Commit Graph

12 Commits

Author SHA1 Message Date
Ingo Schommer
37059eb6b3 [ss-2016-003] Hostname, IP and Protocol Spoofing through HTTP Headers 2016-02-24 11:47:16 +13:00
Damian Mooyman
a978b891e1 BUG Fix handling of empty parameter token 2015-05-28 10:13:10 +12:00
Damian Mooyman
75137dbab2 Ensure only trusted proxy servers have control over certain HTTP headers 2015-05-28 10:12:46 +12:00
Damian Mooyman
d3c7e41419 BUG using isDev or isTest query string no longer triggers basic auth 2014-07-02 11:51:51 +12:00
Ingo Schommer
ec325a3c7f API Fix HTTPS proxy header detection
Didn't use the de facto standard HTTP_X_FORWARDED_PROTO or the less standard HTTP_FRONT_END_HTTPS.
Removed the 'X-Forwarded-Proto', since PHP should prefix/underscore all HTTP headers before it hits $_SERVER.

References:
- https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
- https://drupal.org/node/1859252
- https://drupal.org/node/313145
- http://scottwb.com/blog/2013/02/06/always-on-https-with-rails-behind-an-elb/
2014-05-22 18:34:15 +12:00
Hamish Friedlander
4a7aef0e25 FIX Double slashes in ParameterConfirmationToken 2013-08-19 11:35:34 +12:00
Hamish Friedlander
041466fe02 FIX Token redirect where in IIS a / needs adding between host & url 2013-08-05 09:15:11 +12:00
Hamish Friedlander
342058742c FIX Flush on memory exhaustion and headers sent 2013-08-02 09:41:16 +12:00
Hamish Friedlander
604d9bf7dc Split Core.php into Constants.php and Core.php and adjust main.php startup
The recent flush filter fix had a problem that you couldnt set a custom
BASE_PATH in _ss_environment because that file didnt get included until
after checking the confirmation token. This patch pulls the part of Core.php
that defines BASE_PATH into a seperate file that can be included earlier
in the startup sequence so that ParameterConfirmationToken can access it.

Core.php includes Constants.php with a require_once call, so for startup
scripts that dont pull in Constants.php themselves (like cli-script.php)
no change is needed.
2013-07-22 13:52:00 +12:00
Hamish Friedlander
a312cd08e1 FIX: Ignore invalid tokens instead of throwing 403 2013-07-19 14:47:05 +12:00
Hamish Friedlander
036c36a7dd FIX: Have ParameterConfirmationToken work regardless of include path 2013-07-19 14:33:56 +12:00
Hamish Friedlander
1298d4a5bd FIX Prevent DOS by checking for env and admin on ?flush=1 (#1692) 2013-07-19 12:24:32 +12:00