WordPress and bbPress use $_SERVER['HTTP_HOST'] here and there and this is a bad thing if a reverse proxy is involved.
If you are using Apache mod_proxy use:
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypreservehost
If you’re an nginx guy go with:
proxy_set_header Host $http_host;
Also check if you are using HTTP_X_FORWARDED_HOST in the correct way, in order to get the “real” IP address of the request.
Do not touch bbp_verify_nonce_request.
This does make sense, but opens up a security hole in the process. The purpose of this function is to make sure that requests go to the same place they came from, and you’re basically removing that part of it completely.
I put a filter on the $requested_url variable for 2.2; it will allow people with this type of configuration to swap out the URL contents, essentially setting your own match criteria.
What @zaerl says still holds completely true, however. Handling this at the server level should be the first thing you do.
Thanks so much for your kind advice.
Solving it on the proxy host as proposed by @zaerl is most likely the best way; however, the reverse proxy is running on a shared web hosting system, and I just have a web interface to enter the forward address. I'll check, but maybe it's not possible to apply the parameters suggested by @zaerl.
Maybe there is a chance HTTP_X_FORWARDED_HOST is set, then I could use something like this (??):
$_SERVER["HTTP_X_FORWARDED_HOST"]? $_SERVER["HTTP_X_FORWARDED_HOST"] : $_SERVER["HTTP_HOST"]
(sorry if this is wrong syntax, but I don’t know PHP)
I'll have a look at 2.2 once it's released. Maybe this is also helpful.
BTW: Is a nonce check not usually done using a cryptographic hash (token)? I wonder why here you just check HTTP header attributes. Is this a strong check?
The result of the nonce check comes from WordPress’s function: wp_verify_nonce()
It does the token check like you’re looking for.
I was offline for a week and finally found some time to give it a try. I used the code below to use HTTP_X_FORWARDED_HOST, if it's provided, in the function bbp_verify_nonce_request, so I do not skip any checks this way.
function bbp_verify_nonce_request( $action = '', $query_arg = '_wpnonce' ) {
    // Get the home URL
    $home_url = strtolower( home_url() );

    // Build the currently requested URL
    $scheme = is_ssl() ? 'https://' : 'http://';

    // Prefer the host the reverse proxy forwarded; fall back to the Host header.
    // isset() avoids a PHP notice when the header is not present.
    $request_host  = isset( $_SERVER['HTTP_X_FORWARDED_HOST'] ) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER['HTTP_HOST'];
    $requested_url = strtolower( $scheme . $request_host . $_SERVER['REQUEST_URI'] );

    // Check the nonce
    $result = isset( $_REQUEST[$query_arg] ) ? wp_verify_nonce( $_REQUEST[$query_arg], $action ) : false;

    // Nonce check failed: no valid token, no action, or the request did not target this site
    if ( empty( $result ) || empty( $action ) || ( strpos( $requested_url, $home_url ) !== 0 ) )
        $result = false;

    // Do extra things
    do_action( 'bbp_verify_nonce_request', $action, $result );

    return $result;
}
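The following is an added example (not bbPress's or WordPress's code, and not part of the original thread) showing one way to apply @zaerl's point about using HTTP_X_FORWARDED_HOST correctly: the forwarded host is honoured only when the connection actually comes from the known proxy address, and the resulting URL is then put through the same home_url() prefix test that bbp_verify_nonce_request performs. The proxy address, the sample $_SERVER arrays and the home URL are constructed for illustration; effective_request_host and request_matches_home are assumed helper names, and $server['HTTPS'] stands in for WordPress's is_ssl(). wp_verify_nonce() itself is untouched and stays with WordPress.

```php
<?php
// Added example, not bbPress code. Assumptions: the reverse proxy's address(es)
// are known and listed in $trusted_proxies, and the proxy sets X-Forwarded-Host
// on every request it forwards.

function effective_request_host( array $server, array $trusted_proxies ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    $host   = isset( $server['HTTP_HOST'] )   ? $server['HTTP_HOST']   : '';

    // Honour X-Forwarded-Host only when the TCP peer is our proxy. The header
    // is ordinary request input, so from any other peer it is not trusted.
    if ( in_array( $remote, $trusted_proxies, true ) && ! empty( $server['HTTP_X_FORWARDED_HOST'] ) ) {
        // Proxy chains append hosts comma-separated; the first entry is the
        // host the original client asked for.
        $forwarded = explode( ',', $server['HTTP_X_FORWARDED_HOST'] );
        $host      = trim( $forwarded[0] );
    }

    // Accept only hostname characters plus an optional port; reject the rest.
    if ( ! preg_match( '/^[a-z0-9.-]+(:[0-9]{1,5})?$/i', $host ) ) {
        return '';
    }
    return strtolower( $host );
}

function request_matches_home( array $server, $home_url, array $trusted_proxies ) {
    $host = effective_request_host( $server, $trusted_proxies );
    if ( $host === '' ) {
        return false;
    }
    // Stand-in for is_ssl(): WordPress looks at the same server variable.
    $scheme        = ( ! empty( $server['HTTPS'] ) && $server['HTTPS'] !== 'off' ) ? 'https://' : 'http://';
    $requested_url = strtolower( $scheme . $host . $server['REQUEST_URI'] );

    // Same prefix test bbp_verify_nonce_request performs against home_url().
    return strpos( $requested_url, strtolower( $home_url ) ) === 0;
}

// Constructed sample data, not real traffic.
$trusted_proxies = array( '10.0.0.5' );
$home_url        = 'http://forum.example.com';

// Request that arrived through the proxy: the forwarded host is used.
$via_proxy = array(
    'REMOTE_ADDR'           => '10.0.0.5',
    'HTTP_HOST'             => 'backend.internal:8080',
    'HTTP_X_FORWARDED_HOST' => 'forum.example.com',
    'REQUEST_URI'           => '/topic/1',
);

// Request that reached the backend directly and carries the same header:
// the header is ignored and the Host header decides.
$direct = array(
    'REMOTE_ADDR'           => '203.0.113.9',
    'HTTP_HOST'             => 'backend.internal:8080',
    'HTTP_X_FORWARDED_HOST' => 'forum.example.com',
    'REQUEST_URI'           => '/topic/1',
);

var_dump( request_matches_home( $via_proxy, $home_url, $trusted_proxies ) );
var_dump( request_matches_home( $direct, $home_url, $trusted_proxies ) );
```

Run with the PHP CLI: the request routed through the listed proxy passes the home-URL test, while the direct request fails it because its forwarded host is not trusted and the raw Host header does not match home_url(). In a real deployment $trusted_proxies would hold the reverse proxy's actual address(es), and the helper would replace the bare $_SERVER lookup inside bbp_verify_nonce_request.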