  1. #1
    Join Date
    Sep 2006
    Posts
    20
    Plugin Contributions
    0

    [Done v1.3.9a/e] whos_online.php $start_cart endless loop for php 5.2.5

    FOR
    www.---.com/catalog/admin/whos_online.php

    frequently, but not always will get something like

    Fatal error: Maximum execution time of 60 seconds exceeded in /--path--/admin/whos_online.php on line 416

    sometimes the line number is different, sometimes if load is light it will
    make it..
    fyi, the box for /catalog showing whos online does not seem affected.



    I saw two separate threads in general on this.

    I think it may be a php5 issue perhaps... looking at vmstat and top,
    the web server spirals away trying to do php on some platforms


    see also in general:
    http://www.zen-cart.com/forum/showthread.php?t=85765
    http://www.zen-cart.com/forum/showthread.php?p=503832



    In my case I was using an openbsd AMD64
    running
    php5-core-5.2.5p1
    mysql-server-5.0.51

    tried to use the default secure php.ini settings... for the most part.


    and I saw it with both a 1.3.7 and a 1.3.8a version of zencart.


    got some things you want me to try?

  2. #2
    Join Date
    Sep 2006
    Posts
    20
    Plugin Contributions
    0

    whos_online.php $start_cart endless loop for php 5.2.5

    per discussion:

    http://www.zen-cart.com/forum/showth...t=85765&page=2



    It appears that for some, they get a timeout because perhaps the
    loop, for ($i=$start_cart; $i<$length; $i++) may not be using an
    integer for $start_cart

    When I put
    settype($start_cart,"integer");

    before line 409
    I stop getting the fatal error message "Maximum execution time"

    this appears to be so for 1.3.7 and 1.3.8a



    Noticed this upon migration to a server with a new version of php, 5.2.5

  3. #3
    Join Date
    Sep 2006
    Posts
    20
    Plugin Contributions
    0

    Re: whos_online.php $start_cart endless loop for php 5.2.5

    We are pretty sure that this issue is arising when the session data is encrypted.

    The whos_online.php is trying to grab information directly from the session information without adequately testing what it may or may not have snooped.

    Before the 'for' statement there is no check to ensure that $start_cart is a valid number. strpos() will return something equal to false if the string isn't found. If the session information is fubar then it may be causing an infinite loop.

    As more and more providers use 'hardened' php, issues like this will arise. Even more so if Zen Cart is a bit naughty and tries to read customers' session data directly to show you their cart contents. With secure session handling it breaks.

    So if we put the settype integer,
    we can work around this, but the cart information is not used....?


    Recommend reading the thread:
    http://www.zen-cart.com/forum/showth...t=85765&page=2

  4. #4
    Join Date
    Feb 2005
    Location
    Italy
    Posts
    199
    Plugin Contributions
    0

    Re: whos_online.php $start_cart endless loop for php 5.2.5

    I confirm.

    Zen cart 1.3.8
    PHP 5.2.6
    Session encrypted (Suhosin v0.9.29)
    Dedicated server

    No time out but a very very long time to load the page.

    Setting the type to integer solved the performance issue.
    Last edited by s_p_ike; 12 Jan 2010 at 11:22 AM. Reason: Forgot one detail
    Paolo De Dionigi
    Co-maintainer of Zen Cart Italia

  5. #5
    Join Date
    Feb 2005
    Location
    Italy
    Posts
    199
    Plugin Contributions
    0

    Re: [Done v1.3.9] whos_online.php $start_cart endless loop for php 5.2.5

    ... but the cart details were no longer available.

    Now we moved to a new server, with a similar configuration (of course it must not be the same, but I don't know where to look for differences about this problem) and now the page is super fast and the cart details are available.
    Paolo De Dionigi
    Co-maintainer of Zen Cart Italia

  6. #6
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: whos_online.php $start_cart endless loop for php 5.2.5

    Quote, originally posted by ppruett:
        We are pretty sure that this issue is arising when the session data is encrypted.

        Before the 'for' statement there is no check to ensure that $start_cart is a valid number. strpos() will return something equal to false if the string isn't found. If the session information is fubar then it may be causing an infinite loop.

    True, and there are some other factors involved too.

    Try changing this:
    Code:
        if ($length = strlen($session_data)) {
          if (PHP_VERSION < 4) {
            $start_id = strpos($session_data, 'customer_id[==]s');
            $start_cart = strpos($session_data, 'cart[==]o');
            $start_currency = strpos($session_data, 'currency[==]s');
            $start_country = strpos($session_data, 'customer_country_id[==]s');
            $start_zone = strpos($session_data, 'customer_zone_id[==]s');
          } else {
            $start_id = strpos($session_data, 'customer_id|s');
            $start_cart = strpos($session_data, 'cart|O');
            $start_currency = strpos($session_data, 'currency|s');
            $start_country = strpos($session_data, 'customer_country_id|s');
            $start_zone = strpos($session_data, 'customer_zone_id|s');
          }
    
          for ($i=$start_cart; $i<$length; $i++) {
            if ($session_data[$i] == '{') {
              if (isset($tag)) {
                $tag++;
              } else {
                $tag = 1;
              }
            } elseif ($session_data[$i] == '}') {
              $tag--;
            } elseif ( (isset($tag)) && ($tag < 1) ) {
              break;
            }
          }
    
          $session_data_id = substr($session_data, $start_id, (strpos($session_data, ';', $start_id) - $start_id + 1));
    // fix nnobo bug
          $session_data_cart = substr($session_data, $start_cart, $i - $start_cart);
          $session_data_currency = substr($session_data, $start_currency, (strpos($session_data, ';', $start_currency) - $start_currency + 1));
          $session_data_country = substr($session_data, $start_country, (strpos($session_data, ';', $start_country) - $start_country + 1));
          $session_data_zone = substr($session_data, $start_zone, (strpos($session_data, ';', $start_zone) - $start_zone + 1));
    
          session_decode($session_data_id);
          session_decode($session_data_currency);
          session_decode($session_data_country);
          session_decode($session_data_zone);
          session_decode($session_data_cart);
    
          if (PHP_VERSION < 4) {
            $broken_cart = $cart;
            $cart = new shoppingCart;
            $cart->unserialize($broken_cart);
          }
    to this:
    Code:
        if (strpos($session_data, 'cart|O') == 0) $session_data = base64_decode($session_data);
        if (strpos($session_data, 'cart|O') == 0) $session_data = '';
    
        $suhosinExtension = extension_loaded('suhosin');
        // strtoupper() yields 'ON', so the comparison must use the uppercase form
        $suhosinSetting = strtoupper(@ini_get('suhosin.session.encrypt'));
        $hardenedStatus = ($suhosinExtension == TRUE || $suhosinSetting == 'ON' || $suhosinSetting == 1) ? TRUE : FALSE;
        if ($session_data != '' && $hardenedStatus == TRUE) $session_data = '';
    
        if ($length = strlen($session_data)) {
          $start_id = (int)strpos($session_data, 'customer_id|s');
          $start_currency = (int)strpos($session_data, 'currency|s');
          $start_country = (int)strpos($session_data, 'customer_country_id|s');
          $start_zone = (int)strpos($session_data, 'customer_zone_id|s');
          $start_cart = (int)strpos($session_data, 'cart|O');
          $end_cart = (int)strpos($session_data, '|', $start_cart+6);
          $end_cart = (int)strrpos(substr($session_data, 0, $end_cart), ';}');
    
          $session_data_id = substr($session_data, $start_id, (strpos($session_data, ';', $start_id) - $start_id + 1));
          $session_data_cart = substr($session_data, $start_cart, ($end_cart - $start_cart+2));
          $session_data_currency = substr($session_data, $start_currency, (strpos($session_data, ';', $start_currency) - $start_currency + 1));
          $session_data_country = substr($session_data, $start_country, (strpos($session_data, ';', $start_country) - $start_country + 1));
          $session_data_zone = substr($session_data, $start_zone, (strpos($session_data, ';', $start_zone) - $start_zone + 1));
    
          session_decode($session_data_id);
          session_decode($session_data_currency);
          session_decode($session_data_country);
          session_decode($session_data_zone);
          session_decode($session_data_cart);
    This will at least attempt to work without errors in the case of encoding or encryption, plus fixes the 'for' loop problem, and more.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
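
As an added example (not part of any post in this thread and not Zen Cart's own code), the PHP below shows why the unchecked strpos() result discussed above hangs the 'for' loop, and one way to guard the cart extraction against session data that is encrypted or encoded. The function name extract_cart_segment and the session strings are hypothetical and constructed for illustration.

```php
<?php
// Added example, not Zen Cart code; names and sample data are hypothetical.

/**
 * Return the serialized "cart|O...{...}" segment of a raw session string,
 * or null when the marker is absent (encrypted or encoded session data)
 * or the braces never balance (truncated data).
 */
function extract_cart_segment($session_data)
{
    $start = strpos($session_data, 'cart|O');
    // strpos() returns false when the marker is missing. In the thread's
    // loop that makes $i false: "$i < $length" is true, and $i++ leaves a
    // boolean unchanged, so the loop spins until max_execution_time.
    // Compare with ===, because offset 0 is valid and 0 == false.
    if ($start === false) {
        return null;
    }

    $length = strlen($session_data);
    $depth  = 0;
    for ($i = $start; $i < $length; $i++) {   // $i is always an integer here
        $ch = $session_data[$i];
        if ($ch === '{') {
            $depth++;
        } elseif ($ch === '}') {
            $depth--;
            if ($depth === 0) {
                // Closing brace of the cart object: return the whole segment.
                return substr($session_data, $start, $i - $start + 1);
            }
            if ($depth < 0) { return null; }  // stray '}' before any '{'
        }
    }
    return null; // ran off the end: unbalanced or truncated segment
}

// Constructed inputs: plaintext session, cart as first key, opaque blob.
$plain  = 'customer_id|s:1:"7";cart|O:12:"shoppingCart":1:{s:5:"total";i:0;}currency|s:3:"USD";';
$first  = 'cart|O:12:"shoppingCart":0:{}';
$opaque = base64_encode(str_repeat("\x8f\x02\xa1", 20)); // stands in for encrypted data

foreach (array($plain, $first, $opaque) as $sample) {
    var_dump(extract_cart_segment($sample));
}
```

Like the loop it replaces, this scan does not special-case braces that appear inside serialized string values.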

  7. #7
    Join Date
    Dec 2008
    Posts
    9
    Plugin Contributions
    0

    Re: whos_online.php $start_cart endless loop for php 5.2.5

    Dear all,

    I encountered a similar problem, Error 500, therefore added "settype($start_cart,"integer");" as suggested and it works, as in loading the who's online page without error.

    However, I encountered another problem as it shows all users having the same ip address and host which is my own ip & host. I am no longer able to view where the users are from :-(

    Another problem is the info in each cart is no longer showing.

    I've tried Dr. Byte's suggestion and still have a similar problem.

    Anyone facing the same problem? Please help!

    TIA

  8. #8
    Join Date
    Jun 2010
    Posts
    2
    Plugin Contributions
    0

    Re: [Done v1.3.9a] whos_online.php $start_cart endless loop for php 5.2.5

    Yeah snapworks, I have a similar problem like you. Could you resolve it? If yes, can you please tell me?
    Chris Bradly

  9. #9
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: [Done v1.3.9a] whos_online.php $start_cart endless loop for php 5.2.5

    Chris, upgrade to v1.3.9 and the $start_cart endless loop will disappear.

 

 
