When running under Apache with 'UseCanonicalName on' and ServerName set to a value that's different than the host name typically used to access the site, the referrer checks in uc_store.module don't work correctly. The symptom of this is that the entered form information is lost if the user clicks the "go back" button on the checkout review page.

When "UseCanonicalName off", Apache sets the SERVER_NAME environment variable to whatever is supplied by the client through the http 'Host' header. Otherwise, SERVER_NAME is whatever the VirtualHost's ServerName directive is.

$_SERVER['HTTP_HOST'] is always the http 'Host' header, and this is certainly what should be used instead of $_SERVER['SERVER_NAME'].

Attached patch corrects this.

Files:
#10 uc_store-uc_referer_check-1288114.patch (952 bytes, dpearceMN): FAILED: [[SimpleTest]]: [MySQL] 1,156 pass(es), 5 fail(s), and 3 exception(s).
#9 uc_store-uc_referer_check-1288114.patch (952 bytes, dpearceMN): PASSED: [[SimpleTest]]: [MySQL] 1,912 pass(es).
fix_uc_store_servername.patch (952 bytes, JohnWorkman): FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch fix_uc_store_servername.patch. Unable to apply patch. See the log in the details link for more information.

Comments

Perhaps we should backport #273574: Reduce HTTP_REFERER checks and remove this code entirely.

Also is HTTP_HOST reliable in web servers other than Apache?

I also found some comments suggesting HTTP_HOST may contain a port number in some circumstances; will this affect anything here?

#334419: $_SERVER['HTTP_HOST'] has port number and regex doesn't strip it.
http://stackoverflow.com/questions/4504831/serverhttp-host-contains-port...
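As an added illustration of the SERVER_NAME versus HTTP_HOST point from the opening post and of the port-number concern raised just above (this is not Ubercart's own uc_referer_check() code; the function names and the $_SERVER-style arrays are constructed for the example):

```php
<?php
// Added example, not Ubercart's uc_referer_check(): compare the host named in
// HTTP_REFERER against the host the client actually used, taken from HTTP_HOST
// rather than SERVER_NAME. Function names and sample arrays are hypothetical.

/**
 * Strip an optional ":port" suffix from a host value such as HTTP_HOST,
 * which can carry one (for example "shop.example.com:8080"), as the thread notes.
 */
function hostname_without_port($host) {
  // IPv6 literals look like "[::1]:8080"; keep only the bracketed part.
  if ($host !== '' && $host[0] === '[') {
    $end = strpos($host, ']');
    return strtolower($end === FALSE ? $host : substr($host, 0, $end + 1));
  }
  $colon = strpos($host, ':');
  return strtolower($colon === FALSE ? $host : substr($host, 0, $colon));
}

/**
 * TRUE when the Referer header names the same host the client used to reach
 * this site. $server stands in for $_SERVER so the function can be exercised
 * with constructed input.
 */
function referer_matches_request_host(array $server) {
  if (empty($server['HTTP_REFERER']) || empty($server['HTTP_HOST'])) {
    return FALSE;
  }
  $referer_host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
  if ($referer_host === FALSE || $referer_host === NULL) {
    return FALSE;
  }
  return hostname_without_port($referer_host) === hostname_without_port($server['HTTP_HOST']);
}

// Constructed request: Apache with UseCanonicalName on reports the VirtualHost's
// ServerName, but the user reached the site (and so the Referer) via an alias
// that also carries a port.
$request = array(
  'SERVER_NAME'  => 'canonical.example.com',
  'HTTP_HOST'    => 'shop.example.com:8080',
  'HTTP_REFERER' => 'http://shop.example.com:8080/cart/checkout/review',
);

// The SERVER_NAME-based comparison rejects this legitimate "go back" request,
// which is the symptom described in the issue.
$old_check = parse_url($request['HTTP_REFERER'], PHP_URL_HOST) === $request['SERVER_NAME'];
var_dump($old_check);

// The HTTP_HOST-based comparison, with the port stripped on both sides, accepts it.
var_dump(referer_matches_request_host($request));
```

Both HTTP_HOST and HTTP_REFERER come from the client, as the thread points out, so agreement between them only confirms that the referring page is consistent with the host the browser used; it is a sanity check for the back-button flow, not an authorization control, and the form data itself should not be trusted any more because the check passes.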

The symptom of this is that the entered form information is lost if the user clicks the "go back" button on the checkout review page.

I had this same ubercart back button issue caused by $_SERVER['SERVER_NAME'] variable: #1128908-2: Billing Information clears after clicking back button on Review order page

I applied the patch manually since it's formatted a little weird, but swapping $_SERVER['SERVER_NAME'] with $_SERVER['HTTP_HOST'] seems to fix the problem. Thanks JohnWorkman.

longwave, thanks for looking into this. I don't know how reliable HTTP_HOST is in general.

By the way, I'm not 100% sure I have UseCanonicalName turned on, but the rest of this issue sounds like my problem.

Title:uc_referer_check(), referrer checking code doesn't work on Apache with UseCanonicalName on.» uc_referer_check(), referrer checking code doesn't work on Apache with UseCanonicalName on, ubercart back button loses data

Adding keywords to title to help with SEO.

Status:Active» Reviewed & tested by the community

Just to confirm that this patch fixes the issue we were seeing, where delivery/billing details are lost if there's an error in the credit card inputs on the checkout screen.

In our case we're on Nginx + FastCGI, so I can vouch for $_SERVER['HTTP_HOST'] being present in this environment. In fact, all headers starting with HTTP_ in that array are the actual headers supplied by the client (it's the only reliable way in PHP to read these, in fact), so I think you can be pretty certain it's set. You'll see Drupal core reads $_SERVER['HTTP_HOST'] in many places (e.g. bootstrap.inc) when resolving which site of a multisite install it'll use for a given domain.

Our Nginx is configured with a wildcard regexp servername in this case:

server_name ~^[^\.]+\.sandboxes\.dev\.mydomain$;

And $_SERVER['SERVER_NAME'] was set to:

["SERVER_NAME"]=>
string(56) "~^[^\.]+\.sandboxes\.dev\.mydomain$"

Status:Reviewed & tested by the community» Needs work

The last submitted patch, fix_uc_store_servername.patch, failed testing.

New file (952 bytes): PASSED: [[SimpleTest]]: [MySQL] 1,912 pass(es).

Hopefully this patch will be accepted.

New file (952 bytes): FAILED: [[SimpleTest]]: [MySQL] 1,156 pass(es), 5 fail(s), and 3 exception(s).
New file (952 bytes): FAILED: [[SimpleTest]]: [MySQL] 1,162 pass(es), 5 fail(s), and 3 exception(s).

Hopefully this patch will be accepted.

Status:Needs work» Needs review

Status:Needs review» Needs work

The last submitted patch, uc_store-uc_referer_check-1288114.patch, failed testing.

@dpearceMN: You can run the tests locally to debug your patch - just install the SimpleTest module.

Version:6.x-2.6» 6.x-2.x-dev
Status:Needs work» Needs review

Please test the patch in #273574-38: Reduce HTTP_REFERER checks which removes the referer checks and should solve this bug.

Status:Needs review» Closed (duplicate)

Closing as duplicate of #273574: Reduce HTTP_REFERER checks