When running under Apache with 'UseCanonicalName on' and ServerName set to a value that's different from the host name typically used to access the site, the referrer checks in uc_store.module don't work correctly. The symptom of this is that the entered form information is lost if the user clicks the "go back" button on the checkout review page.
When UseCanonicalName is off, Apache sets the SERVER_NAME environment variable to whatever the client supplied in the HTTP 'Host' header. Otherwise, SERVER_NAME is whatever the VirtualHost's ServerName directive is.
$_SERVER['HTTP_HOST'] is always the HTTP 'Host' header, and this is certainly what should be used instead of $_SERVER['SERVER_NAME'].
Attached patch corrects this.
| Comment | File | Size | Author |
|---|---|---|---|
| #10 | uc_store-uc_referer_check-1288114.patch | 952 bytes | dpearcefl |
| #9 | uc_store-uc_referer_check-1288114.patch | 952 bytes | dpearcefl |
| | fix_uc_store_servername.patch | 952 bytes | JohnWorkman |
Comments
Comment #1
longwave commented:
Perhaps we should backport #273574: Reduce HTTP_REFERER checks and remove this code entirely.
Comment #2
longwave commented:
Also, is HTTP_HOST reliable in web servers other than Apache?
Comment #3
longwave commented:
I also found some comments suggesting HTTP_HOST may contain a port number in some circumstances; will this affect anything here?
#334419: $_SERVER['HTTP_HOST'] has port number and regex doesn't strip it.
http://stackoverflow.com/questions/4504831/serverhttp-host-contains-port...
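The mechanism described in the issue summary (SERVER_NAME reflects Apache's ServerName when UseCanonicalName is on, while HTTP_HOST is the Host header the client actually sent) and the port question raised in comment #3 can be shown together in one PHP example. This is an added illustration, not code from uc_store.module or from any of the attached patches; the function names `example_request_host` and `example_referer_is_local` and the sample `$server` array are constructed for the example.

```php
<?php
// Added example (not uc_store.module code): a referer check that compares the
// Referer host against the client-supplied Host header rather than Apache's
// SERVER_NAME, and tolerates a ":port" suffix in HTTP_HOST.

/**
 * Return the host name the client actually used, lower-cased, without a port.
 *
 * Under Apache with "UseCanonicalName on", $_SERVER['SERVER_NAME'] is the
 * VirtualHost's ServerName, which may differ from the name in the browser's
 * address bar; $_SERVER['HTTP_HOST'] is the Host header the client sent.
 * When the site is served on a non-default port, browsers send "host:port",
 * so the port is stripped before comparison.
 */
function example_request_host(array $server) {
  $host = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';
  if ($host === '' && isset($server['SERVER_NAME'])) {
    // Fallback for CLI or misconfigured servers; not the preferred source.
    $host = $server['SERVER_NAME'];
  }
  // Strip an optional ":port"; the first alternative keeps bracketed IPv6
  // literals such as "[::1]" intact.
  if (preg_match('/^(\[[^\]]+\]|[^:]+)(:\d+)?$/', $host, $m)) {
    $host = $m[1];
  }
  return strtolower($host);
}

/**
 * TRUE if the Referer header points at this site.
 *
 * Both Referer and Host are supplied by the client, so this is a usability
 * guard (did the user arrive from one of our own pages?), not a security
 * control: a client can set both headers to whatever it likes.
 */
function example_referer_is_local(array $server) {
  if (empty($server['HTTP_REFERER'])) {
    return FALSE;
  }
  // parse_url() returns NULL when the host component is absent and FALSE
  // for a badly malformed URL; treat both as "not local".
  $ref_host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
  if ($ref_host === NULL || $ref_host === FALSE) {
    return FALSE;
  }
  return strtolower($ref_host) === example_request_host($server);
}

// Constructed sample request: ServerName differs from the name the browser
// used, and the site runs on a non-default port.
$server = array(
  'SERVER_NAME'  => 'canonical.example.com',            // Apache ServerName
  'HTTP_HOST'    => 'shop.example.com:8443',            // Host header as sent
  'HTTP_REFERER' => 'https://shop.example.com:8443/cart/checkout/review',
);

// Old behaviour: comparing the Referer host with SERVER_NAME does not match,
// which is the condition under which the checkout form data was being lost.
$old_check = parse_url($server['HTTP_REFERER'], PHP_URL_HOST) === $server['SERVER_NAME'];
var_dump($old_check);

// Corrected check: compare with the port-stripped Host header instead.
var_dump(example_referer_is_local($server));
```

Run it with `php example.php`; the first `var_dump` shows the SERVER_NAME comparison failing for this request and the second shows the HTTP_HOST comparison succeeding. Because both headers are attacker-controlled, a check like this only protects the user's own workflow, which is worth bearing in mind when weighing the proposal in comment #1 to remove the referer checks altogether.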
Comment #4
ericbroder commented:
I had this same Ubercart back button issue caused by the $_SERVER['SERVER_NAME'] variable: #1128908-2: Billing Information clears after clicking back button on Review order page
I applied the patch manually since it's formatted a little weird, but swapping $_SERVER['SERVER_NAME'] with $_SERVER['HTTP_HOST'] seems to fix the problem. Thanks JohnWorkman.
longwave, thanks for looking into this. I don't know how reliable HTTP_HOST is in general.
Comment #5
ericbroder commented:
By the way, I'm not 100% sure I have UseCanonicalName turned on, but the rest of this issue sounds like my problem.
Comment #6
ericbroder commented:
Adding keywords to the title to help with SEO.
Comment #7
neilnz commented:
Just to confirm that this patch fixes the issue we were seeing, where delivery/billing details are lost if there's an error in the credit card inputs on the checkout screen.
In our case we're on Nginx + FastCGI, so I can vouch for $_SERVER['HTTP_HOST'] being present in this environment. In fact, all headers starting with HTTP_ in that array are the actual headers supplied by the client (it's the only reliable way in PHP to read these, in fact), so I think you can be pretty certain it's set. You'll see Drupal core reads $_SERVER['HTTP_HOST'] in many places (eg. bootstrap.inc) when resolving which site of a multisite install it'll use for a given domain.
Our Nginx is configured with a wildcard regexp servername in this case:
And $_SERVER['SERVER_NAME'] was set to:
Comment #9
dpearcefl commented:
Hopefully this patch will be accepted.
Comment #10
dpearcefl commented:
Hopefully this patch will be accepted.
Comment #11
dpearcefl commented:

Comment #13
TR commented:
@dpearceMN: You can run the tests locally to debug your patch - just install the SimpleTest module.
Comment #14
longwave commented:

Comment #15
longwave commented:
#9: uc_store-uc_referer_check-1288114.patch queued for re-testing.
Comment #16
longwave commented:
Please test the patch in #273574-38: Reduce HTTP_REFERER checks, which removes the referer checks and should solve this bug.
Comment #17
longwave commented:
Closing as duplicate of #273574: Reduce HTTP_REFERER checks.