qtranslate / qtranslate-xt

qTranslate-XT (eXTended) - reviving qTranslate-X multilingual plugin for WordPress. A new community-driven plugin soon. Built-in modules for WooCommerce, ACF, slugs and others.
GNU General Public License v2.0

PHP warning qtranslate_core.php on line 183 #1202

Closed Hr0bar closed 2 years ago

Hr0bar commented 2 years ago

Hi, using latest release, some bot/vulnerability scanner/scraper request triggered this:

PHP Warning: Undefined array key "host" in /opt/bitnami/wordpress/wp-content/plugins/qtranslate-xt/qtranslate_core.php on line 183', referer: /gbook.html

PHP 8.0.x

access log: 143.92.32.144 - - [16/Jul/2022:00:41:15 +0000] "GET /gbook.html HTTP/2.0" 404 126879

thanks for checking

herrvigg commented 2 years ago

Looks like a special case, possibly setting a wrong referrer. The host is derived from the origin, which should always be set. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer

Do you know more precisely how this happens? Can it be reproduced?

Hr0bar commented 2 years ago

Hi, no, I don't know how to reproduce it. This was 100% some bot/spambot/vulnerability scanner hacker request and not a regular request.

So I imagine it's very unpredictable. Likely a custom curl request, not a browser-issued request.


herrvigg commented 2 years ago

OK added a new check, it doesn't cost much and it will be more robust.

herrvigg commented 2 years ago

Fix released in 3.12.1.
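
The Referer header is client-controlled, so a path-only value such as the `/gbook.html` in the report carries no host at all. The following is an added example, not the plugin's code or the released fix: it assumes the host is obtained with PHP's `parse_url()`, and `referer_host`, `is_internal_referer` and the site host `example.com` are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Return the lower-cased host of a Referer value, or null when the header
 * is absent, unparsable, or carries no host (e.g. a bare path).
 * Hypothetical helper for illustration; not a qTranslate-XT function.
 */
function referer_host(?string $referer): ?string
{
    if ($referer === null || $referer === '') {
        return null;
    }
    // parse_url() returns false on seriously malformed input and otherwise
    // only the components it found, so 'host' may simply be missing.
    $parts = parse_url($referer);
    if (!is_array($parts) || !isset($parts['host']) || $parts['host'] === '') {
        return null;
    }
    return strtolower($parts['host']);
}

/** True only when the Referer names the same host as the current site. */
function is_internal_referer(?string $referer, string $site_host): bool
{
    $host = referer_host($referer);
    return $host !== null && $host === strtolower($site_host);
}

// Constructed sample values; '/gbook.html' is the referer from the report.
$samples = [
    'https://example.com/page',   // well-formed, same site
    'https://other.example/page', // well-formed, external
    '/gbook.html',                // path only: parse_url() yields no 'host'
    'http:///example.com',        // malformed: parse_url() returns false
    '',                           // empty header
    null,                         // header not sent
];

foreach ($samples as $referer) {
    printf(
        "%-28s host=%-16s internal=%s\n",
        var_export($referer, true),
        var_export(referer_host($referer), true),
        is_internal_referer($referer, 'example.com') ? 'yes' : 'no'
    );
}
```

Indexing `$parts['host']` directly on the third sample is what produces the `Undefined array key "host"` warning on PHP 8; with the `isset()` guard the request is simply treated as having no usable referrer.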