MioVisman / FluxBB_by_Visman

My modification of FluxBB
GNU General Public License v2.0

Bad HTTP_REFERER on saving rules on new install #15

Closed ghost closed 3 years ago

ghost commented 3 years ago

Bad HTTP_REFERER. If you have moved these forums from one location to another or switched domains, you need to update the Base URL manually in the database (look for o_base_url in the config table) and then clear the cache by deleting all .php files in the /cache directory.

I had freshly installed your copy of FluxBB R.82 and only changed the time zone and wrote some basic rules. The above was the error I received.

MioVisman commented 3 years ago

There are two possible reasons for this message:

  1. While editing the form, your IP address may have changed.
  2. On the Administration -> Options page, you have an incorrect forum address specified in the "Base URL" field. For example, www.example.com and example.com are different domains.

If the reason is in the "Base URL", then open the /cache/cache_config.php file on the server, set the correct value of the 'o_base_url' element and save, then go to Administration -> Options and set the correct value and save.

MioVisman commented 3 years ago

It seems I was wrong. There may be a third reason:

  1. Changed the http <-> https protocol. For example, a form is opened using the https protocol, and its action is specified in the http protocol.

This problem can occur due to incorrect server configuration. For example, if Apache is hosted behind nginx, and nginx does not pass the correct value to $_SERVER['HTTPS'].

See get_current_protocol() function https://github.com/MioVisman/FluxBB_by_Visman/blob/master/include/functions.php#L202

P.S. And it seems the second reason is not relevant, judging by the function csrf_hash() https://github.com/MioVisman/FluxBB_by_Visman/blob/master/include/functions.php#L1166 My brain is still sleeping.

ghost commented 3 years ago

The site is running on a fresh install of Ubuntu 20.04 with Plesk. It does use a mix of Apache with Nginx. The latest error I received when posting was:

Bad csrf_hash. You were referred to this page from an unauthorized source.

I tried posting again, and it went through. I am wondering if there is something about the default server config that only impacts FluxBB. I have phpBB, WordPress, and WoltLab Burning Board, all running on the same server and domain.

MioVisman commented 3 years ago

> I am wondering if there is something about the default server config that only impacts FluxBB.

There is a different approach in the engines themselves.

In the original FluxBB, to check the data received from the user, the referrer sent by the user's browser is checked. The referrer is easy to fake.

My FluxBB uses a csrf hash which is generated by a function: https://github.com/MioVisman/FluxBB_by_Visman/blob/master/include/functions.php#L1166 In this case, csrf hash depends on:

Changing the value of any of these items between the opening of the form and its attempt to save will cause an error:

Bad csrf_hash. You were referred to this page from an unauthorized source.

ghost commented 3 years ago

That would explain a few things. I was using Cloudflare, and my IP address would change.
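The failure modes discussed in this thread, as an added PHP example that is not part of the thread and is not the project's csrf_hash(): a token bound to request attributes stops validating when one of them changes between rendering and submitting the form. The bound fields (user id, script, client IP, scheme), the helper names, the trusted proxy list and all sample values are assumptions made for illustration.

```php
<?php
// Added illustration; NOT FluxBB_by_Visman's csrf_hash(). Names and inputs are assumptions.
declare(strict_types=1);

const TRUSTED_PROXIES = ['127.0.0.1']; // constructed: nginx in front of Apache on one host

// Scheme as the visitor saw it. X-Forwarded-Proto is honoured only when the
// direct peer is a trusted proxy; otherwise only $_SERVER['HTTPS'] counts.
function request_scheme(array $server): string
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return 'https';
    }
    $peer = $server['REMOTE_ADDR'] ?? '';
    $fwd = strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return (in_array($peer, TRUSTED_PROXIES, true) && $fwd === 'https') ? 'https' : 'http';
}

// Token bound to the user, the target script, the client IP and the scheme.
function bound_token(string $secret, int $userId, string $script, string $ip, string $scheme): string
{
    return hash_hmac('sha256', implode('|', [$userId, $script, $ip, $scheme]), $secret);
}

// Recompute from the submitting request and compare in constant time.
function token_ok(string $token, string $secret, int $userId, string $script, string $ip, string $scheme): bool
{
    return hash_equals(bound_token($secret, $userId, $script, $ip, $scheme), $token);
}

$secret = 'constructed-demo-secret'; // constructed sample value
// Form rendered for visitor 203.0.113.10 over https (proxy forwards the scheme).
$open = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$token = bound_token($secret, 2, 'form.php', '203.0.113.10', request_scheme($open));

// Constructed submissions: unchanged, new client IP, scheme lost at the proxy.
$cases = [
    'same IP and scheme'          => ['203.0.113.10', $open],
    'client IP changed'           => ['198.51.100.7', $open],
    'proxy stopped sending proto' => ['203.0.113.10', ['REMOTE_ADDR' => '127.0.0.1']],
];
foreach ($cases as $label => [$ip, $server]) {
    $ok = token_ok($token, $secret, 2, 'form.php', $ip, request_scheme($server));
    printf("%-28s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```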