| Project: | Ubercart |
| Version: | 6.x-2.x-dev |
| Component: | Other |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (duplicate) |
Issue Summary
When running under Apache with 'UseCanonicalName on' and ServerName set to a value that's different than the host name typically used to access the site, the referrer checks in uc_store.module don't work correctly. The symptom of this is that the entered form information is lost if the user clicks the "go back" button on the checkout review page.
When "UseCanonicalName off", Apache sets the SERVER_NAME environment variable to whatever is supplied by the client through the HTTP 'Host' header. Otherwise, SERVER_NAME is whatever the VirtualHost's ServerName directive is.
$_SERVER['HTTP_HOST'] is always the HTTP 'Host' header, and this is certainly what should be used instead of $_SERVER['SERVER_NAME'].
Attached patch corrects this.
| Attachment | Size | Status | Test result |
|---|---|---|---|
| fix_uc_store_servername.patch | 952 bytes | Idle | FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch fix_uc_store_servername.patch. Unable to apply patch. See the log in the details link for more information. |
Comments
#1
Perhaps we should backport #273574: Reduce HTTP_REFERER checks and remove this code entirely.
#2
Also is HTTP_HOST reliable in web servers other than Apache?
#3
I also found some comments suggesting HTTP_HOST may contain a port number in some circumstances, will this affect anything here?
#334419: $_SERVER['HTTP_HOST'] has port number and regex doesn't strip it.
http://stackoverflow.com/questions/4504831/serverhttp-host-contains-port...
#4
I had this same Ubercart back button issue caused by the $_SERVER['SERVER_NAME'] variable: #1128908-2: Billing Information clears after clicking back button on Review order page
I applied the patch manually since it's formatted a little weird, but swapping $_SERVER['SERVER_NAME'] with $_SERVER['HTTP_HOST'] seems to fix the problem. Thanks JohnWorkman.
longwave, thanks for looking into this. I don't know how reliable HTTP_HOST is in general.
#5
By the way, I'm not 100% sure I have UseCanonicalName turned on, but the rest of this issue sounds like my problem.
#6
Adding keywords to title to help with SEO.
#7
Just to confirm that this patch fixes the issue we were seeing, where delivery/billing details are lost if there's an error in the credit card inputs on the checkout screen.
In our case we're on Nginx + FastCGI, so I can vouch for $_SERVER['HTTP_HOST'] being present in this environment. In fact, all headers starting with HTTP_ in that array are the actual headers supplied by the client (it's the only reliable way in PHP to read these, in fact), so I think you can be pretty certain it's set. You'll see Drupal core reads $_SERVER['HTTP_HOST'] in many places (e.g. bootstrap.inc) when resolving which site of a multisite install it'll use for a given domain.
Our Nginx is configured with a wildcard regexp servername in this case:
server_name ~^[^\.]+\.sandboxes\.dev\.mydomain$;
And $_SERVER['SERVER_NAME'] was set to:
["SERVER_NAME"]=>
string(56) "~^[^\.]+\.sandboxes\.dev\.mydomain$"
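The host comparison discussed in #3 and #7, as an added example that is not part of any comment and is not Ubercart's code: a referer check against a normalized HTTP_HOST (port stripped), shown next to a SERVER_NAME comparison. Function names, host names and URL paths are constructed for illustration.

```php
<?php
// Added example; not code from uc_store.module. Function names are hypothetical.

// Reduce Host header content to a bare lowercase host name:
// "Shop.Example.test:8080" -> "shop.example.test", "[::1]:8080" -> "[::1]".
function example_normalize_host($value) {
  $value = strtolower(trim((string) $value));
  // Accept only host or host:port; paths, spaces and regexes are rejected.
  if (!preg_match('/^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::\d+)?$/', $value, $m)) {
    return NULL;
  }
  $host = rtrim($m[1], '.');
  return $host === '' ? NULL : $host;
}

// TRUE when the Referer URL names the same host as the request's Host header.
// Both values are client-supplied, so this only tells same-site navigation
// apart from an external entry point.
function example_referer_is_same_host(array $server) {
  if (empty($server['HTTP_HOST']) || empty($server['HTTP_REFERER'])) {
    return FALSE;
  }
  $host = example_normalize_host($server['HTTP_HOST']);
  // parse_url() already drops the port from the Referer URL.
  $referer = example_normalize_host(parse_url($server['HTTP_REFERER'], PHP_URL_HOST));
  return $host !== NULL && $host === $referer;
}

// Constructed request environments modelled on the two cases in this thread.
$cases = array(
  'Apache, UseCanonicalName on' => array(
    'SERVER_NAME' => 'canonical.example.test',
    'HTTP_HOST' => 'shop.example.test',
    'HTTP_REFERER' => 'http://shop.example.test/cart/checkout/review',
  ),
  'Nginx, regex server_name' => array(
    'SERVER_NAME' => '~^[^\.]+\.sandboxes\.dev\.mydomain$',
    'HTTP_HOST' => 'alice.sandboxes.dev.mydomain:8080',
    'HTTP_REFERER' => 'http://alice.sandboxes.dev.mydomain:8080/cart/checkout/review',
  ),
);
foreach ($cases as $label => $server) {
  // Stand-in for a SERVER_NAME-based comparison (assumed shape, not the module's code).
  $naive = parse_url($server['HTTP_REFERER'], PHP_URL_HOST) === $server['SERVER_NAME'];
  printf("%s: SERVER_NAME match=%s, normalized Host match=%s\n", $label,
    var_export($naive, TRUE), var_export(example_referer_is_same_host($server), TRUE));
}
```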
#8
The last submitted patch, fix_uc_store_servername.patch, failed testing.
#9
Hopefully this patch will be accepted.
#11
#12
The last submitted patch, uc_store-uc_referer_check-1288114.patch, failed testing.
#13
@dpearceMN: You can run the tests locally to debug your patch - just install the SimpleTest module.
#14
#15
#9: uc_store-uc_referer_check-1288114.patch queued for re-testing.
#16
Please test the patch in #273574-38: Reduce HTTP_REFERER checks which removes the referer checks and should solve this bug.
#17
Closing as duplicate of #273574: Reduce HTTP_REFERER checks