Bug #17227 (closed): Shortcut to external URL if referer-check enabled
Description
Set up a tree with:
- somepage (having domain records for www.example.com and www.example2.com)
-- someredirpage (shortcut to external URL)
Set config.baseURL=http://www.example.com/index.php in the setup on somepage.
Try1:
Now open http://www.example.com/, click a link that takes you to someredirpage. Works!
Try2:
Now open http://www.example2.com/, click a link that takes you to someredirpage. Because of baseURL, that link now changes to www.example.com. The page "someredirpage" is opened. However, the shortcut is not followed; instead the content of this "page" is displayed. (Which in most cases might either be empty or might contain some testing garbage.)
This problem is reproducible here. If I use TamperData (Firefox extension) to remove or alter the referer of my request for http://www.example.com/someredirpage.html, then that shortcut is correctly delivered to the browser. If that referer is something in www.example.com (first click to another page, then to someredirpage), then it also works fine. Seems to be dependent on the referer.
Workaround: Set "doNotCheckReferer" in the installation tool.
The same behaviour also occurs with 4.1.1 (final).
(issue imported from #M5470)
Updated by Christoph Lemmer over 16 years ago
Got exactly the same problem with 4.1.2.
Updated by Stefan Neufeind over 16 years ago
Seems to still occur with at least 4.1.5 (no newer release tested).
Updated by Charles Coleman about 15 years ago
This is STILL an issue in 4.2.6. When I set "doNotCheckReferer" in the install tool it seems to be a work around. This issue still needs to be fixed! Disabling referer is not a fix... it's a hack.
Updated by Niels Pardon over 14 years ago
I'm suffering from that misbehaviour, too. TYPO3 4.3.3 and 4.2.10.
Updated by Michael Kittlitz about 14 years ago
Same problem over here too, with TYPO3 4.4.4.
Updated by David Voigt almost 14 years ago
Yes, same problem over here too, with TYPO3 4.4.4.
Updated by Steffen Gebert almost 14 years ago
Does this also occur, when you redirect example2.com to example.com? Because of duplicate content, sites shouldn't be reachable under different domains. Wouldn't this be a better workaround?
However, it really seems like there's a bug somewhere... anybody willing to dig into the "external link" generation?
Updated by Tamer Erdogan almost 14 years ago
Same problem with TYPO3 4.4.6.
I have found the reason and I have two possible solutions for the problem.
The reason is in typo3/sysext/cms/tslib/index_ts.php:
// ************************
// Check JumpUrl
// ***********************
$TSFE->setExternalJumpUrl();
$TSFE->checkJumpUrlReferer();
After setExternalJumpUrl, the referer is checked and if the check fails, the function checkJumpUrlReferer deletes the jumpurl.
1. Solution:
It is not useful to check the referers of the jumpurl. That is why the line
$TSFE->checkJumpUrlReferer();
in typo3/sysext/cms/tslib/index_ts.php should be deleted.
And the function checkJumpUrlReferer can also be deleted in typo3/sysext/cms/tslib/class.tslib_fe.php, because it is only used here.
2. Solution:
Add a new configuration variable to TYPO3, e.g. TYPO3_CONF_VARS['SYS']['checkJumpUrlReferer'], and use this variable in the function checkJumpUrlReferer in /cms/tslib/class.tslib_fe.php instead of TYPO3_CONF_VARS['SYS']['doNotCheckReferer']. It would be useful for this variable to default to 0.
I would prefer the first solution.
Updated by Mirko Schaal about 13 years ago
- Target version changed from 0 to 4.5.7
This is still open in 4.5.5.
Updated by Chris topher about 13 years ago
- Target version changed from 4.5.7 to 4.5.8
Updated by Björn Pedersen almost 13 years ago
Another solution:
If the check is done, do it correctly: Use the domain record.
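A small model of the flow Tamer describes (jumpurl set first, then dropped when the referer fails the check) beside the domain-record check Björn proposes. This is an added example, not TYPO3 code; the function names and host values are constructed, and it assumes a missing Referer header is accepted, as the TamperData test in the report suggests.

```python
from urllib.parse import urlparse

# Constructed setup matching the report: one site with two domain
# records, but config.baseURL naming only the first of them.
BASE_URL = "http://www.example.com/index.php"
DOMAIN_RECORDS = {"www.example.com", "www.example2.com"}
JUMP_URL = "http://external.invalid/target"  # constructed shortcut target


def referer_host(referer):
    """Lower-cased host of a Referer header, or None if the header is absent."""
    if not referer:
        return None
    return (urlparse(referer).hostname or "").lower() or None


def jumpurl_after_check(referer, allowed_hosts, do_not_check_referer=False):
    """Return the jumpurl that survives the referer check, or None if dropped.

    do_not_check_referer models the "doNotCheckReferer" workaround: the
    check is skipped entirely, so every referer (or none) is accepted.
    """
    if do_not_check_referer:
        return JUMP_URL
    host = referer_host(referer)
    if host is None or host in allowed_hosts:
        return JUMP_URL
    # Referer from some other host: the jumpurl is cleared and the page
    # body is rendered instead, which is the empty-page symptom reported.
    return None


def check_against_base_url(referer):
    """Reported behaviour: only the baseURL host counts as 'our' site."""
    return jumpurl_after_check(referer, {urlparse(BASE_URL).hostname})


def check_against_domain_records(referer):
    """Björn's proposal: every domain record of the site is an allowed host."""
    return jumpurl_after_check(referer, DOMAIN_RECORDS)
```

Checking against the domain records fixes the multi-domain case in the report, but a referer from outside the site (Patric's search-engine case below) is still dropped; only the workaround, or removing the check as Tamer suggests, accepts it.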
Updated by Björn Pedersen almost 13 years ago
Looking closer at the code, the same check is also done in checkDataSubmission for fe_tce and formmail. So this should be checked there, too.
Updated by Ernesto Baschny almost 13 years ago
- Target version changed from 4.5.8 to 4.5.12
Updated by Stefan Galinski over 11 years ago
- Category deleted (Communication)
- Status changed from New to Accepted
Updated by Helmut Hummel over 11 years ago
Steffen Gebert wrote:
Does this also occur, when you redirect example2.com to example.com? Because of duplicate content, sites shouldn't be reachable under different domains. Wouldn't this be a better workaround?
I agree.
Updated by Helmut Hummel over 11 years ago
Tamer Erdogan wrote:
1. Solution:
It is not useful to check the referers of the jumpurl. That is why the line
$TSFE->checkJumpUrlReferer();
in typo3/sysext/cms/tslib/index_ts.php should be deleted.
I would not object to this solution, since we have introduced a hash to secure the redirect for pages of type external URL.
And the function checkJumpUrlReferer can also be deleted in typo3/sysext/cms/tslib/class.tslib_fe.php, because it is only used here.
This cannot be done in released versions, of course, but I would not object to deleting this method in 6.1 without deprecation; it would also not harm to leave it empty and throw a deprecation message for 2 versions.
Anyone willing to push a patch to gerrit?
Updated by Stefan Kaufmann almost 11 years ago
Problem still persists in TYPO3 6.1.7; workaround still: set "doNotCheckReferer" = 1 in the installation tool.
Updated by Patric Pesch over 10 years ago
Helmut Hummel wrote:
Steffen Gebert wrote:
Does this also occur, when you redirect example2.com to example.com? Because of duplicate content, sites shouldn't be reachable under different domains. Wouldn't this be a better workaround?
I agree.
I disagree! If a canonical URL is set, there are no duplicate content problems. And there are many reasons for a multi-domain setup.
But the bug does not need a multi-domain setup. In my case I changed several doktypes to 3 (redirect) after a redesign. Now the problem is the previously indexed pages in Google: all calls from Google don't open the redirect URL but an empty page (status 200), because an external referer is set.
Now I set doNotCheckReferer and the redirects work as suspected (302). But I am not sure which side effects now exist.
+ edit +
TYPO3 6.18
Updated by Ben N over 9 years ago
Now I set doNotCheckReferer and the redirects work as suspected (302). But I am not sure which side effects now exist.
Could anyone please comment on possible side effects if any?
Updated by Stefan Neufeind about 9 years ago
- Status changed from Accepted to Rejected
- Is Regression set to No
Shouldn't be a problem on 7 LTS anymore (external links are rendered directly). And not a priority bugfix for 6.2.