mitchellkrogza / nginx-ultimate-bad-bot-blocker

Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders

[BUG] Bad Referrer words or Bad Query words? #405

Open AmibeWebsites opened 3 years ago

AmibeWebsites commented 3 years ago

Describe the bug

Bad referrer words are assessed against $http_referer, which is fine if the list is meant to be checked against referrer URLs, but it doesn't check against the requested URL or its query string.

This is a little confusing in terms of the example given with mb_ereg_replace.

Perhaps bad-request-words.conf can be a new file that gets mapped against $request_uri?

To Reproduce

Added to bad-referrer-words.conf: "~*(?:\b|)(wp-)?config\.php(?:\b|)" 1;

Expected behavior

Expected any requested URL that contains wp-config.php in the query string to be blocked.
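
The distinction the issue draws, shown as an added nginx example that is not part of the original issue or the project's own configuration: the same list entry keyed on `$http_referer` and on `$request_uri`. The variable names, the `server` block and the host name are hypothetical, and the second map stands in for the proposed bad-request-words.conf.

```nginx
# Added illustration, not the project's configuration.
# Variable names, server_name and the server block are hypothetical.
# Both map blocks belong in the http {} context.

# Behaviour described in the issue: the word list is evaluated
# against the Referer header only.
map $http_referer $example_bad_referrer_word {
    default 0;
    # Entry copied from the issue's "To Reproduce" section.
    "~*(?:\b|)(wp-)?config\.php(?:\b|)" 1;
}

# Behaviour the issue asks for: the same entry format, keyed on
# $request_uri, which holds the original request path plus its
# query string as sent by the client (not percent-decoded).
map $request_uri $example_bad_request_word {
    default 0;
    "~*(?:\b|)(wp-)?config\.php(?:\b|)" 1;
}

server {
    listen 80;
    server_name example.test;

    # 444 is nginx's non-standard code: close the connection
    # without sending a response.
    if ($example_bad_referrer_word) { return 444; }
    if ($example_bad_request_word)  { return 444; }

    # For a request whose query string contains wp-config.php and
    # whose Referer header is empty or unrelated:
    #   $example_bad_referrer_word = 0  (Referer does not match)
    #   $example_bad_request_word  = 1  (request URI matches)
    # so only the second check rejects it.
    location / {
        return 200 "ok\n";
    }
}
```

Because `$request_uri` is matched as received, patterns written for it see percent-encoded characters literally, unlike `$uri`, which is decoded but carries no query string.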