MioVisman / FluxBB_by_Visman

My modification of FluxBB
GNU General Public License v2.0

It may be a bug of the rev.85 #43

Closed tanziran closed 2 months ago

tanziran commented 2 months ago

Often: Wrong csrf_hash. You were directed to this page from an unauthorized source. It needs to be refreshed and resubmitted before you can submit. This bug is likely to occur on anything that is committed. My deployment server is a web host. The environment is PHP 7.3.31 and MySQL Improved (InnoDB) 5.7.44. I'm also prompted to clear all .php files in /cache.

MioVisman commented 2 months ago

Hello! Most likely, the IP address of the form sender changed between opening and sending it.

https://github.com/MioVisman/FluxBB_by_Visman/issues?q=csrf_hash

tanziran commented 2 months ago

Here's the problem: I used Cloudflare's DNS traffic proxy, and I didn't see the IP change when I turned the proxy off, but there was a second problem. Bad HTTP_REFERER. If you have moved these forums from one location to another or switched domains, you need to update the Base URL manually in the database (look for o_base_url in the config table) and then clear the cache by deleting all .php files in the /cache directory.

tanziran commented 2 months ago

Here's the problem: I used Cloudflare's DNS traffic proxy, and when I turned the proxy off, the first error would be resolved, which was the IP change error.

MioVisman commented 2 months ago

The csrf_hash() function is responsible for generating csrf_hash and subsequently checking it: https://github.com/MioVisman/FluxBB_by_Visman/blob/master/include/functions.php#L1178-L1193

The result of its work depends on:

  1. $pun_user - current user in the engine.
  2. $script - the name of the file from which the call is made. If not specified, the name is calculated from the data received from the server: basename($_SERVER['SCRIPT_NAME']).
  3. ip - result from get_remote_address() function.
  4. protocol - result from get_current_protocol() function.

Add, before the line

    return $arr[$key];

a line with logging code to the error file:

    error_log('script=' . $script . '; ip=' . $ip . '; userId=' . $user['id'] . '; protocol=' . get_current_protocol());

After that, test sending forms and look at the server error log to see how the log lines differ.
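An added illustration (not code from FluxBB_by_Visman or from either commenter) of why a token derived from user, script, IP and protocol stops validating when any one of those inputs differs between rendering and submitting the form, and how comparing the logged inputs pinpoints which one changed. The HMAC construction, the secret, the `demo_*` function names and the sample values are assumptions made for this example.

```php
<?php
// Added illustration, not the project's csrf_hash(). Only the four inputs
// (user, script, ip, protocol) come from the thread; everything else here
// (HMAC-SHA256, the secret, the demo_* names) is an assumption.

const DEMO_SECRET = 'constructed-demo-secret';

// Derive a token bound to the four request properties.
function demo_csrf_hash(array $ctx): string
{
    // json_encode gives an unambiguous serialization of the tuple.
    $material = json_encode([$ctx['userId'], $ctx['script'], $ctx['ip'], $ctx['protocol']]);
    return hash_hmac('sha256', $material, DEMO_SECRET);
}

// Constant-time check of a submitted token against the current request.
function demo_csrf_check(string $submitted, array $ctx): bool
{
    return hash_equals(demo_csrf_hash($ctx), $submitted);
}

// Diagnostic: which inputs differ between form render and form submit?
// This is the comparison one does by eye on the error_log lines.
function demo_changed_inputs(array $render, array $submit): array
{
    return array_keys(array_diff_assoc($render, $submit));
}

// Constructed sample contexts (addresses from the RFC 5737 documentation ranges).
$render = ['userId' => 2, 'script' => 'post.php', 'ip' => '198.51.100.7', 'protocol' => 'https'];
$cases = [
    'same client'      => $render,
    'ip changed'       => ['ip' => '203.0.113.20'] + $render, // server sees another address
    'protocol changed' => ['protocol' => 'http'] + $render,   // server sees another scheme
];

$token = demo_csrf_hash($render); // value embedded in the form when it is rendered

foreach ($cases as $label => $submit) {
    printf(
        "%-17s valid=%-3s changed=[%s]\n",
        $label,
        demo_csrf_check($token, $submit) ? 'yes' : 'no',
        implode(',', demo_changed_inputs($render, $submit))
    );
}
```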

tanziran commented 2 months ago

Okay, it suddenly doesn't have this problem anymore, I didn't move any settings. Thank you for your patience, though.