manilaSuite.referer.checkNew

The referer check for "trojan horse" does not cater to browsers that leave the username and password (iCab 1.3 was one, and Palm WAP browsers are reputedly the same). Watch for that case and strip them out before checking.

on checkNew (urlName="discussNewThread", postURLName="discussPostEditedMessage")

«Make sure the referer is from a new-something page. Or the page where that posts to

unaltered lines omitted

manilaSuite.referer.mustNotBeEmpty ()

local (pta = html.getPageTableAddress ())

local (referer = pta^.requestHeaders.referer)

referer = string.popSuffix (referer, '$')

referer = string.popSuffix (referer, '?') //PBS 07/13/00: strip search args as well as path args

referer = string.popTrailing (referer, '/') //PBS 07/16/01

local (expectedReferer = pta^.urls^.[urlName])

expectedReferer = string.popSuffix (expectedReferer, '$')

expectedReferer = string.popTrailing (expectedReferer, '/') //PBS 07/16/01

«if not (string.lower (expectedReferer) beginsWith string.lower (referer))

unaltered lines omitted

«return (true)

case string.lower(referer) //04.06.23, 14:51:06 by DAB

string.lower(expectedReferer)

string.lower(pta^.urls^.[postURLName])

return true

log.add("checkNew:" + referer + "!=" + expectedReferer, "referer")

scriptError (manilaSuite.getString ("admin.refererDoesntMatchError"))

Relative to Frontier version 9.7b10