MDL-49360 core_lib: add new method get_local_referer()

This commit also replace all usages of $_SERVER['HTTP_REFERER'] and get_referer().

MDL-49360 core_lib: add new method get_local_referer()
This commit also replace all usages of $_SERVER['HTTP_REFERER'] and get_referer().
dcee0b94 · Simey Lameze · d8462543 · dcee0b94 · dcee0b94 · dcee0b94
Commit dcee0b94 authored Jun 12, 2015 by Simey Lameze
--- a/auth/ldap/auth.php
+++ b/auth/ldap/auth.php
@@ -1642,7 +1642,7 @@ class auth_plugin_ldap extends auth_plugin_base {

        if (($_SERVER['REQUEST_METHOD'] === 'GET'         // Only on initial GET of loginpage
             || ($_SERVER['REQUEST_METHOD'] === 'POST'
-                 && (get_referer() != strip_querystring(qualified_me()))))
+                 && (get_local_referer() != strip_querystring(qualified_me()))))
                                                          // Or when POSTed from another place
                                                          // See MDL-14071
            && !empty($this->config->ntlmsso_enabled)     // SSO enabled
@@ -1653,13 +1653,15 @@ class auth_plugin_ldap extends auth_plugin_base {

            // First, let's remember where we were trying to get to before we got here
            if (empty($SESSION->wantsurl)) {
-                $SESSION->wantsurl = (array_key_exists('HTTP_REFERER', $_SERVER) &&
-                                      $_SERVER['HTTP_REFERER'] != $CFG->wwwroot &&
-                                      $_SERVER['HTTP_REFERER'] != $CFG->wwwroot.'/' &&
-                                      $_SERVER['HTTP_REFERER'] != $CFG->httpswwwroot.'/login/' &&
-                                      $_SERVER['HTTP_REFERER'] != $CFG->httpswwwroot.'/login/index.php' &&
-                                      clean_param($_SERVER['HTTP_REFERER'], PARAM_LOCALURL) != '')
-                    ? $_SERVER['HTTP_REFERER'] : NULL;
+                $SESSION->wantsurl = null;
+                $referer = get_safe_referer(false);
+                if ($referer &&
+                        $referer != $CFG->wwwroot &&
+                        $referer != $CFG->wwwroot . '/' &&
+                        $referer != $CFG->httpswwwroot . '/login/' &&
+                        $referer != $CFG->httpswwwroot . '/login/index.php') {
+                    $SESSION->wantsurl = $referer;
+                }
            }

            // Now start the whole NTLM machinery.

--- a/course/togglecompletion.php
+++ b/course/togglecompletion.php
@@ -78,7 +78,7 @@ if ($courseid) {
        }

        // Return to previous page
-        $referer = clean_param($_SERVER['HTTP_REFERER'], PARAM_LOCALURL);
+        $referer = get_local_referer(false);
        if (!empty($referer)) {
            redirect($referer);
        } else {

--- a/enrol/index.php
+++ b/enrol/index.php
@@ -29,7 +29,7 @@ $id = required_param('id', PARAM_INT);
 $returnurl = optional_param('returnurl', 0, PARAM_LOCALURL);

 if (!isloggedin()) {
-    $referer = clean_param(get_referer(), PARAM_LOCALURL);
+    $referer = get_local_referer();
    if (empty($referer)) {
        // A user that is not logged in has arrived directly on this page,
        // they should be redirected to the course page they are trying to enrol on after logging in.
@@ -108,7 +108,7 @@ if (!$forms) {
    } else if ($returnurl) {
        notice(get_string('notenrollable', 'enrol'), $returnurl);
    } else {
-        $url = clean_param(get_referer(false), PARAM_LOCALURL);
+        $url = get_local_referer(false);
        if (empty($url)) {
            $url = new moodle_url('/index.php');
        }

--- a/error/index.php
+++ b/error/index.php
@@ -29,7 +29,7 @@

    $site = get_site();
    $redirecturl = empty($_SERVER['REDIRECT_URL']) ? '' : $_SERVER['REDIRECT_URL'];
-    $httpreferer = empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER'];
+    $httpreferer = get_local_referer(false);
    $requesturi  = empty($_SERVER['REQUEST_URI'])  ? '' : $_SERVER['REQUEST_URI'];

    header("HTTP/1.0 404 Not Found");

--- a/lib/classes/session/manager.php
+++ b/lib/classes/session/manager.php
@@ -380,11 +380,12 @@ class manager {
            if (is_web_crawler()) {
                $user = guest_user();
            }
-            if (!empty($CFG->guestloginbutton) and !$user and !empty($_SERVER['HTTP_REFERER'])) {
+            $referer = get_local_referer(false);
+            if (!empty($CFG->guestloginbutton) and !$user and !empty($referer)) {
                // Automatically log in users coming from search engine results.
-                if (strpos($_SERVER['HTTP_REFERER'], 'google') !== false ) {
+                if (strpos($referer, 'google') !== false ) {
                    $user = guest_user();
-                } else if (strpos($_SERVER['HTTP_REFERER'], 'altavista') !== false ) {
+                } else if (strpos($referer, 'altavista') !== false ) {
                    $user = guest_user();
                }
            }

