Basic Information
When bots attempt to spoof the referrer field, this can trigger "Unable to verify referring URL" errors.
Normally, SMF smartly avoids logging all of these; otherwise, you'd be at the mercy of the bots. And they're merciless.
It looks like SMF attempts to only log these errors upon receipt of valid requests where invalid referrers are detected, and it doesn't log when there are invalid requests. But... The problem is that bots can still flood the logs with valid-looking requests.
Related: #9112
Note that #9112 requests we should disable the view likes link for guests, which is good. This particular issue is subtly different - maybe we shouldn't allow the log to be flooded with errors - even when bots attempt valid links. Two aspects of the same issue - get rid of the tempting link, & get rid of these errors in the log.
Which begs the question - do we need "Unable to verify referring URL" errors logged at all - ever??? Why??? My current thinking is to stop logging them altogether.
If you give a bot the ability to generate errors at will, they will do so, and that will eat up your resources.
I have learned a few lessons testing #9126 that I will log separately. Pretty sure these affect both 2.1 & 3.0.
Steps to reproduce
Expected result
No response
Actual result
No response
Version/Git revision
2.1 & 3.0 Alpha 4
Database Engine
All
Database Version
No response
PHP Version
8.4
Logs
Additional Information
No response
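An alternative to dropping the error entirely, as an added example that is not SMF code and not from the issue author: a per-error-type log budget that writes the first few entries in a time window and replaces the rest with one summary line. The class and method names are hypothetical, and the in-memory array stands in for a shared store (cache or database), which a real PHP deployment would need because state does not persist across requests.

```php
<?php
declare(strict_types=1);

// Added illustration, not SMF code. Class and method names are hypothetical.
final class ThrottledErrorLog
{
    /** @var array<string, array{start:int, seen:int}> per-key window state */
    private array $windows = [];
    /** @var string[] lines that actually reach the log */
    public array $written = [];

    public function __construct(
        private int $maxPerWindow = 5,
        private int $windowSeconds = 60
    ) {}

    public function log(string $key, string $message, int $now): bool
    {
        $w = $this->windows[$key] ?? ['start' => $now, 'seen' => 0];

        // Window expired: summarise what was dropped, then start a new window.
        if ($now - $w['start'] >= $this->windowSeconds) {
            $dropped = $w['seen'] - $this->maxPerWindow;
            if ($dropped > 0) {
                $this->written[] = "[$key] suppressed $dropped similar errors";
            }
            $w = ['start' => $now, 'seen' => 0];
        }

        $w['seen']++;
        $this->windows[$key] = $w;

        if ($w['seen'] > $this->maxPerWindow) {
            return false; // over budget: count it, do not write it
        }
        $this->written[] = "[$key] $message";
        return true;
    }
}

// Constructed burst: 1000 failed referrer checks within 50 seconds,
// then one more after the 60-second window has expired.
$log = new ThrottledErrorLog(5, 60);
for ($i = 0; $i < 1000; $i++) {
    $log->log('referrer_check', 'Unable to verify referring URL', 1000 + intdiv($i, 20));
}
$log->log('referrer_check', 'Unable to verify referring URL', 1070);
echo implode(PHP_EOL, $log->written), PHP_EOL;
```

The log cost per window is bounded by the budget regardless of request volume, while the suppressed count still shows an administrator that a flood occurred.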