[Done v155a and v155b] AdminRequestSanitizer Problem
Problem is occurring with ZC 1.5.4 and 1.5.5a (skipped 1.5.5).
The base Zen Cart is heavily modified; however, this problem is only showing up for one aspect: Reviews. Specifically, my version of .../admin/includes/backend/reviews.php (NB my admin directory is called backend).
The error log shows:
Code:
[30-May-2016 21:33:39 America/Detroit] Request URI: /backend/reviews.php?page=16&rID=498&action=preview, IP address: 47.55.233.182
#1 AdminRequestSanitizer->filterProductNameDeepRegex()
#2 call_user_func() called at [/home/amistad/public_html/backend/includes/classes/AdminRequestSanitizer.php:290]
#3 AdminRequestSanitizer->processBuiltIn() called at [/home/amistad/public_html/backend/includes/classes/AdminRequestSanitizer.php:201]
#4 AdminRequestSanitizer->runSpecificSanitizer() called at [/home/amistad/public_html/backend/includes/classes/AdminRequestSanitizer.php:180]
#5 AdminRequestSanitizer->runSanitizers() called at [/home/amistad/public_html/backend/includes/init_includes/init_sanitize.php:232]
#6 require(/home/amistad/public_html/backend/includes/init_includes/init_sanitize.php) called at [/home/amistad/public_html/includes/autoload_func.php:48]
#7 require(/home/amistad/public_html/includes/autoload_func.php) called at [/home/amistad/public_html/backend/includes/application_top.php:171]
#8 require_once(/home/amistad/public_html/backend/includes/application_top.php) called at [/home/amistad/public_html/backend/reviews.php:37]
[30-May-2016 21:33:39 America/Detroit] PHP Warning: Invalid argument supplied for foreach() in /home/amistad/public_html/backend/includes/classes/AdminRequestSanitizer.php on line 565
Server information (screen-shot) is attached. Oh, this is the test site (1.5.5a); the live site is on 1.5.4.
Despite this, the code does do what it is supposed to do. It supports creating reviews and editing reviews. An additional "status" (numeric) is supported and an additional column for reviews (review_type).
I am not sure how to determine which field is causing the problem. Suggestions as to how to track this down would be appreciated. Currently I'm going to continue with other testing (and perhaps turn off sanitizing while doing that testing, to avoid sifting through the logs for other problems).
JRG
Re: AdminRequestSanitizer Problem
Does your reviews.php, by chance, make use of an array of $_POST variables? What are the names of the $_POST variables that the plugin uses?
Re: AdminRequestSanitizer Problem
Hi all
This is in fact a problem with core code, and not really related to any plugins.
The reviews code passes a 'products_name' hidden field which in this context is a string.
However in general 'products_name' is expected to be an array (e.g. to account for language translations)
Hence the sanitizer complaining it's not an array.
Will push a fix up shortly
Re: AdminRequestSanitizer Problem
Quote: Originally Posted by kobra
I found your referenced thread after I had posted. The documentation link it has (http://docs.zen-cart.com/Developer_D...n_sanitization) is particularly helpful as it is the only real documentation I've been able to find on “admin sanitizing”.
Thanks for trying to help — appreciated. More in my reply to the next response.
Re: AdminRequestSanitizer Problem
Hello Wilt,
I discovered the Admin Sanitizer documentation http://docs.zen-cart.com/Developer_D...n_sanitization. That allowed me to turn on sanitizer debugging messages. I matched the date-time stamp of one of the error logs to one for a debug message.
You undoubtedly have found the real problem. I did notice, however, that in the debug message, the admin sanitizer has changed the value of the "type_name" variable (stripping out spaces and a slash — but leaving a dash). This can be seen in the posted sanitizer debug message.
This is only a problem because I display the type_name. I created additional product types as the subject site deals exclusively in downloadable products: e-books and software (which can be thought of as “interactive e-books”). I am going to resolve this problem by making sure the type_name is a single word (I'll manually change the database to accomplish this).
I am looking forward to a fix.
Oh, turning off "strict sanitizing" doesn’t stop the sanitize error messages, which I am sure you know.
A question, if I may: It seems to me, on reflection, that the Admin Sanitizer documentation implies I should set up data files in /admin/includes/extra_datafiles/ (for me, /backend/…) to define how the Admin Sanitizer should handle any additional GET or POST fields I have added to the Admin core. It doesn’t indicate how the file names should be formed. Could you tell me please? And whether they are necessary (i.e. advised for good security)?
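As an added illustration (not Zen Cart's own AdminRequestSanitizer code; the function names, the regexes, the rule map and the sample POST are all assumptions), the following PHP shows both points raised above: a "deep" name filter that assumes an array and therefore throws the foreach() warning when the reviews form hands it a plain 'products_name' string, next to a version that accepts either a scalar or a per-language array; and a token-only filter of the kind that strips the spaces and slash from a type_name while keeping the dash. It also reports which request fields a sanitizer actually changed, which is the before/after comparison the sanitizer debug messages provide.

```php
<?php
// Added example, not Zen Cart's code. Only the shape of the problem comes from
// the thread: a deep name sanitizer fed a string where it expects a per-language
// array, and a token filter that removes spaces and slashes from type_name.
declare(strict_types=1);

// Assumed rule: a product name may contain letters, digits, space and light
// punctuation; everything else (including < and >) is dropped.
const PRODUCT_NAME_REGEX = '/[^\p{L}\p{N} \-_.,()\']/u';

// Assumed rule for single-token fields: word characters and dashes only.
// This is what turns "Software / E-Book" into "SoftwareE-Book".
const TOKEN_REGEX = '/[^A-Za-z0-9_\-]/';

/**
 * Naive deep sanitizer: assumes $value is always an array keyed by language id.
 * Given a plain string, PHP emits "Invalid argument supplied for foreach()"
 * (PHP 8 wording differs) and the function returns an empty array, so the
 * submitted name is silently lost.
 */
function naiveDeepNameFilter($value): array
{
    $clean = [];
    foreach ($value as $langId => $name) {           // warning when $value is a string
        $clean[$langId] = preg_replace(PRODUCT_NAME_REGEX, '', (string) $name);
    }
    return $clean;
}

/**
 * Hardened deep sanitizer: applies the regex to every leaf of a scalar or a
 * (possibly nested) array and preserves the original shape and keys.
 */
function deepNameFilter($value)
{
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $key => $item) {
            $clean[$key] = deepNameFilter($item);
        }
        return $clean;
    }
    if (is_scalar($value)) {
        return preg_replace(PRODUCT_NAME_REGEX, '', (string) $value);
    }
    return '';                                         // null or object: drop it
}

function tokenFilter($value): string
{
    return preg_replace(TOKEN_REGEX, '', (string) $value);
}

/**
 * Apply a field => sanitizer map to a request array. Returns the cleaned
 * request plus, for every field the sanitizer altered, the raw and clean
 * values. Matching the changed field against the error log timestamp is how
 * you find which input a sanitizer is rewriting.
 */
function sanitizeAndReport(array $request, array $rules): array
{
    $changes = [];
    foreach ($rules as $field => $sanitizer) {
        if (!array_key_exists($field, $request)) {
            continue;
        }
        $cleaned = $sanitizer($request[$field]);
        if ($cleaned !== $request[$field]) {
            $changes[$field] = ['raw' => $request[$field], 'clean' => $cleaned];
        }
        $request[$field] = $cleaned;
    }
    return ['request' => $request, 'changes' => $changes];
}

// Constructed sample POST modelled on the reviews form described in the thread:
// products_name arrives as a string, type_name carries a space and a slash.
$post = [
    'rID'           => '498',
    'products_name' => 'Amistad <b>Reader</b>',
    'type_name'     => 'Software / E-Book',
    'status'        => '1',
];

$rules = [
    'products_name' => 'deepNameFilter',
    'type_name'     => 'tokenFilter',
    'status'        => fn($v) => (string) (int) $v,   // numeric-only field
];

$result = sanitizeAndReport($post, $rules);
foreach ($result['changes'] as $field => $diff) {
    printf("%s: %s => %s\n", $field, json_encode($diff['raw']), json_encode($diff['clean']));
}

// The hardened filter handles the per-language array the core expects as well:
print_r(deepNameFilter([1 => 'E-Book <script>', 2 => 'Livre électronique']));

// Reproduce the warning from the log by feeding the naive filter the string:
var_dump(naiveDeepNameFilter($post['products_name']));
```

The last call is there on purpose: it shows that the naive filter does not fail loudly, it just logs a warning and returns nothing, which is why the reviews page still "works" while the log fills up. The recursive version is the usual fix when one field name is sometimes a scalar and sometimes a keyed array; the token filter is left as-is because for a single-word field that stripping is the intended behaviour, and the thread's workaround (rename the product type to one word) matches it.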
Re: AdminRequestSanitizer Problem
It wasn’t necessary to manually change the database. Instead, in Admin, Catalog -> Product Types.
Wilt: Sorry, I didn’t realize I hadn't posted the sanitizer log. If you want it, I can reproduce it.
Re: AdminRequestSanitizer Problem
Quote: Originally Posted by wilt
Hi all
This is in fact a problem with core code, and not really related to any plugins.
The reviews code passes a 'products_name' hidden field which in this context is a string.
However in general 'products_name' is expected to be an array (e.g. to account for language translations)
Hence the sanitizer complaining it's not an array.
Will push a fix up shortly
Wilt's fix is the 3 files mentioned here: https://www.zen-cart.com/showthread....33#post1312333
Re: AdminRequestSanitizer Problem
Thank you for the link. I shall apply the fixes to both the live and test sites.
Re: AdminRequestSanitizer Problem
I need to enclose some text in HTML tags, in the Option Names Comments field, but when I put the tags in, it is not sanitizing and converts the < to &lt; and the > to &gt;. I have to then go into the database and change them back to < and > so that they do not render as &lt; and &gt; on-screen.
eg: <hr /> becomes &lt;hr /&gt;
How do I fix this?