Page 7 of 8 FirstFirst ... 5678 LastLast
Results 61 to 70 of 77
  1. #61
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    8,843
    Plugin Contributions
    69

    Default Re: AdminRequestSanitizer Error Log

    @wilt, I just found the following warning in my /logs folder; it's issued when the edit_orders script is initially entered (i.e. no $_POST parameters).
    Code:
    PHP Warning:  Invalid argument supplied for foreach() in C:\xampp\htdocs\testsite\testadmin\includes\classes\AdminRequestSanitizer.php on line 511
    Here's the current code, with line 511 highlighted:
    Code:
        private function filterMultiDimensional($parameterName, $parameterDefinition)
        {
            $requestPost = $_POST;
            foreach ($requestPost[$parameterName] as $key => $value) {
                $hacked = $requestPost[$parameterName][$key];
                if (isset($parameterDefinition['params'][$parameterName])) {
                    unset($requestPost[$parameterName][$key]);
                    unset($_POST);
                    $_POST[$parameterName] = $key;
                    $type = $parameterDefinition['params'][$parameterName]['sanitizerType'];
                    $params = isset($parameterDefinition['params'][$parameterName]['params']) ? $parameterDefinition['params'][$parameterName]['params'] : null;
                    $newParameterDefinition = array('sanitizerType' => $type, 'params' => $params);
                    $this->runSpecificSanitizer($parameterName, $newParameterDefinition);
                    $newKey = $_POST[$parameterName];
                    $requestPost[$parameterName][$newKey] = $hacked;
                }
                foreach ($hacked as $pkey => $pvalue) {
                    if (isset($parameterDefinition['params'][$pkey])) {
                        unset($requestPost[$parameterName][$newKey][$pkey]);
                        unset($_POST);
                        $_POST[$pkey] = $pvalue;
                        $type = $parameterDefinition['params'][$pkey]['sanitizerType'];
                        $params = isset($parameterDefinition['params'][$pkey]['params']) ? $parameterDefinition['params'][$pkey]['params'] : null;
                        $newParameterDefinition = array('sanitizerType' => $type, 'params' => $params);
                        $this->runSpecificSanitizer($pkey, $newParameterDefinition);
                        $requestPost[$parameterName][$newKey][$pkey] = $_POST[$pkey];
                    }
                }
    
            }
            $_POST = $requestPost;
        }
    It looks like you'd want to change that to
    Code:
        private function filterMultiDimensional($parameterName, $parameterDefinition)
        {
            $requestPost = $_POST;
            if (isset ($requestPost[$parameterName])) {
                foreach ($requestPost[$parameterName] as $key => $value) {
                    $hacked = $requestPost[$parameterName][$key];
                    if (isset($parameterDefinition['params'][$parameterName])) {
                        unset($requestPost[$parameterName][$key]);
                        unset($_POST);
                        $_POST[$parameterName] = $key;
                        $type = $parameterDefinition['params'][$parameterName]['sanitizerType'];
                        $params = isset($parameterDefinition['params'][$parameterName]['params']) ? $parameterDefinition['params'][$parameterName]['params'] : null;
                        $newParameterDefinition = array('sanitizerType' => $type, 'params' => $params);
                        $this->runSpecificSanitizer($parameterName, $newParameterDefinition);
                        $newKey = $_POST[$parameterName];
                        $requestPost[$parameterName][$newKey] = $hacked;
                    }
                    foreach ($hacked as $pkey => $pvalue) {
                        if (isset($parameterDefinition['params'][$pkey])) {
                            unset($requestPost[$parameterName][$newKey][$pkey]);
                            unset($_POST);
                            $_POST[$pkey] = $pvalue;
                            $type = $parameterDefinition['params'][$pkey]['sanitizerType'];
                            $params = isset($parameterDefinition['params'][$pkey]['params']) ? $parameterDefinition['params'][$pkey]['params'] : null;
                            $newParameterDefinition = array('sanitizerType' => $type, 'params' => $params);
                            $this->runSpecificSanitizer($pkey, $newParameterDefinition);
                            $requestPost[$parameterName][$newKey][$pkey] = $_POST[$pkey];
                        }
                    }
    
                }
            }
            $_POST = $requestPost;
        }

  2. #62
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,879
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: AdminRequestSanitizer Error Log

    @wilt, I just found the following warning in my /logs folder; it's issued when the edit_orders script is initially entered (i.e. no $_POST parameters).
    Fix pushed here
    https://github.com/zencart/zencart/p...16edf14a41984d

  3. #63
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    8,843
    Plugin Contributions
    69

    Default Re: AdminRequestSanitizer Error Log

    It turns out that the add-product handling from Edit Orders has some challenges fitting into the mold provided by the sanitizer, when attributes are involved.

