• I could not specifically find any other way to access what page I was on. This particular WooCommerce hook loads before get_current_screen or is_page() is available to me during the form submission, and I needed a way to tell my function exactly where I was in the dashboard for one specific form submission.

    The plugin that I was applying this fix to was built by someone else, and I was trying to tie it into my theme that I built for a client. The plugin developer does not supply any kind of hooks or filters whatsoever, sadly. They rely on their own back-and-forth of classes and methods.

With that in mind, is it kosher to get the value of $_POST['_wp_http_referer'] and check a specific value against it in the following way:

    function my_function( $order_id ) {
    	// The expected value of the hidden _wp_http_referer field for the one form this should react to.
    	// Double quotes so the apostrophe in the placeholder does not terminate the string.
    	$referer = "[specific http referer that you're looking for here]";
    	if ( isset( $_POST['_wp_http_referer'] ) && $_POST['_wp_http_referer'] === $referer ) {
    		// Do stuff here
    	}
    }
    add_action( 'woocommerce_checkout_update_order_meta', 'my_function' );

    Does this create any kind of security concern?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator bcworkz

    (@bcworkz)

    Nearly any data coming from the client must be treated as suspect. The value in $_POST['_wp_http_referer'] can easily be spoofed. Even the value in $_SERVER['HTTP_REFERER'] can be spoofed. AFAIK, the only reliable value from a client is in $_SERVER['REMOTE_ADDR'], the HTTP connection’s remote IP address. While the IP is certainly true due to handshaking protocols, it may belong to a proxy or load balancer and not the user’s true IP address.

    If spoofing such a value gains the user no security advantage, then it’s OK to use the value. For example, if the referrer is anything but the expected, normal value, the process dies, then the security implications are minimal. That is provided the expected, normal value does not confer any special privilege, and any such privileges are independently confirmed.

    Another example. If the referrer only dictates what sort of non-privileged content the user sees, such as what language the text is in, then it is safe to use the value. Never use such a value to confer any special privilege. It should only be used to decide inconsequential choices.

    If you must be sure a request comes from a particular page or form, use a security nonce to secure the transaction.

    Disclaimer: I am not a security expert. I may have inadvertently neglected to point out other related security concerns. Take what I have presented with appropriate caution. Confirm what I have said through independent sources for full assurance.
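    The nonce approach from the reply above, as an added example that is not code from the thread or from WooCommerce: a plugin form that emits a nonce with wp_nonce_field(), and two handlers for it, one relying on the spoofable referer and one that proves origin (nonce), confirms privilege separately (capability), and validates the input. The names my_plugin_*, the option key, the admin page slug and the manage_options capability are assumptions chosen for the illustration.

```php
<?php
// Added example, not from the thread. Names prefixed my_plugin_ are hypothetical.

// Render the form. wp_nonce_field() also emits _wp_http_referer, but only the
// nonce is worth anything to the handler: it is tied to the action name, the
// logged-in user and a limited time window, and cannot be guessed by a third party.
function my_plugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="my_plugin_save_note">
        <?php wp_nonce_field( 'my_plugin_save_note', 'my_plugin_nonce' ); ?>
        <label>Note <input type="text" name="note" maxlength="200"></label>
        <button type="submit">Save</button>
    </form>
    <?php
}

// WEAK (do not use): the referer field is client-supplied, so matching it proves
// nothing about where the request came from, and no privilege is checked at all.
function my_plugin_save_note_weak() {
    $referer = isset( $_POST['_wp_http_referer'] ) ? $_POST['_wp_http_referer'] : '';
    if ( $referer === '/wp-admin/admin.php?page=my-plugin' ) {
        update_option( 'my_plugin_note', $_POST['note'] ); // unsanitized, unauthorized
    }
}

// HARDENED: origin, privilege and input are each checked independently.
function my_plugin_save_note_secure() {
    // 1. Origin: the request must carry a nonce minted for this action.
    if ( ! isset( $_POST['my_plugin_nonce'] )
        || ! wp_verify_nonce( $_POST['my_plugin_nonce'], 'my_plugin_save_note' ) ) {
        wp_die( 'Invalid request.', 'Error', array( 'response' => 403 ) );
    }

    // 2. Privilege: a valid nonce is not authorization; confirm the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed.', 'Error', array( 'response' => 403 ) );
    }

    // 3. Input: even with a good nonce the value is still user data.
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    if ( mb_strlen( $note ) > 200 ) {
        wp_die( 'Note too long.', 'Error', array( 'response' => 400 ) );
    }

    update_option( 'my_plugin_note', $note );
    wp_safe_redirect( admin_url( 'admin.php?page=my-plugin&saved=1' ) );
    exit;
}
add_action( 'admin_post_my_plugin_save_note', 'my_plugin_save_note_secure' );
```

    Step 1 can be collapsed to check_admin_referer( 'my_plugin_save_note', 'my_plugin_nonce' ), which calls wp_verify_nonce() and dies on failure; it is kept explicit here to show that the referer field emitted alongside the nonce is never what gets checked.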

    Thread Starter Endlyss

    (@akel-res)

    Thanks for the reply, bcworkz!

    I apologize for taking so long to get back to you about this. I had been working on other aspects of the project in the meantime.

    That makes perfect sense to me. I really appreciate the in-depth response.

    This particular action attaches meta data to a woocommerce order item. Is that considered a “special privilege”?

    And in practice, is there any harm in verifying a nonce no matter what? For example, if in situations like this, where I am questioning whether or not I should, would it be bad if I just programmed a nonce-check anyway, just in case?

    Moderator bcworkz

    (@bcworkz)

    No worries on response times, I’m usually around and it’s not slowing down my project.

    If the meta data is determined by code (it’s not coming directly from the user’s input), then that’s fine. If you are adding meta data provided by the user, it could be a malicious SQL injection attempt. This doesn’t mean you should not use referrer values, but the received data should be treated with great caution and properly validated and sanitized.

    IMO, any form input should include a nonce field that is verified when the form data is submitted. It doesn’t stop all malicious attacks, but it prevents the worst kind that hammer your site with bogus post data that didn’t even come from your form. At least with a nonce, they have to get the form, fill in the fields and submit it.

    FWIW, I’m fairly sure WC orders already include a nonce. To verify it independently from WC though, you would need to know how WC created the nonce in the first place. Also be aware that a WP nonce is not a true use-once nonce. It is a use-as-many-times-as-you-want-for-24-hours security token. This is OK for most applications, but for truly critical applications, a true nonce may be warranted.
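    The validate-and-sanitize advice from the reply above, as an added example that is not code from the thread or from WooCommerce: a custom checkout field saved as order meta through the same woocommerce_checkout_update_order_meta hook the original poster used. The field names gift_wrap and gift_note, the meta keys, and the allowed values are assumptions for the illustration; it also assumes (from WooCommerce core, verify against your installed version) that WC verifies its own checkout nonce before this hook fires, so the callback concentrates on the data rather than re-checking origin.

```php
<?php
// Added example, not from the thread. Names prefixed my_theme_ are hypothetical.

// Register the fields on the checkout form, so they travel with the form WC
// already protects with its own nonce.
function my_theme_checkout_fields( $fields ) {
    $fields['order']['gift_wrap'] = array(
        'type'     => 'select',
        'label'    => 'Gift wrap',
        'options'  => array( 'none' => 'None', 'paper' => 'Paper', 'box' => 'Box' ),
        'required' => false,
    );
    $fields['order']['gift_note'] = array(
        'type'     => 'text',
        'label'    => 'Gift note',
        'required' => false,
    );
    return $fields;
}
add_filter( 'woocommerce_checkout_fields', 'my_theme_checkout_fields' );

// Fires after WC has created the order. $order_id is the new order; $data is the
// checkout data WC assembled from the post. The values are still user input.
function my_theme_save_gift_meta( $order_id, $data ) {
    // Enumerated field: validate against a whitelist, do not merely sanitize.
    $allowed  = array( 'none', 'paper', 'box' );
    $raw_wrap = isset( $_POST['gift_wrap'] ) ? wp_unslash( $_POST['gift_wrap'] ) : 'none';
    $wrap     = in_array( $raw_wrap, $allowed, true ) ? $raw_wrap : 'none';

    // Free-text field: strip tags and control characters, then cap the length.
    $raw_note = isset( $_POST['gift_note'] ) ? wp_unslash( $_POST['gift_note'] ) : '';
    $note     = mb_substr( sanitize_text_field( $raw_note ), 0, 200 );

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return;
    }
    // Use the order object rather than update_post_meta() so the code keeps
    // working when orders are stored in WC's custom tables.
    $order->update_meta_data( '_gift_wrap', $wrap );
    if ( '' !== $note ) {
        $order->update_meta_data( '_gift_note', $note );
    }
    $order->save();
}
add_action( 'woocommerce_checkout_update_order_meta', 'my_theme_save_gift_meta', 10, 2 );

// Anything read back for display is escaped at output time, not trusted because
// it was sanitized on the way in.
function my_theme_show_gift_note( $order ) {
    $note = $order->get_meta( '_gift_note' );
    if ( '' !== $note ) {
        echo '<p><strong>Gift note:</strong> ' . esc_html( $note ) . '</p>';
    }
}
add_action( 'woocommerce_admin_order_data_after_billing_address', 'my_theme_show_gift_note' );
```

    Whitelisting the select value means a spoofed or hand-crafted post cannot store an unexpected option at all, and escaping on output covers the case where the meta is later rendered in the admin order screen.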

  • The topic ‘Is it kosher to directly access and check the http referer’ is closed to new replies.