Bug Referer filter can be circumvented
- Thread starter matchu
- Start date
The slightly longer 'why' is because apparently that option (disabling referrers completely) is no longer possible with mafia post r12023.
matchu
New member
Yeah, this is the reason why most modern sites implement CSRF protection with tokens instead of referers :/ There's a more thorough option that would keep us safe while still allowing all clients: find the specific actions we need to protect (like adventuring), rewrite all pages to include the pwd token on that action, and then reject requests that don't include it. That doesn't sound incredibly feasible, though…
Laughing_Jack
New member
I might be doing something wrong, but this change appears to have borked the raid manager, as I believe that things are coming in w/o the http:// preface. Every time I try to look at dungeon stats, I see:
Request from bogus referer ignored
Path: "/clan_hobopolis.php?place=2"
Host: "127.0.0.1:60081"
Referer: "null"
Is this something that I need to look further into fixing in the manager script?
Request from bogus referer ignored
Path: "/clan_hobopolis.php?place=2"
Host: "127.0.0.1:60081"
Referer: "null"
Is this something that I need to look further into fixing in the manager script?
I think I'm just going to have to revert the disallowing of null referers. Maybe I can require a password hash for adventure.php and make sure to add it to every adventure.php link provided in a page that comes through mafia, but that will probably happen later.