--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -2549,8 +2549,10 @@ function require_login($courseorid = null, $autologinguest = true, $cm = null, $
            if ($setwantsurltome) {
                $SESSION->wantsurl = qualified_me();
            }
-            if (!empty($_SERVER['HTTP_REFERER'])) {
-                $SESSION->fromurl  = $_SERVER['HTTP_REFERER'];
+
+            $referer = get_local_referer(false);
+            if (!empty($referer)) {
+                $SESSION->fromurl = $referer;
            }

            // Give auth plugins an opportunity to authenticate or redirect to an external login page

--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -234,6 +234,25 @@ function is_https() {
    return (strpos($CFG->httpswwwroot, 'https://') === 0);
 }

+/**
+ * Returns the cleaned local URL of the HTTP_REFERER less the URL query string parameters if required.
+ *
+ * @param bool $stripquery if true, also removes the query part of the url.
+ * @return string The resulting referer or empty string.
+ */
+function get_local_referer($stripquery = true) {
+    if (isset($_SERVER['HTTP_REFERER'])) {
+        $referer = clean_param($_SERVER['HTTP_REFERER'], PARAM_LOCALURL);
+        if ($stripquery) {
+            return strip_querystring($referer);
+        } else {
+            return $referer;
+        }
+    } else {
+        return '';
+    }
+}
+
 /**
 * Class for creating and manipulating urls.
 *

--- a/login/index.php
+++ b/login/index.php
@@ -258,15 +258,16 @@ if ($session_has_timed_out and !data_submitted()) {
 /// First, let's remember where the user was trying to get to before they got here

 if (empty($SESSION->wantsurl)) {
-    $SESSION->wantsurl = (array_key_exists('HTTP_REFERER',$_SERVER) &&
-                          $_SERVER["HTTP_REFERER"] != $CFG->wwwroot &&
-                          $_SERVER["HTTP_REFERER"] != $CFG->wwwroot.'/' &&
-                          $_SERVER["HTTP_REFERER"] != $CFG->httpswwwroot.'/login/' &&
-                          strpos($_SERVER["HTTP_REFERER"], $CFG->httpswwwroot.'/login/?') !== 0 &&
-                          strpos($_SERVER["HTTP_REFERER"], $CFG->httpswwwroot.'/login/index.php') !== 0 &&
-                          clean_param($_SERVER['HTTP_REFERER'], PARAM_LOCALURL) != '')
-                          // There might be some extra params such as ?lang=.
-        ? $_SERVER["HTTP_REFERER"] : NULL;
+    $SESSION->wantsurl = null;
+    $referer = get_local_referer(false);
+    if ($referer &&
+            $referer != $CFG->wwwroot &&
+            $referer != $CFG->wwwroot . '/' &&
+            $referer != $CFG->httpswwwroot . '/login/' &&
+            strpos($referer, $CFG->httpswwwroot . '/login/?') !== 0 &&
+            strpos($referer, $CFG->httpswwwroot . '/login/index.php') !== 0) { // There might be some extra params such as ?lang=.
+        $SESSION->wantsurl = $referer;
+    }
 }

 /// Redirect to alternative login URL if needed

--- a/mod/choice/view.php
+++ b/mod/choice/view.php
@@ -178,7 +178,7 @@ if (!$choiceformshown) {
    } else if (!is_enrolled($context)) {
        // Only people enrolled can make a choice
        $SESSION->wantsurl = qualified_me();
-        $SESSION->enrolcancel = clean_param($_SERVER['HTTP_REFERER'], PARAM_LOCALURL);
+        $SESSION->enrolcancel = get_local_referer(false);

        $coursecontext = context_course::instance($course->id);
        $courseshortname = format_string($course->shortname, true, array('context' => $coursecontext));

--- a/mod/forum/lib.php
+++ b/mod/forum/lib.php
@@ -3930,7 +3930,7 @@ function forum_set_return() {
    global $CFG, $SESSION;

    if (! isset($SESSION->fromdiscussion)) {
-        $referer = clean_param($_SERVER['HTTP_REFERER'], PARAM_LOCALURL);
+        $referer = get_local_referer(false);
        // If the referer is NOT a login screen then save it.
        if (! strncasecmp("$CFG->wwwroot/login", $referer, 300)) {
            $SESSION->fromdiscussion = $referer;

