehaviour, too. TYPO3 4.3.3 and 4.2.10.

#6

Updated by Michael Kittlitz about 11 years ago

Same Problem over here too, with typo3 4.4.4

#7

Updated by David Voigt about 11 years ago

Yes, same Problem over here too, with TYPO3 4.4.4.

#8

Updated by Steffen Gebert almost 11 years ago

Does this also occur, when you redirect example2.com to example.com? Because of duplicate content, sites shouldn't be reachable under different domains. Wouldn't this be a better workaround?

However it really seems like there's a bug somewhere.. anybody willing to dig into the "external link" generation?

#9

Updated by Tamer Erdogan almost 11 years ago

Same Problem with TYPO3 4.4.6.

I have found the reason and I have two possible solutions for the problem.
The reason is in typo3/sysext/cms/tslib/index_ts.php
// ************************
// Check JumpUrl
// ***********************
$TSFE->setExternalJumpUrl();
$TSFE->checkJumpUrlReferer();

After the setExternalJumpUrl, the referer will be controlled and if it fails, the function checkJumpUrlReferer deletes jumpurl.

1. Solution:
It is not useful to check the referers of the jumpurl. That is why delete the line:
$TSFE->checkJumpUrlReferer(); in typo3/sysext/cms/tslib/index_ts.php.
And the function checkJumpUrlReferer can also be deleted in typo3/sysext/cms/tslib/class.tslib_fe.php, because it is only used here.

2. Solution:
Add a new configuration variable to typo3, e.g: TYPO3_CONF_VARS['SYS']['checkJumpUrlReferer'], and use this variable in the function checkJumpUrlReferer in /cms/tslib/class.tslib_fe.php instead of TYPO3_CONF_VARS['SYS']['doNotCheckReferer']. And it would be useful to have default value of this variable as 0.

I would prefer the first solution.

#10

Updated by Mirko Schaal about 10 years ago

  • Target version changed from 0 to 4.5.7

This is still open in 4.5.5

#11

Updated by Chris topher about 10 years ago

  • Target version changed from 4.5.7 to 4.5.8

#12

Updated by Björn Pedersen almost 10 years ago

Another solution:
If the check is done, do it correctly: Use the domain record.

#13

Updated by Björn Pedersen almost 10 years ago

Looking closer at the code, the same check is also done in checkDataSubmission for fe_tce and formmail. So this should check there, too.

#14

Updated by Ernesto Baschny almost 10 years ago

  • Target version changed from 4.5.8 to 4.5.12

#15

Updated by Christian Nölle almost 9 years ago

Still an issue in 4.5.22 :)

#16

Updated by Stefan Galinski almost 9 years ago

  • Category deleted (Communication)
  • Status changed from New to Accepted

#17

Updated by Helmut Hummel over 8 years ago

Steffen Gebert wrote:

> Does this also occur, when you redirect example2.com to example.com? Because of duplicate content, sites shouldn't be reachable under different domains. Wouldn't this be a better workaround?

I agree.

#18

Updated by Helmut Hummel over 8 years ago

Tamer Erdogan wrote:

> 1. Solution:
> It is not useful to check the referers of the jumpurl. That is why delete the line:
> $TSFE->checkJumpUrlReferer(); in typo3/sysext/cms/tslib/index_ts.php.

I would not object to this solution, since we have introduced a hash to secure the redirect for pages of type external URL.

> And the function checkJumpUrlReferer can also be deleted in typo3/sysext/cms/tslib/class.tslib_fe.php, because it is only used here.

This cannot be done of course in released versions, but I would not object to delete this method in 6.1 without deprecation, but it would also not harm to have it empty and throw a deprecation message for 2 versions.

Anyone willing to push a patch to gerrit?
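
Added example, not part of the thread and not TYPO3 code: a PHP model contrasting the same-host Referer check described in comment #9, the domain-record variant suggested in comment #12, and the hash-bound redirect mentioned in comment #18. Function names, the key and the sample requests are constructed, and HMAC-SHA256 is this example's assumption, since the thread only says that a hash was introduced.

```php
<?php
// Added illustration, not TYPO3 source. Function names, the key and the
// sample requests are constructed for this example.

// Model of the check as the thread describes it: a Referer naming a host
// other than the requested one suppresses the redirect; no Referer passes.
function refererSameHost(?string $referer, string $requestHost): bool
{
    $host = $referer ? parse_url($referer, PHP_URL_HOST) : null;
    return !$host || strcasecmp($host, $requestHost) === 0;
}

// Variant suggested in comment #12: accept any host from the domain records.
function refererInDomainRecords(?string $referer, array $domainRecords): bool
{
    $host = $referer ? parse_url($referer, PHP_URL_HOST) : null;
    return !$host || in_array(strtolower($host), $domainRecords, true);
}

// Alternative from comment #18: bind the target to a keyed hash, so the
// decision no longer depends on a header the client controls (assumed HMAC).
function signTarget(string $url, string $key): string
{
    return hash_hmac('sha256', $url, $key);
}

function targetIsSigned(string $url, string $hash, string $key): bool
{
    return hash_equals(signTarget($url, $key), $hash);
}

$domains = ['www.example.com', 'www.example2.com'];
$key     = 'constructed-demo-key';           // placeholder secret
$target  = 'https://external.example.org/';  // constructed shortcut target
$hash    = signTarget($target, $key);

$cases = [
    'Try1: same domain'   => 'http://www.example.com/',
    'Try2: second domain' => 'http://www.example2.com/',
    'search engine'       => 'https://search.example.net/?q=x',
    'no Referer sent'     => null,
];
foreach ($cases as $label => $referer) {
    printf("%-20s same-host=%-3s domain-records=%-3s hash=%s\n", $label,
        refererSameHost($referer, 'www.example.com') ? 'yes' : 'no',
        refererInDomainRecords($referer, $domains) ? 'yes' : 'no',
        targetIsSigned($target, $hash, $key) ? 'yes' : 'no');
}
// A target that was altered after signing is checked against the same hash.
printf("altered target accepted=%s\n",
    targetIsSigned('https://other.example.org/', $hash, $key) ? 'yes' : 'no');
```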

#19

Updated by Stefan Kaufmann almost 8 years ago

Problem still persists in TYPO3 6.1.7, workaround still: Set "doNotCheckReferer" = 1 in installation-tool.

#20

Updated by Patric Pesch over 7 years ago

Helmut Hummel wrote:

> Steffen Gebert wrote:
>
> > Does this also occur, when you redirect example2.com to example.com? Because of duplicate content, sites shouldn't be reachable under different domains. Wouldn't this be a better workaround?
>
> I agree.

I disagree! If a canonical url is set, there are no duplicate content problems. And there are many reasons for a multidomain setup.

But the bug does not need a multidomain setup. In my case I changed several doktypes to 3 (redirect) after a redesign. Now the problem are the previous indexed pages in Google: all calls from Google don't open the redirect url but an empty page (STATUS 200), because an external referer is set.

Now I set doNotCheckReferer and the redirects work as suspected (302). But I am not sure, which side effects now exists.

+ edit +
TYPO3 6.18

#21

Updated by Ben N over 6 years ago

> Now I set doNotCheckReferer and the redirects work as suspected (302). But I am not sure, which side effects now exists.

Could anyone please comment on possible side effects if any?

#22

Updated by Stefan Neufeind about 6 years ago

  • Status changed from Accepted to Rejected
  • Is Regression set to No

Shouldn't be a problem on 7 LTS anymore (external links rendered directly). And not a priority-bugfix for 6.2.
