Merge pull request #278 from kijin/pr/fix-csrf-false-positive

#275 기본 URL 변경에 따른 오류 해소
2026-01-04 01:01:41 +09:00 · 2016-02-16 14:34:53 +09:00 · 2016-02-16 14:34:53 +09:00 · be83a34b1e
commit be83a34b1e
parent e1341584d3 19469a7b0d
2 changed files with 41 additions and 25 deletions
--- a/common/legacy.php
+++ b/common/legacy.php
@ -1183,42 +1183,58 @@ function requirePear()
 */
 function checkCSRF()
 {
-	if($_SERVER['REQUEST_METHOD'] != 'POST')
+	// If this is not a POST request, FAIL.
+	if ($_SERVER['REQUEST_METHOD'] != 'POST')
 	{
-		return FALSE;
+		return false;
 	}
 	
+	// Get the referer. If the referer is empty, PASS.
+	$referer = strval($_SERVER['HTTP_REFERER']);
+	if ($referer === '')
+	{
+		return true;
+	}
+	if (strpos($referer, 'xn--') !== false)
+	{
+		$referer = Context::decodeIdna($referer);
+	}
+	$referer_host = parse_url($referer, PHP_URL_HOST);
+	
+	// If the referer is the same domain as the current host, PASS.
+	$current_host = $_SERVER['HTTP_HOST'];
+	if (strpos($current_host, 'xn--') !== false)
+	{
+		$current_host = Context::decodeIdna($current_host);
+	}
+	if ($referer_host === $current_host)
+	{
+		return true;
+	}
+	
+	// If the referer is the same domain as the default URL, PASS.
 	$default_url = Context::getDefaultUrl();
-	$referer = $_SERVER["HTTP_REFERER"];
-
-	if(strpos($default_url, 'xn--') !== FALSE && strpos($referer, 'xn--') === FALSE)
+	if (strpos($default_url, 'xn--') !== false)
 	{
-		$referer = Context::encodeIdna($referer);
+		$default_url = Context::decodeIdna($default_url);
+	}
+	if ($referer_host === parse_url($default_url, PHP_URL_HOST))
+	{
+		return true;
 	}
 	
-	$default_url = parse_url($default_url);
-	$referer = parse_url($referer);
-
+	// Check if we have a virtual site with a matching domain.
 	$oModuleModel = getModel('module');
 	$siteModuleInfo = $oModuleModel->getDefaultMid();
-
-	if($siteModuleInfo->site_srl == 0)
+	$virtualSiteInfo = $oModuleModel->getSiteInfo($siteModuleInfo->site_srl);
+	if (strcasecmp($virtualSiteInfo->domain, Context::get('vid')) && stristr($virtualSiteInfo->domain, $referer_host))
 	{
-		if($default_url['host'] !== $referer['host'])
-		{
-			return FALSE;
-		}
+		return true;
 	}
 	else
 	{
-		$virtualSiteInfo = $oModuleModel->getSiteInfo($siteModuleInfo->site_srl);
-		if(strtolower($virtualSiteInfo->domain) != strtolower(Context::get('vid')) && !strstr(strtolower($virtualSiteInfo->domain), strtolower($referer['host'])))
-		{
-			return FALSE;
+		return false;
 	}
-	}
-
-	return TRUE;
 }

 /**
--- a/modules/admin/admin.admin.controller.php
+++ b/modules/admin/admin.admin.controller.php
@ -690,7 +690,7 @@ class adminAdminController extends admin
 		Rhymix\Framework\Config::save();
 		
 		$this->setMessage('success_updated');
-		$this->setRedirectUrl(Context::get('success_return_url') ?: getNotEncodedUrl('', 'act', 'dispAdminConfigAdvanced'));
+		$this->setRedirectUrl(Context::get('success_return_url') ?: $default_url . 'index.php?act=dispAdminConfigAdvanced');
 	}
 	
 	/**