    If you look, for instance, at the demo product (Big Linked/Bug's Life ...) cPath=22&products_id=34. That product has multiple attributes, including one (the Gift Options checkboxes) that presents itself as an array. Here's a dump of the $_POST information coming back from an add of that product (pre-sanitization):
    Code:
    Array
    (
        [securityToken] => 608c5b6efd7f704accd12713fa833510
        [id] => Array
            (
                [1] => Array
                    (
                        [value] => 85
                        [type] => 2
                    )
    
                [2] => Array
                    (
                        [value] => 42
                        [type] => 0
                    )
    
                [5] => Array
                    (
                        [value] => 48
                        [type] => 0
                    )
    
                [6] => Array
                    (
                        [value] => 45
                        [type] => 0
                    )
    
                [13] => Array
                    (
                        [value] => Array
                            (
                                [63] => 63
                            )
    
                        [type] => 3
                    )
    
                [10] => Array
                    (
                        [value] => Here's a line of "text"
                        [type] => 1
                    )
    
                [9] => Array
                    (
                        [value] => 
                        [type] => 1
                    )
    
                [11] => Array
                    (
                        [value] => 
                        [type] => 1
                    )
    
            )
    
        [add_product_categories_id] => 22
        [add_product_products_id] => 34
        [search] => 
        [step] => 4
    )
    So, the 'value' field of that attributes' list can be either a number, a collection of characters or an array! I'm not sure how to encode that currently; any guidance would be appreciated.

  4. #64
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    8,843
    Plugin Contributions
    69

    Default Re: AdminRequestSanitizer Error Log

    I believe I've found the way to "describe" those inputs to the sanitizer, adding the following to the Edit Orders sanitizer:
    Code:
            'id' => array (
                'sanitizerType' => 'MULTI_DIMENSIONAL',
                'method' => 'post',
                'pages' => array ('edit_orders'),
                'params' => array (
                    'id' => array ('sanitizerType' => 'CONVERT_INT'),
                    'type' => array ('sanitizerType' => 'CONVERT_INT'),
                    'value' => array ('sanitizerType' => 'PRODUCT_DESC_REGEX'),
                ),
                
            )
    @wilt or @DrByte, would you review/comment as to whether the PRODUCT_DESC_REGEX is appropriate for this structure?

  5. #65
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,879
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: AdminRequestSanitizer Error Log

    Hi,

    grrrr.

    I guess as a quick fix you could assign a NULL_ACTION to the value parameter as part of a MULTI_DIMENSIONAL sanitizer.

    Fortunately you caught me at a point where I was preparing a PR for the sanitizer due to a different regression error.

    It would be nice to have a generic sanitizer for this case, and I may work on that, but for now I will probably just look at doing an ATTRIBUTES_VALUE sanitizer.

    Watch this space :)



    Quote Originally Posted by lat9 View Post
    It turns out that the add-product handling from Edit Orders has some challenges fitting into the mold provided by the sanitizer, when attributes are involved.

    If you look, for instance, at the demo product (Big Linked/Bug's Life ...) cPath=22&products_id=34. That product has multiple attributes, including one (the Gift Options checkboxes) that presents itself as an array. Here's a dump of the $_POST information coming back from an add of that product (pre-sanitization):
    Code:
    Array
    (
        [securityToken] => 608c5b6efd7f704accd12713fa833510
        [id] => Array
            (
                [1] => Array
                    (
                        [value] => 85
                        [type] => 2
                    )
    
                [2] => Array
                    (
                        [value] => 42
                        [type] => 0
                    )
    
                [5] => Array
                    (
                        [value] => 48
                        [type] => 0
                    )
    
                [6] => Array
                    (
                        [value] => 45
                        [type] => 0
                    )
    
                [13] => Array
                    (
                        [value] => Array
                            (
                                [63] => 63
                            )
    
                        [type] => 3
                    )
    
                [10] => Array
                    (
                        [value] => Here's a line of "text"
                        [type] => 1
                    )
    
                [9] => Array
                    (
                        [value] => 
                        [type] => 1
                    )
    
                [11] => Array
                    (
                        [value] => 
                        [type] => 1
                    )
    
            )
    
        [add_product_categories_id] => 22
        [add_product_products_id] => 34
        [search] => 
        [step] => 4
    )
    So, the 'value' field of that attributes' list can be either a number, a collection of characters or an array! I'm not sure how to encode that currently; any guidance would be appreciated.

  6. #66
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,879
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: AdminRequestSanitizer Error Log

    Hi

    That does in fact seem like a cool solution, although DrByte and I were talking and think PRODUCT_NAME_DEEP_REGEX is better than PRODUCT_DESC_REGEX as it is less permissive.

    Quote Originally Posted by lat9 View Post
    I believe I've found the way to "describe" those inputs to the sanitizer, adding the following to the Edit Orders sanitizer:
    Code:
            'id' => array (
                'sanitizerType' => 'MULTI_DIMENSIONAL',
                'method' => 'post',
                'pages' => array ('edit_orders'),
                'params' => array (
                    'id' => array ('sanitizerType' => 'CONVERT_INT'),
                    'type' => array ('sanitizerType' => 'CONVERT_INT'),
                    'value' => array ('sanitizerType' => 'PRODUCT_DESC_REGEX'),
                ),
                
            )
    @wilt or @DrByte, would you review/comment as to whether the PRODUCT_DESC_REGEX is appropriate for this structure?

