Search code examples
phpphpbb3http-referer

Encoded url output in browser! Is it http_referer or phpbb issue?

I integrated phpbb login into my website.
Steps: it goes to the login.php script to process data and come back to the referer page.
Note: this page (referer) has something like page.php?var1=x&var2=y After login process it returns as page.php?var1=x&ampvar2=y which creates an error in the browser.
I am not allowed (by phpbb) to use directly the $_server[http_referer]. Below you can see the code from login.php.
I also echo the data, as you can see, and it's ok!

$username=addslashes(strip_tags(strtolower(($_REQUEST['username']))));
$password=addslashes(strip_tags($_REQUEST['password']));

define('IN_PHPBB', true);
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : '../../forum/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);
include($phpbb_root_path . 'includes/bbcode.' . $phpEx);
include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
$te=$request->variable('HTTP_REFERER', '', false, \phpbb\request\request_interface::SERVER);
$user->session_begin();
$auth->acl($user->data);
$user->setup();

$result = $auth->login($username, $password, '', 1, 0);
print_r($result);
if($user->data['is_registered'])
        {
    echo '<br>//User is already logged in';
    }
else
{                    
if ($result['status'] == LOGIN_SUCCESS)
{
    echo '<br>//User was successfully logged into phpBB';
}
else
{
    echo '<br>//Users login failed';
}
}
//header('Location:'$te);
echo "location:..".$request->variable('HTTP_REFERER', '', false, \phpbb\request\request_interface::SERVER);
Solution

  • phpBBs $request class is escaping your HTTP_REFERER as part of its built in sanitisation. To temporarily enable globals you can use $request->enable_super_globals(); but you will have to do your own checks/sanitisation to make sure the values are safe. Once you have your value you can disable globals again with $request->disable_super_globals();

    Alternatively, you could use str_replace to get your ampersand character back which is safer than the above as the class will still check and sanitise for you...

    $te = str_replace('&amp','&',$request->variable('HTTP_REFERER', '', false, \phpbb\request\request_interface::SERVER));