From 9c0f063b2c25a1f90b37d12857363b24742f26cf Mon Sep 17 00:00:00 2001
From: skodak
Date: Mon, 4 Dec 2006 09:13:51 +0000
Subject: [PATCH] MDL-7737 Remove form referer checks - $CFG->secureforms optional checking
---
 admin/settings/security.php | 1 -
 lib/db/upgrade.php | 4 +++
 lib/weblib.php | 57 +++---------------------------------
 version.php | 2 +-
 4 files changed, 9 insertions(+), 55 deletions(-)
diff --git a/admin/settings/security.php b/admin/settings/security.php
index 3d0d25044f..ae88bbe5be 100644
--- a/admin/settings/security.php
+++ b/admin/settings/security.php
@@ -44,7 +44,6 @@ $ADMIN->add('security', $temp);
 // "httpsecurity" settingpage
 $temp = new admin_settingpage('httpsecurity', get_string('httpsecurity', 'admin'));
 $temp->add(new admin_setting_configcheckbox('loginhttps', get_string('loginhttps', 'admin'), get_string('configloginhttps', 'admin'), 0));
-$temp->add(new admin_setting_configcheckbox('secureforms', get_string('secureforms', 'admin'), get_string('configsecureforms', 'admin'), 0));
 $ADMIN->add('security', $temp);
diff --git a/lib/db/upgrade.php b/lib/db/upgrade.php
index 9747d18945..87ede9c1fc 100644
--- a/lib/db/upgrade.php
+++ b/lib/db/upgrade.php
@@ -118,6 +118,10 @@ function xmldb_main_upgrade($oldversion=0) {
 }
 }
+ if ($oldversion < 2006120400) { /// Remove secureforms config setting
+ execute_sql("DELETE FROM {$CFG->prefix}config where name='secureforms' ;", true);
+ }
+
 return $result;
 }
diff --git a/lib/weblib.php b/lib/weblib.php
index 07add8c0f0..8f755acb5e 100644
--- a/lib/weblib.php
+++ b/lib/weblib.php
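Review bot: The status of the DELETE in the lib/db/upgrade.php hunk is thrown away: `execute_sql(...)` returns a boolean, but the new step neither assigns it nor folds it into `$result`, so the function reports success even when the stale `secureforms` row could not be removed (assuming the other steps in this function chain their status into `$result`, as the final `return $result;` suggests). The row is only configuration cleanup, so the consequence is a leftover config entry rather than a broken upgrade, but an upgrade step whose failure is invisible is inconsistent with the rest of the file. I would also avoid hand-built SQL with an interpolated table prefix where the data layer has a helper: `$result = $result && delete_records('config', 'name', 'secureforms');` (or `unset_config('secureforms')` if that helper exists at this version) keeps quoting and prefix handling in one place. `xmldb_main_upgrade()` begins outside the hunk, so I cannot confirm that `$CFG` is declared global there, which the `{$CFG->prefix}` interpolation relies on.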
@@ -268,43 +268,6 @@ function qualified_me() {
 return $url_prefix . me();
 }
-/**
- * Determine if a web referer is valid
- *
- * Returns true if the referer is the same as the goodreferer. If
- * the referer to test is not specified, use {@link qualified_me()}.
- * If the admin has not set secure forms ($CFG->secureforms) then
- * this function returns true regardless of a match.
- *
- * @uses $CFG
- * @param string $goodreferer the url to compare to referer
- * @return boolean
- */
-function match_referer($goodreferer = '') {
- global $CFG;
-
- if (empty($CFG->secureforms)) { // Don't bother checking referer
- return true;
- }
-
- if ($goodreferer == 'nomatch') { // Don't bother checking referer
- return true;
- }
-
- if (empty($goodreferer)) {
- $goodreferer = qualified_me();
- // try to remove everything after ? because POST url may contain GET parameters (SID rewrite, etc.)
- $pos = strpos($goodreferer, '?');
- if ($pos !== FALSE) {
- $goodreferer = substr($goodreferer, 0, $pos);
- }
- }
-
- $referer = get_referer();
-
- return (($referer == $goodreferer) or ($referer == $CFG->wwwroot .'/') or ($referer == $CFG->wwwroot .'/index.php'));
-}
-
 /**
 * Determine if there is data waiting to be processed from a form
 *
@@ -313,29 +276,17 @@ function match_referer($goodreferer = '') {
 * This object can be used in foreach loops without
 * casting because it's cast to (array) automatically
 *
- * Checks that submitted POST data exists, and also
- * checks the referer against the given url (it uses
- * the current page if none was specified.
+ * Checks that submitted POST data exists and returns it as object.
 *
- * @uses $CFG
- * @param string $url the url to compare to referer for secure forms
- * @return boolean
+ * @param string $url not used anymore
+ * @return mixed false or object
 */
 function data_submitted($url='') {
-
- global $CFG;
-
 if (empty($_POST)) {
 return false;
- } else {
- if (match_referer($url)) {
- return (object)$_POST;
- } else {
- debugging('The form did not come from this page! (referer = '. get_referer() .')');
- return false;
- }
+ return (object)$_POST;
 }
 }
diff --git a/version.php b/version.php
index 78ca74d1dd..e7b4ee608c 100644
--- a/version.php
+++ b/version.php
@@ -6,7 +6,7 @@
 // This is compared against the values stored in the database to determine
 // whether upgrades should be performed (see lib/db/*.php)
- $version = 2006120300; // YYYYMMDD = date
+ $version = 2006120400; // YYYYMMDD = date
 // XY = increments within a single day
 $release = '1.8 dev'; // Human-friendly version name
--
2.39.5
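Review bot: The added `return (object)$_POST;` in data_submitted() is unreachable: it sits directly after `return false;` inside the `if (empty($_POST))` block, because the `} else {` line was removed without closing the block first, so with a non-empty POST the function now falls off the end and returns null instead of the data object. The fix is to close the block before the return, i.e. `}` followed by `return (object)$_POST;` at function level (or keep the `} else {` around the new line). Beyond that, this hunk removes the only origin check data_submitted() performed without putting anything in its place, so any caller that relied on `$CFG->secureforms` to reject cross-site submissions is now unprotected; those callers need an explicit anti-CSRF check such as the session-key mechanism, if this version provides one. I would say so in the docblock rather than leaving `@param string $url not used anymore` as the only hint, e.g. `* Note: no referer or origin check is performed here; callers must verify the session key themselves.`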