After turning debug mode on, it appeared that in the method validate_referer(...) in session.php:
- "$config" was unknown (a global statement should be added)
- the key "force_server" was unknown in "$config" (it should be "force_server_vars")
I repaired these bugs; here is the validate_referer(...) method of session.php as I'm using it now:
Code:
/**
 * Check if the request originated from the same page.
 * @param bool $check_script_path If true, the path will be checked as well
 */
function validate_referer($check_script_path = false)
{
    // $config is only visible inside this method once it is declared global
    global $config;

    // no referer - nothing to validate, user's fault for turning it off (we only check on POST; so meta can't be the reason)
    if (empty($this->referer) || empty($this->host))
    {
        return true;
    }

    $host = htmlspecialchars($this->host);
    // Strip the scheme ("http://", "https://") so $ref starts with the referer's host part
    $ref = substr($this->referer, strpos($this->referer, '://') + 3);

    // The referer must start with our host or, when force_server_vars is set, with the configured server_name.
    // stripos(...) === 0 is a prefix test, not an exact host comparison.
    if (!(stripos($ref, $host) === 0) && (!$config['force_server_vars'] || !(stripos($ref, $config['server_name']) === 0)))
    {
        return false;
    }
    else if ($check_script_path && rtrim($this->page['root_script_path'], '/') !== '')
    {
        // Drop the host; what remains is ":port/path..." or "/path..."
        $ref = substr($ref, strlen($host));
        $server_port = (!empty($_SERVER['SERVER_PORT'])) ? (int) $_SERVER['SERVER_PORT'] : (int) getenv('SERVER_PORT');

        // Remove an explicit non-default port so it does not interfere with the path comparison below
        if ($server_port !== 80 && $server_port !== 443 && stripos($ref, ":$server_port") === 0)
        {
            $ref = substr($ref, strlen(":$server_port"));
        }

        // The referer path must begin with the board's root script path
        if (!(stripos(rtrim($ref, '/'), rtrim($this->page['root_script_path'], '/')) === 0))
        {
            return false;
        }
    }

    return true;
}
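To see what the fixed method actually accepts and rejects, here is an added example (not phpBB's code and not the poster's) that lifts the same comparison into a free function which can be run from the command line. Everything the method reads from $this, $config and $_SERVER is passed in as a parameter; the function name referer_matches, the host names and the board path are made up for this example. The cases with force_server_vars set show why the missing "global $config" mattered: without it, $config is null inside the method and the server_name branch never matches.

```php
<?php
// Added example (not phpBB code): the referer comparison from
// validate_referer() as a free function. Host names, paths and the function
// name are constructed for this demonstration.

function referer_matches($referer, $host, array $config, $root_script_path, $server_port, $check_script_path)
{
    // Same early exit as the method: no referer or host means nothing to check.
    if (empty($referer) || empty($host)) {
        return true;
    }

    $host = htmlspecialchars($host);
    // Drop the scheme so $ref begins with the referer's host part.
    $ref = substr($referer, strpos($referer, '://') + 3);

    // Host (or, with force_server_vars, server_name) must be a prefix of $ref.
    // In the method, a null $config (no "global" statement) makes the
    // force_server_vars branch unreachable, so only $host is honoured.
    if (stripos($ref, $host) !== 0
        && (empty($config['force_server_vars']) || stripos($ref, $config['server_name']) !== 0)) {
        return false;
    }

    if ($check_script_path && rtrim($root_script_path, '/') !== '') {
        $ref = substr($ref, strlen($host));
        // Strip an explicit non-default port before comparing the path.
        if ($server_port !== 80 && $server_port !== 443 && stripos($ref, ":$server_port") === 0) {
            $ref = substr($ref, strlen(":$server_port"));
        }
        if (stripos(rtrim($ref, '/'), rtrim($root_script_path, '/')) !== 0) {
            return false;
        }
    }

    return true;
}

// Constructed inputs: a board at http://forum.example.org/phpBB3, one
// deployment on port 8080, and one behind a proxy whose Host header
// ("proxy.internal") differs from the configured server_name.
$plain  = array('force_server_vars' => 0, 'server_name' => 'forum.example.org');
$forced = array('force_server_vars' => 1, 'server_name' => 'forum.example.org');

$cases = array(
    // label, referer, host, config, root_script_path, port, check_path, expected
    array('same host and path',         'http://forum.example.org/phpBB3/posting.php',      'forum.example.org', $plain,  '/phpBB3', 80,   true,  true),
    array('foreign host',               'http://attacker.example.net/phpBB3/posting.php',   'forum.example.org', $plain,  '/phpBB3', 80,   true,  false),
    array('non-default port stripped',  'http://forum.example.org:8080/phpBB3/posting.php', 'forum.example.org', $plain,  '/phpBB3', 8080, true,  true),
    array('wrong script path',          'http://forum.example.org/other/posting.php',       'forum.example.org', $plain,  '/phpBB3', 80,   true,  false),
    array('path check disabled',        'http://forum.example.org/other/posting.php',       'forum.example.org', $plain,  '/phpBB3', 80,   false, true),
    // Referer carries server_name while Host is the proxy's name: accepted
    // only when $config is visible and force_server_vars is set.
    array('server_name, forced',        'http://forum.example.org/phpBB3/posting.php',      'proxy.internal',    $forced, '/phpBB3', 80,   false, true),
    array('server_name, not forced',    'http://forum.example.org/phpBB3/posting.php',      'proxy.internal',    $plain,  '/phpBB3', 80,   false, false),
    // The host test is a prefix match: a host that merely starts with ours
    // passes unless the script path is checked as well.
    array('prefix host, no path check', 'http://forum.example.org.attacker.example.net/x',  'forum.example.org', $plain,  '/phpBB3', 80,   false, true),
    array('prefix host, path checked',  'http://forum.example.org.attacker.example.net/x',  'forum.example.org', $plain,  '/phpBB3', 80,   true,  false),
);

foreach ($cases as $c) {
    list($label, $referer, $host, $config, $path, $port, $check, $expected) = $c;
    $got = referer_matches($referer, $host, $config, $path, $port, $check);
    printf("%-28s %s (%s)\n", $label, $got ? 'accept' : 'reject', $got === $expected ? 'as expected' : 'UNEXPECTED');
}
```

Run it with "php referer_check.php" (any file name will do). The last two cases are worth noting when deciding whether to call validate_referer() with $check_script_path set: the host comparison is a prefix test on the raw referer string, so the path check is what rejects a referer host that merely begins with the board's host name.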