fix #9 redirect to configured site url if the protocol or host is wrong
mentioned in commit cb0c6c7c
Great Alan
Do you think this change will invalidate the next function in includes/http/Request.php?
    protected function validateReferer() {
        $user = vglobal('current_user');
        // Referer check if present - to over come
        if (isset($_SERVER['HTTP_REFERER']) && $user) { // Check for user post authentication.
            global $site_URL;
            if ((stripos($_SERVER['HTTP_REFERER'], $site_URL) !== 0) && ($this->get('module') != 'Install')) {
                throw new Exception('Illegal request');
            }
        }
        return true;
    }
I've just merged this into my current version and I'm hitting an issue.
I'm using nginx as a reverse proxy in front of Apache running Vtiger.
nginx is set up and listening on HTTPS only, Apache is listening on HTTP port 3021.
This appears to be incompatible with this new piece of checking as I suspect the SCHEME and HOST being returned aren't then the same as in the site url.
If it's not obvious where the issue is I'll happily add some tracing and output the state of variables at the point where it fails.
The issue surfaces as a redirect loop where https://xyz.com gets redirected to https://xyz.com.
cheers,
g
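
The redirect loop suspected in the comment above, reproduced as an added example (not code from this merge request or from Vtiger): a scheme/host check that honours `X-Forwarded-Proto` and `X-Forwarded-Host` only when the peer is a trusted proxy. The function names, the trusted-proxy list and the sample `$_SERVER` values are assumptions; it presumes nginx is configured to send both headers and connects from 127.0.0.1.

```php
<?php
// Added example; function names and sample values are hypothetical, not Vtiger's.

/** Scheme and host the client used; X-Forwarded-* is honoured only from trusted proxies. */
function effectiveOrigin(array $server, array $trustedProxies): array
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = strtolower($server['HTTP_HOST'] ?? '');

    // Forwarded headers are client-controlled unless the TCP peer is our own proxy.
    if (in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
        if ($proto === 'http' || $proto === 'https') {
            $scheme = $proto;
        }
        if (!empty($server['HTTP_X_FORWARDED_HOST'])) {
            // A proxy chain may append hosts; the first entry is the one the client used.
            $host = strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_HOST'])[0]));
        }
    }
    return [$scheme, $host];
}

/** Returns the configured site URL to redirect to, or null when the request already matches it. */
function redirectTarget(string $siteUrl, array $server, array $trustedProxies): ?string
{
    $site = parse_url($siteUrl);
    if ($site === false || !isset($site['scheme'], $site['host'])) {
        return null; // Unusable configuration: never redirect on it.
    }
    $siteHost = strtolower($site['host']) . (isset($site['port']) ? ':' . $site['port'] : '');
    [$scheme, $host] = effectiveOrigin($server, $trustedProxies);
    return ($scheme === strtolower($site['scheme']) && $host === $siteHost) ? null : $siteUrl;
}

// Constructed sample: what Apache on port 3021 sees for a request to https://xyz.com via nginx.
$behindProxy = [
    'REMOTE_ADDR'            => '127.0.0.1',
    'HTTP_HOST'              => '127.0.0.1:3021',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_HOST'  => 'xyz.com',
];

// Forwarded headers ignored: the backend sees http://127.0.0.1:3021 and redirects every time.
var_dump(redirectTarget('https://xyz.com', $behindProxy, []));
// Proxy trusted: the request matches the site URL and no redirect is issued.
var_dump(redirectTarget('https://xyz.com', $behindProxy, ['127.0.0.1']));
```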