--- a/mod/forum/markposts.php
+++ b/mod/forum/markposts.php
@@ -98,7 +98,7 @@ if ($mark == 'read') {
 //        if (forum_tp_start_tracking($forum->id, $user->id)) {
 //            redirect($returnto, get_string("nowtracking", "forum", $info), 1);
 //        } else {
-//            print_error("Could not start tracking that forum", $_SERVER["HTTP_REFERER"]);
+//            print_error("Could not start tracking that forum", get_local_referer());
 //        }
 }


--- a/mod/forum/post.php
+++ b/mod/forum/post.php
@@ -53,7 +53,7 @@ $sitecontext = context_system::instance();

 if (!isloggedin() or isguestuser()) {

-    if (!isloggedin() and !get_referer()) {
+    if (!isloggedin() and !get_local_referer()) {
        // No referer+not logged in - probably coming in via email  See MDL-9052
        require_login();
    }
@@ -87,7 +87,7 @@ if (!isloggedin() or isguestuser()) {
    $PAGE->set_context($modcontext);
    $PAGE->set_title($course->shortname);
    $PAGE->set_heading($course->fullname);
-    $referer = clean_param(get_referer(false), PARAM_LOCALURL);
+    $referer = get_local_referer(false);

    echo $OUTPUT->header();
    echo $OUTPUT->confirm(get_string('noguestpost', 'forum').'<br /><br />'.get_string('liketologin'), get_login_url(), $referer);
@@ -117,7 +117,7 @@ if (!empty($forum)) {      // User is starting a new discussion in a forum
            if (!is_enrolled($coursecontext)) {
                if (enrol_selfenrol_available($course->id)) {
                    $SESSION->wantsurl = qualified_me();
-                    $SESSION->enrolcancel = clean_param($_SERVER['HTTP_REFERER'], PARAM_LOCALURL);
+                    $SESSION->enrolcancel = get_local_referer(false);
                    redirect(new moodle_url('/enrol/index.php', array('id' => $course->id,
                        'returnurl' => '/mod/forum/view.php?f=' . $forum->id)),
                        get_string('youneedtoenrol'));
@@ -131,11 +131,7 @@ if (!empty($forum)) {      // User is starting a new discussion in a forum
        print_error("activityiscurrentlyhidden");
    }

-    if (isset($_SERVER["HTTP_REFERER"])) {
-        $SESSION->fromurl = $_SERVER["HTTP_REFERER"];
-    } else {
-        $SESSION->fromurl = '';
-    }
+    $SESSION->fromurl = get_local_referer(false);

    // Load up the $post variable.

@@ -188,7 +184,7 @@ if (!empty($forum)) {      // User is starting a new discussion in a forum
        if (!isguestuser()) {
            if (!is_enrolled($coursecontext)) {  // User is a guest here!
                $SESSION->wantsurl = qualified_me();
-                $SESSION->enrolcancel = clean_param($_SERVER['HTTP_REFERER'], PARAM_LOCALURL);
+                $SESSION->enrolcancel = get_local_referer(false);
                redirect(new moodle_url('/enrol/index.php', array('id' => $course->id,
                    'returnurl' => '/mod/forum/view.php?f=' . $forum->id)),
                    get_string('youneedtoenrol'));

--- a/mod/forum/settracking.php
+++ b/mod/forum/settracking.php
@@ -66,7 +66,7 @@ if (forum_tp_is_tracked($forum) ) {
        $event->trigger();
        redirect($returnto, get_string("nownottracking", "forum", $info), 1);
    } else {
-        print_error('cannottrack', '', $_SERVER["HTTP_REFERER"]);
+        print_error('cannottrack', '', get_local_referer(false));
    }

 } else { // subscribe
@@ -75,7 +75,7 @@ if (forum_tp_is_tracked($forum) ) {
        $event->trigger();
        redirect($returnto, get_string("nowtracking", "forum", $info), 1);
    } else {
-        print_error('cannottrack', '', $_SERVER["HTTP_REFERER"]);
+        print_error('cannottrack', '', get_local_referer(false));
    }
 }


--- a/mod/forum/subscribe.php
+++ b/mod/forum/subscribe.php
@@ -176,23 +176,23 @@ if ($issubscribed) {
        if (\mod_forum\subscriptions::unsubscribe_user($user->id, $forum, $context, true)) {
            redirect($returnto, get_string("nownotsubscribed", "forum", $info), 1);
        } else {
-            print_error('cannotunsubscribe', 'forum', $_SERVER["HTTP_REFERER"]);
+            print_error('cannotunsubscribe', 'forum', get_local_referer(false));
        }
    } else {
        if (\mod_forum\subscriptions::unsubscribe_user_from_discussion($user->id, $discussion, $context)) {
            $info->discussion = $discussion->name;
            redirect($returnto, get_string("discussionnownotsubscribed", "forum", $info), 1);
        } else {
-            print_error('cannotunsubscribe', 'forum', $_SERVER["HTTP_REFERER"]);
+            print_error('cannotunsubscribe', 'forum', get_local_referer(false));
        }
    }

