Removed referer_check option (#6440)

6 years ago · 796e5a17e6
parent d868297a0a
commit 796e5a17e6
5 changed files with 2 additions and 23 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================

+- Removed referer_check option (#6440)
 - Update to TinyMCE 4.8.2
 - Plugin API: Added 'raise_error' hook (#6199)
 - Managesieve: Added support for 'editheader' extension - RFC5293 (#5954)
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@ -497,9 +497,6 @@ $config['trusted_host_patterns'] = array();
 // check client IP in session authorization
 $config['ip_check'] = false;

-// check referer of incoming requests
-$config['referer_check'] = false;
-
 // X-Frame-Options HTTP header value sent to prevent from Clickjacking.
 // Possible values: sameorigin|deny|allow-from <uri>.
 // Set to false in order to disable sending the header.
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@ -926,12 +926,6 @@ class rcmail extends rcube
            $error = array('code' => 403, 'message' => "Request security check failed");
            self::raise_error($error, false, true);
        }
-
-        // check referer if configured
-        if ($this->config->get('referer_check') && !rcube_utils::check_referer()) {
-            $error = array('code' => 403, 'message' => "Referer check failed");
-            self::raise_error($error, true, true);
-        }
    }

    /**
--- a/program/include/rcmail_install.php
+++ b/program/include/rcmail_install.php
@ -33,7 +33,7 @@ class rcmail_install
    public $bool_config_props = array();

    public $local_config    = array('db_dsnw', 'default_host', 'support_url', 'des_key', 'plugins');
-    public $obsolete_config = array('db_backend', 'db_max_length', 'double_auth', 'preview_pane', 'debug_level');
+    public $obsolete_config = array('db_backend', 'db_max_length', 'double_auth', 'preview_pane', 'debug_level', 'referer_check');
    public $replaced_config = array(
        'skin_path'            => 'skin',
        'locale_string'        => 'language',
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@ -152,19 +152,6 @@ class rcube_utils
        return filter_var($ip, FILTER_VALIDATE_IP) !== false;
    }

-    /**
-     * Check whether the HTTP referer matches the current request
-     *
-     * @return boolean True if referer is the same host+path, false if not
-     */
-    public static function check_referer()
-    {
-        $uri     = parse_url($_SERVER['REQUEST_URI']);
-        $referer = parse_url(self::request_header('Referer'));
-
-        return $referer['host'] == self::request_header('Host') && $referer['path'] == $uri['path'];
-    }
-
    /**
     * Replacing specials characters to a specific encoding type
     *