Ingo Schommer
37059eb6b3
[ss-2016-003] Hostname, IP and Protocol Spoofing through HTTP Headers
2016-02-24 11:47:16 +13:00
Damian Mooyman
a978b891e1
BUG Fix handling of empty parameter token
2015-05-28 10:13:10 +12:00
Damian Mooyman
75137dbab2
Ensure only trusted proxy servers have control over certain HTTP headers
2015-05-28 10:12:46 +12:00
Damian Mooyman
d3c7e41419
BUG using isDev or isTest query string no longer triggers basic auth
2014-07-02 11:51:51 +12:00
Ingo Schommer
ec325a3c7f
API Fix HTTPS proxy header detection
...
Didn't use the de facto standard HTTP_X_FORWARDED_PROTO or the less standard HTTP_FRONT_END_HTTPS.
Removed the 'X-Forwarded-Proto', since PHP should prefix/underscore all HTTP headers before it hits $_SERVER.
References:
- https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
- https://drupal.org/node/1859252
- https://drupal.org/node/313145
- http://scottwb.com/blog/2013/02/06/always-on-https-with-rails-behind-an-elb/
2014-05-22 18:34:15 +12:00
Hamish Friedlander
4a7aef0e25
FIX Double slashes in ParameterConfirmationToken
2013-08-19 11:35:34 +12:00
Hamish Friedlander
041466fe02
FIX Token redirect where in IIS a / needs adding between host & url
2013-08-05 09:15:11 +12:00
Hamish Friedlander
342058742c
FIX Flush on memory exhaustion and headers sent
2013-08-02 09:41:16 +12:00
Hamish Friedlander
a1ea905ca8
FIX Nice errors and allows flush on module removal
2013-07-24 09:57:01 +12:00
Hamish Friedlander
84011aa736
FIX Only suppress fatal errors
2013-07-22 14:48:16 +12:00
Hamish Friedlander
604d9bf7dc
Split Core.php into Constants.php and Core.php and adjust main.php startup
...
The recent flush filter fix had a problem that you couldnt set a custom
BASE_PATH in _ss_environment because that file didnt get included until
after checking the confirmation token. This patch pulls the part of Core.php
that defines BASE_PATH into a seperate file that can be included earlier
in the startup sequence so that ParameterConfirmationToken can access it.
Core.php includes Constants.php with a require_once call, so for startup
scripts that dont pull in Constants.php themselves (like cli-script.php)
no change is needed.
2013-07-22 13:52:00 +12:00
Hamish Friedlander
a312cd08e1
FIX: Ignore invalid tokens instead of throwing 403
2013-07-19 14:47:05 +12:00
Hamish Friedlander
036c36a7dd
FIX: Have ParameterConfirmationToken work regardless of include path
2013-07-19 14:33:56 +12:00
Hamish Friedlander
1298d4a5bd
FIX Prevent DOS by checking for env and admin on ?flush=1 ( #1692 )
2013-07-19 12:24:32 +12:00