 } else {  // subscribe
    if (\mod_forum\subscriptions::subscription_disabled($forum) && !has_capability('mod/forum:managesubscriptions', $context)) {
-        print_error('disallowsubscribe', 'forum', $_SERVER["HTTP_REFERER"]);
+        print_error('disallowsubscribe', 'forum', get_local_referer(false));
    }
    if (!has_capability('mod/forum:viewdiscussion', $context)) {
-        print_error('noviewdiscussionspermission', 'forum', $_SERVER["HTTP_REFERER"]);
+        print_error('noviewdiscussionspermission', 'forum', get_local_referer(false));
    }
    if (is_null($sesskey)) {
        // We came here via link in email.

--- a/mod/quiz/renderer.php
+++ b/mod/quiz/renderer.php
@@ -850,7 +850,7 @@ class mod_quiz_renderer extends plugin_renderer_base {
        $output .= $this->view_information($quiz, $cm, $context, $messages);
        $guestno = html_writer::tag('p', get_string('guestsno', 'quiz'));
        $liketologin = html_writer::tag('p', get_string('liketologin'));
-        $referer = clean_param(get_referer(false), PARAM_LOCALURL);
+        $referer = get_local_referer(false);
        $output .= $this->confirm($guestno."\n\n".$liketologin."\n", get_login_url(), $referer);
        return $output;
    }

--- a/mod/resource/view.php
+++ b/mod/resource/view.php
@@ -89,7 +89,7 @@ if ($displaytype == RESOURCELIB_DISPLAY_OPEN || $displaytype == RESOURCELIB_DISP
    // For 'open' and 'download' links, we always redirect to the content - except
    // if the user just chose 'save and display' from the form then that would be
    // confusing
-    if (!isset($_SERVER['HTTP_REFERER']) || strpos($_SERVER['HTTP_REFERER'], 'modedit.php') === false) {
+    if (strpos(get_local_referer(false), 'modedit.php') === false) {
        $redirect = true;
    }
 }

--- a/mod/survey/save.php
+++ b/mod/survey/save.php
@@ -70,7 +70,7 @@
    echo $OUTPUT->heading($survey->name);

    if (survey_already_done($survey->id, $USER->id)) {
-        notice(get_string("alreadysubmitted", "survey"), clean_param($_SERVER["HTTP_REFERER"], PARAM_LOCALURL));
+        notice(get_string("alreadysubmitted", "survey"), get_local_referer(false));
        exit;
    }


--- a/mod/url/view.php
+++ b/mod/url/view.php
@@ -68,7 +68,7 @@ $displaytype = url_get_final_display_type($url);
 if ($displaytype == RESOURCELIB_DISPLAY_OPEN) {
    // For 'open' links, we always redirect to the content - except if the user
    // just chose 'save and display' from the form then that would be confusing
-    if (!isset($_SERVER['HTTP_REFERER']) || strpos($_SERVER['HTTP_REFERER'], 'modedit.php') === false) {
+    if (strpos(get_local_referer(false), 'modedit.php') === false) {
        $redirect = true;
    }
 }

--- a/mod/wiki/filesedit.php
+++ b/mod/wiki/filesedit.php
@@ -60,7 +60,7 @@ if (!wiki_user_can_view($subwiki, $wiki)) {
 require_capability('mod/wiki:managefiles', $context);

 if (empty($returnurl)) {
-    $referer = clean_param($_SERVER['HTTP_REFERER'], PARAM_LOCALURL);
+    $referer = get_local_referer(false);
    if (!empty($referer)) {
        $returnurl = $referer;
    } else {

--- a/user/view.php
+++ b/user/view.php
@@ -112,7 +112,7 @@ if ($currentuser) {
        // Need to have full access to a course to see the rest of own info.
        echo $OUTPUT->header();
        echo $OUTPUT->heading(get_string('notenrolled', '', $fullname));
-        $referer = clean_param($_SERVER['HTTP_REFERER'], PARAM_LOCALURL);
+        $referer = get_local_referer(false);
        if (!empty($referer)) {
            echo $OUTPUT->continue_button($referer);
        }
@@ -144,7 +144,7 @@ if ($currentuser) {
            $PAGE->navbar->add($struser);
            echo $OUTPUT->heading(get_string('notenrolledprofile'));
        }
-        $referer = clean_param($_SERVER['HTTP_REFERER'], PARAM_LOCALURL);
+        $referer = get_local_referer(false);
        if (!empty($referer)) {
            echo $OUTPUT->continue_button($referer);
        }