When running under Apache with 'UseCanonicalName on' and ServerName set to a value that's different from the host name typically used to access the site, the referrer checks in uc_store.module don't work correctly. The symptom of this is that the entered form information is lost if the user clicks the "go back" button on the checkout review page.

When "UseCanonicalName off", Apache sets the SERVER_NAME environment variable to whatever is supplied by the client through the http 'Host' header. Otherwise, SERVER_NAME is whatever the VirtualHost's ServerName directive is.

$_SERVER['HTTP_HOST'] is always the http 'Host' header, and this is certainly what should be used instead of $_SERVER['SERVER_NAME'].

Attached patch corrects this.


Comments

longwave

Perhaps we should backport #273574: Reduce HTTP_REFERER checks and remove this code entirely.

longwave

Also, is HTTP_HOST reliable in web servers other than Apache?

longwave

I also found some comments suggesting HTTP_HOST may contain a port number in some circumstances; will this affect anything here?

#334419: $_SERVER['HTTP_HOST'] has port number and regex doesn't strip it.
http://stackoverflow.com/questions/4504831/serverhttp-host-contains-port...
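A hypothetical reimplementation of the check under discussion, added here as an example and not the module's own uc_referer_check() code: it compares the Referer host with the client-sent Host header rather than SERVER_NAME, and strips the ":port" suffix that HTTP_HOST can carry. The uc_example_* function names, hostnames and header values are assumptions.

```php
<?php
// Added example, not uc_store.module's own uc_referer_check(): a referrer
// check that compares the Referer host with the client-sent Host header
// (HTTP_HOST) instead of SERVER_NAME, and tolerates a ":port" suffix as
// raised in #334419. All header values below are constructed samples.

/**
 * Host part of a Host header value with any port removed. Handles
 * "host", "host:8080", "[::1]" and "[::1]:8080".
 */
function uc_example_host_without_port($http_host) {
  $host = strtolower(trim($http_host));
  if ($host !== '' && $host[0] === '[') {
    // Bracketed IPv6 literal: keep the brackets, drop a trailing :port.
    $end = strpos($host, ']');
    return ($end === FALSE) ? $host : substr($host, 0, $end + 1);
  }
  $colon = strpos($host, ':');
  return ($colon === FALSE) ? $host : substr($host, 0, $colon);
}

/**
 * TRUE when the Referer names the same host the client addressed.
 * parse_url() already returns the host without its port (and keeps the
 * brackets of an IPv6 literal), so only HTTP_HOST needs stripping.
 */
function uc_example_referer_matches_host(array $server) {
  if (empty($server['HTTP_REFERER']) || empty($server['HTTP_HOST'])) {
    return FALSE;
  }
  $referer_host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
  if (!$referer_host) {
    return FALSE;
  }
  return strtolower($referer_host) === uc_example_host_without_port($server['HTTP_HOST']);
}

// Constructed request: the shop is reached as shop.example.test:8080 while
// Apache's ServerName (hence SERVER_NAME under "UseCanonicalName on") is
// www.example.test. A comparison against SERVER_NAME would wrongly fail here.
$request = array(
  'SERVER_NAME'  => 'www.example.test',
  'HTTP_HOST'    => 'shop.example.test:8080',
  'HTTP_REFERER' => 'https://shop.example.test:8080/cart/checkout/review',
);
var_dump(uc_example_referer_matches_host($request));
var_dump(parse_url($request['HTTP_REFERER'], PHP_URL_HOST) === $request['SERVER_NAME']);
```

The second var_dump() shows why the SERVER_NAME comparison loses the form data in the setup described above: the Referer host and the canonical ServerName differ even though the request is legitimate.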

ericbroder

The symptom of this is that the entered form information is lost if the user clicks the "go back" button on the checkout review page.

I had this same ubercart back button issue caused by $_SERVER['SERVER_NAME'] variable: #1128908-2: Billing Information clears after clicking back button on Review order page

I applied the patch manually since it's formatted a little weirdly, but swapping $_SERVER['SERVER_NAME'] with $_SERVER['HTTP_HOST'] seems to fix the problem. Thanks JohnWorkman.

longwave, thanks for looking into this. I don't know how reliable HTTP_HOST is in general.

ericbroder

By the way, I'm not 100% sure I have UseCanonicalName turned on, but the rest of this issue sounds like my problem.

ericbroder

Title: uc_referer_check(), referrer checking code doesn't work on Apache with UseCanonicalName on. » uc_referer_check(), referrer checking code doesn't work on Apache with UseCanonicalName on, ubercart back button loses data

Adding keywords to title to help with SEO.

neilnz

Status: Active » Reviewed & tested by the community

Just to confirm that this patch fixes the issue we were seeing, where delivery/billing details are lost if there's an error in the credit card inputs on the checkout screen.

In our case we're on Nginx + FastCGI, so I can vouch for $_SERVER['HTTP_HOST'] being present in this environment. In fact, all headers starting with HTTP_ in that array are the actual headers supplied by the client (it's the only reliable way in PHP to read these, in fact), so I think you can be pretty certain it's set. You'll see Drupal core reads $_SERVER['HTTP_HOST'] in many places (e.g. bootstrap.inc) when resolving which site of a multisite install it'll use for a given domain.

Our Nginx is configured with a wildcard regexp servername in this case:

server_name ~^[^\.]+\.sandboxes\.dev\.mydomain$;

And $_SERVER['SERVER_NAME'] was set to:

  ["SERVER_NAME"]=>
  string(56) "~^[^\.]+\.sandboxes\.dev\.mydomain$"

Status: Reviewed & tested by the community » Needs work

The last submitted patch, fix_uc_store_servername.patch, failed testing.

dpearcefl

Hopefully this patch will be accepted.

dpearcefl

Hopefully this patch will be accepted.

dpearcefl

Status: Needs work » Needs review

Status: Needs review » Needs work

The last submitted patch, uc_store-uc_referer_check-1288114.patch, failed testing.

TR

@dpearceMN: You can run the tests locally to debug your patch - just install the SimpleTest module.

longwave

Version: 6.x-2.6 » 6.x-2.x-dev
Status: Needs work » Needs review
longwave

Please test the patch in #273574-38: Reduce HTTP_REFERER checks which removes the referer checks and should solve this bug.

longwave

Status: Needs review » Closed (duplicate)

Closing as duplicate of #273574: Reduce HTTP_REFERER checks.