  7. #67
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,879
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: AdminRequestSanitizer Error Log

    HI

    On the other hand we need to consider what the TEXT attribute was meant for.

    Assume you have a T-Shirt shop where the customer can define the text that appears on the T-Shirt

    Using PRODUCT_NAME_DEEP_REGEX means the while the customer could order a t-shirt with
    <script>Some Message</script>
    using
    PRODUCT_NAME_DEEP_REGEX as a sanitizer , would mean edit_orders would reject that,

    So maybe PRODUCT_DESC_REGEX is a better option
    Quote Originally Posted by wilt View Post
    Hi

    That does in fact seem like a cool solution, although Chris and I think PRODUCT_NAME_DEEP_REGEX is better than PRODUCT_DESC_REGEX as it is less permissive.

  8. #68
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    8,843
    Plugin Contributions
    69

    Default Re: AdminRequestSanitizer Error Log

    As I posted in the EO forum, that construct I posted worked with pre-ZC1.5.5a postings of the AdminSanitizer class, but fails with the ZC1.5.5a version.

  9. #69
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    8,843
    Plugin Contributions
    69

    Default Re: AdminRequestSanitizer Error Log

    I finally got the AdminRequestSanitizer to spit out some debug (shouldn't it have been as simple as calling the setDebug function with an argument of true?). It looks like part of the issue is that EO uses the variable named "id" (just like the storefront) to hold those added-products' attributes and the built-in 'id' definition is taking precedence:
    Code:
    May-13-2016 11:51:00
    =================================
    
    Incoming GET Request Array
    (
        [page] => 1
        [oID] => 8421
        [action] => add_prdct
    )
    
    
    Incoming POST Request Array
    (
        [securityToken] => cb8ec48cbfe04dbde8aeb3dd0a4f7b34
        [id] => Array
            (
                [35] => Array
                    (
                        [value] => 2271
                        [type] => 0
                    )
    
                [48] => Array
                    (
                        [value] => 3244
                        [type] => 0
                    )
    
                [43] => Array
                    (
                        [value] => 2406
                        [type] => 0
                    )
    
                [20] => Array
                    (
                        [value] => 2259
                        [type] => 0
                    )
    
                [44] => Array
                    (
                        [value] => 
                        [type] => 1
                    )
    
            )
    
        [add_product_categories_id] => 110
        [add_product_products_id] => 287
        [search] => 
        [step] => 4
    )
    
    
    Running Admin Sanitizers
    
    PROCESSING SIMPLE_ALPHANUM_PLUS(GET) == action
    
    PROCESSING SIMPLE_ALPHANUM_PLUS(POST) == id
    
    PROCESSING SIMPLE_ALPHANUM_PLUS(GET) == oID
    
    PROCESSING SIMPLE_ALPHANUM_PLUS(GET) == page
    
    PROCESSING STRICT_SANITIZE_VALUES == securityToken
    
    PROCESSING STRICT_SANITIZE_VALUES == add_product_categories_id
    
    PROCESSING STRICT_SANITIZE_VALUES == add_product_products_id
    
    PROCESSING STRICT_SANITIZE_VALUES == search
    
    PROCESSING STRICT_SANITIZE_VALUES == step
    
    Outgoing GET Request Array
    (
        [page] => 1
        [oID] => 8421
        [action] => add_prdct
    )
    
    
    Outgoing POST Request Array
    (
        [securityToken] => cb8ec48cbfe04dbde8aeb3dd0a4f7b34
        [id] => Array
            (
                [35] => Array
                [48] => Array
                [43] => Array
                [20] => Array
                [44] => Array
            )
    
        [add_product_categories_id] => 110
        [add_product_products_id] => 287
        [search] => 
        [step] => 4
    )
    Note: I don't think it's a possibility to change that 'id' variable's name; there might be other non-EO code that's making use of that variable and I don't want to create a real train-wreck.
    Last edited by lat9; 13 May 2016 at 04:58 PM. Reason: Added note

  10. #70
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    8,843
    Plugin Contributions
    69

    Default Re: AdminRequestSanitizer Error Log

    FWIW, editing /admin/includes/init_includes/init_sanitize.php and commenting out the "built-in" processing for the id parameter (lines 81 and 172) and using the construct that I posted above appears to produce the desired results.

    Not knowing why the id parameter was added to the built-in list (twice, so it must be very important), I consider that change a work-around rather than a proper correction.

 

 
Page 7 of 8 FirstFirst ... 5678 LastLast

Similar Threads

  1. v155 [Done v155a and v155b] AdminRequestSanitizer Problem
    By JRGoold in forum Bug Reports
    Replies: 15
    Last Post: 12 Dec 2016, 01:16 PM
  2. v151 Filename cannot be empty error in error log
    By woodlandsprite in forum General Questions
    Replies: 2
    Last Post: 29 Nov 2012, 06:03 AM
  3. Site down, getting error in debug error log
    By rcrosier in forum General Questions
    Replies: 3
    Last Post: 25 Mar 2009, 03:01 PM
  4. Replies: 6
    Last Post: 7 Dec 2007, 03:42 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg
Zen-Cart, Internet Selling Services, Klamath Falls, OR