Bug #23770

closed

TYPO3 core does not ignore case when comparing host part of http referrer

Added by Felix Buenemann over 13 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Could have
Category:
Content Rendering
Target version:
Start date:
2010-10-18
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
7
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

All versions of TYPO3 I looked at (4.2.x, 4.3.x, 4.4.x) do NOT ignore case when comparing the host part of the http referrer to the http host.

While the http host is lowercase, the host part of the http referrer is supplied by the browser and thus may contain mixed case.

Example:
http host: mydomain.com
referrer: http://MyDomain.com/some/page/
host part of referrer: MyDomain.com

This leads to several checks in the TYPO3 core failing, because they compare the referrer host part to the http host by a simple == instead of a case-insensitive compare by strcasecmp or similar.

The places that need patching can mostly be found by grepping the source for doNotCheckReferer ($TYPO3_CONF_VARS['SYS']['doNotCheckReferer']).

I'm willing to supply a patch for this, which should be trivial.

(issue imported from #M16036)
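The comparison the report describes, as an added example (not TYPO3's own code): the case-sensitive check beside a case-insensitive one, taking the host from the Referer with parse_url and assuming, like TYPO3_HOST_ONLY, that the request host is passed in without a port.

```php
<?php
// Added example, not TYPO3 code. $httpHost is assumed to be the request host
// without a port (what TYPO3_HOST_ONLY holds), as described in the report.

/** Extract the host part of a referrer URL, or null if it has none. */
function refererHost(string $referer): ?string
{
    $host = parse_url($referer, PHP_URL_HOST);
    return (is_string($host) && $host !== '') ? $host : null;
}

/** Check as described in the report: exact string comparison, case-sensitive. */
function refererMatchesHostStrict(string $httpHost, string $referer): bool
{
    return refererHost($referer) === $httpHost;
}

/** Fixed check: host names are case-insensitive, so compare with strcasecmp. */
function refererMatchesHostInsensitive(string $httpHost, string $referer): bool
{
    $host = refererHost($referer);
    return $host !== null && strcasecmp($host, $httpHost) === 0;
}

// Constructed sample values mirroring the report's example.
$cases = [
    ['mydomain.com', 'http://mydomain.com/some/page/'],      // same case: both pass
    ['mydomain.com', 'http://MyDomain.com/some/page/'],      // mixed case: strict check fails
    ['mydomain.com', 'http://other.example/mydomain.com'],   // host is other.example: both reject
    ['mydomain.com', 'not a url'],                           // no host: both reject
];

foreach ($cases as [$httpHost, $referer]) {
    printf(
        "%-40s strict=%-4s insensitive=%s\n",
        $referer,
        refererMatchesHostStrict($httpHost, $referer) ? 'ok' : 'FAIL',
        refererMatchesHostInsensitive($httpHost, $referer) ? 'ok' : 'FAIL'
    );
}
```

Only the second case differs between the two checks, which is exactly the mixed-case referrer the report is about.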

Actions #1

Updated by Georg Ringer over 13 years ago

patch is always welcome!

Actions #2

Updated by Felix Buenemann over 13 years ago

OK, I'll make a patch, but probably not this week cause I'm pretty busy.

Actions #3

Updated by Alexander Opitz over 10 years ago

  • Category deleted (Communication)
  • Status changed from New to Needs Feedback
  • Target version deleted (0)
  • Is Regression set to No

Hi,

As this issue is very old, does the problem still exist within newer versions of TYPO3 CMS (4.5 or 6.1)?

Actions #4

Updated by Felix Buenemann over 10 years ago

I had a quick look through the 6.1.5 code and it still seems to be case dependent.

However, I'm not sure in which case this would be an issue. It seems most of the time the referrer is compared to TYPO3_HOST_ONLY, which is extracted from HTTP_HOST. So if I e.g. call the backend via http://Example.COM/typo3/, then both the Host and Referer headers should have the same spelling.

This could be an issue if you e.g. visit http://example.com/a.html which contains a link to http://Example.COM/b.html, in which case your Referer would be lower case, while the Host contains mixed case.

So if no frontend code uses referer checks I think it is safe to ignore/close this.

Actions #5

Updated by Alexander Opitz over 10 years ago

  • Category set to Content Rendering
  • Status changed from Needs Feedback to New
  • Priority changed from Should have to Could have

Actions #6

Updated by Mathias Schreiber over 9 years ago

  • Target version set to 7.2 (Frontend)
  • Sprint Focus set to On Location Sprint

Actions #7

Updated by Steffen Müller over 9 years ago

  • Status changed from New to Accepted

Actions #8

Updated by Steffen Müller over 9 years ago

  • Assignee set to Steffen Müller

Actions #9

Updated by Steffen Müller over 9 years ago

  • Status changed from Accepted to Needs Feedback
  • TYPO3 Version changed from 4.4 to 7

Can you support us with information on how to reproduce this behavior? --> Point us to a browser which does NOT cast the host name / referrer to lowercase before the HTTP request is sent?

Actions #10

Updated by Christian Kuhn over 9 years ago

  • Status changed from Needs Feedback to Closed

We discussed this again and see little relevance of this issue. At the moment we tend to close / reject it since all "casual" browsers lowercase the http host anyway. For low level tools like telnet / nc / curl the domain should be used correctly without bigger problems.

If you think we're on the wrong track here and still should fix this, please feel free to open a new issue with some more reasoning on why this should be done.

Actions #11

Updated by Anja Leichsenring over 8 years ago

  • Sprint Focus deleted (On Location Sprint)