From 29bfd07727c92d5b0f03bc01ffd397432dd9e694 Mon Sep 17 00:00:00 2001
From: Robert Sesek
Date: Thu, 31 Mar 2005 22:07:51 +0000
Subject: [PATCH] We now hide the path when we use ISSO::_error_handler(). Added ability to check for foreign host POST requests.
---
 kernel.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/kernel.php b/kernel.php
index 233c735..417e290 100644
--- a/kernel.php
+++ b/kernel.php
@@ -331,6 +331,8 @@ class Shared_Object_Framework
 break;
 }
+ $errfile = str_replace(getcwd(), '', $errfile);
+
 $errstr .= " in $errfile on line $errline";
 $this->_message($title, $errstr, 3);
@@ -496,6 +498,22 @@ function iff($condition, $iftrue, $iffalse = null)
 return ($condition) ? ($iftrue) : ($iffalse);
 }
+if (defined('ISSO_CHECK_POST_REFERER'))
+{
+ if ($_SERVER['REQUEST_METHOD'] == 'POST')
+ {
+ $host = ($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $_ENV['HTTP_HOST'];
+ $host = preg_replace('#^www\.#i', '', $host);
+ $parts = parse_url($_SERVER['HTTP_REFERER']);
+ $ourhost = $parts['host'] . (($parts['port']) ? ":$parts[port]" : '');
+
+ if ($ourhost != $host)
+ {
+ trigger_error('No external hosts are allowed to POST to this application', ERR_FATAL);
+ }
+ }
+}
+
 /*=====================================================================*\
 || ###################################################################
 || # $HeadURL$
-- 
2.43.5
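Review bot: The path is hidden only when `$errfile` lies under the current working directory, and only in the file name: `str_replace(getcwd(), '', $errfile)` leaves the absolute path intact for files included from outside `getcwd()` (a shared library directory, or after a `chdir()`), and any path PHP embeds in `$errstr` itself is untouched. If the goal is to keep filesystem layout out of user-visible errors, scrubbing after the concatenation, `$errstr = str_replace(getcwd(), '', $errstr);`, or showing only `basename($errfile)` while logging the full path server-side would cover more cases. `getcwd()` can also return `false`, which is worth guarding before it is used as the search string. The enclosing handler starts and ends outside this hunk, so what `_message()` does with the text is not visible here.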
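Review bot: The `www.` prefix is stripped from `$host` but not from the Referer host, so a same-site POST made on `www.example.com` (constructed example) compares `example.com` against `www.example.com` and is refused as foreign. Normalise both sides the same way, e.g. `$ourhost = preg_replace('#^www\.#i', '', $parts['host']) . (($parts['port']) ? ":$parts[port]" : '');`, and compare with `!==` so numeric-looking host strings are not loosely equated. `$_SERVER['HTTP_REFERER']`, `$_SERVER['HTTP_HOST']` and `$parts['port']` are read without `isset()`, so a request with no Referer raises notices before it is rejected; an explicit `empty()` guard would make that fail-closed path deliberate. A Referer match is only a partial CSRF control, since clients and proxies can suppress the header and the check is opt-in via `ISSO_CHECK_POST_REFERER`, so it is worth pairing with a per-session form token.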