Page 1 of 2 12 LastLast
Results 1 to 10 of 16
  1. #1
    Join Date
    May 2016
    Location
    St. John's NL Canada
    Posts
    28
    Plugin Contributions
    0

    Default [Done v155a and v155b] AdminRequestSanitizer Problem

    Problem is occurring with ZC 1.5.4 and 1.5.5a (skipped 1.5.5).
    The base Zen Cart is heavily modified; however, this problem is only showing up for one aspect: Reviews. Specifically, my version of .../admin/includes/backend/reviews.php (NB my admin directory is called backend).

    The error log shows:
    Code:
    [30-May-2016 21:33:39 America/Detroit] Request URI: /backend/reviews.php?page=16&rID=498&action=preview, IP address: 47.55.233.182
    #1  AdminRequestSanitizer->filterProductNameDeepRegex()
    #2  call_user_func() called at [/home/amistad/public_html/backend/includes/classes/AdminRequestSanitizer.php:290]
    #3  AdminRequestSanitizer->processBuiltIn() called at [/home/amistad/public_html/backend/includes/classes/AdminRequestSanitizer.php:201]
    #4  AdminRequestSanitizer->runSpecificSanitizer() called at [/home/amistad/public_html/backend/includes/classes/AdminRequestSanitizer.php:180]
    #5  AdminRequestSanitizer->runSanitizers() called at [/home/amistad/public_html/backend/includes/init_includes/init_sanitize.php:232]
    #6  require(/home/amistad/public_html/backend/includes/init_includes/init_sanitize.php) called at [/home/amistad/public_html/includes/autoload_func.php:48]
    #7  require(/home/amistad/public_html/includes/autoload_func.php) called at [/home/amistad/public_html/backend/includes/application_top.php:171]
    #8  require_once(/home/amistad/public_html/backend/includes/application_top.php) called at [/home/amistad/public_html/backend/reviews.php:37]
    
    [30-May-2016 21:33:39 America/Detroit] PHP Warning:  Invalid argument supplied for foreach() in /home/amistad/public_html/backend/includes/classes/AdminRequestSanitizer.php on line 565
    Server information (screen-shot) is attached. Oh, this is the test site (1.5.5a) the live site is on 1.5.4.

    Despite this, the code does do what it is supposed to do. It supports creating reviews and editing reviews. An additional "status" (numeric) is supported and an additional column for reviews (review_type).

    I am not sure how to determine which field is causing the problem. Suggestions as to how to track this down would be appreciated. Currently I'm going to continue with other testing (and perhaps turn of sanitizing while doing that testing, to avoid sifting through the logs for other problems).

    JRG
    Attached Images Attached Images  
    Last edited by JRGoold; 31 May 2016 at 03:23 AM. Reason: typo.

  2. #2
    Join Date
    Aug 2005
    Location
    Arizona
    Posts
    27,828
    Plugin Contributions
    9

    Default Re: AdminRequestSanitizer Problem

    Zen-Venom Get Bitten

  3. #3
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    8,949
    Plugin Contributions
    71

    Default Re: AdminRequestSanitizer Problem

    Does your reviews.php, by chance, make use of an array of $_POST variables? What are the names of the $_POST variables that the plugin uses?

  4. #4
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,879
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: AdminRequestSanitizer Problem

    Hi all

    This is in fact a problem with core code, and not really related to any plugins.

    The reviews code passes a 'products_name' hidden field which in this context is a string.
    However in general 'products_name' is expected to be an array (e.g. to account for language translations)
    Hence the sanitizer complaining it's not an array.

    Will push a fix up shortly

  5. #5
    Join Date
    May 2016
    Location
    St. John's NL Canada
    Posts
    28
    Plugin Contributions
    0

    Default Re: AdminRequestSanitizer Problem

    Quote Originally Posted by kobra View Post
    I found your referenced thread after I had posted. The documentation link it has (http://docs.zen-cart.com/Developer_D...n_sanitization) is particularly helpful as it is the only real documentation I've been able to find on “admin sanitizing”.

    Thanks for trying to help — appreciated. More in my reply to the next response.

  6. #6
    Join Date
    May 2016
    Location
    St. John's NL Canada
    Posts
    28
    Plugin Contributions
    0

    Default Re: AdminRequestSanitizer Problem

    Hello Wilt,

    I discovered the Admin Sanitizer documentation http://docs.zen-cart.com/Developer_D...n_sanitization. That allowed me to turn on sanitizer debugging messages. I matched the date-time stamp of one of the error logs to one for a debug message.

    You undoubtedly have found the real problem. I did notice, however, that in the debug message, the admin sanitizer has changed the value of the "type_name" variable (stripping out spaces and a slash — but leaving a dash). This can be seen in the posted sanitizer debug message.

    This is only a problem because I display the type_name. I created additional product types as the subject site deals exclusively in downloadable products: e-books and software (which can be thought of as “interactive e-books”). I am going to resolve this problem by making sure the type_name is a single word (I'll manually change the database to accomplish this).

    I am looking forward to a fix.

    Oh, turning off "strict sanitizing" doesn’t stop the sanitize error messages, which I am sure you know.

    A question, if I may: It seems to me, on reflection, that the Admin Sanitizer documentation implies I should set up data files in /admin/includes/extra_datafiles/ (for me, /backend/…) to define how the Admin Sanitizer should handle any additional GET or POST fields I have added to the Admin core. It doesn’t indicate how the file names should be formed. Could you tell me please? And whether they are necessary (i.e. advised for good security)?

  7. #7
    Join Date
    May 2016
    Location
    St. John's NL Canada
    Posts
    28
    Plugin Contributions
    0

    Default Re: AdminRequestSanitizer Problem

    It wasn’t necessary to manual change the database. Instead, in Admin, Catalog—>Product Types

    Wilt: Sorry, I didn’t realize I hadn't posted the sanitizer log. If you want it, I can reproduce it.
    Last edited by JRGoold; 31 May 2016 at 05:44 PM. Reason: Forgot Sanitizer log.

  8. #8
    Join Date
    Jan 2004
    Posts
    65,286
    Blog Entries
    7
    Plugin Contributions
    227

    Default Re: AdminRequestSanitizer Problem

    Quote Originally Posted by wilt View Post
    Hi all

    This is in fact a problem with core code, and not really related to any plugins.

    The reviews code passes a 'products_name' hidden field which in this context is a string.
    However in general 'products_name' is expected to be an array (e.g. to account for language translations)
    Hence the sanitizer complaining it's not an array.

    Will push a fix up shortly
    Wilt's fix is the 3 files mentioned here: https://www.zen-cart.com/showthread....33#post1312333
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  9. #9
    Join Date
    May 2016
    Location
    St. John's NL Canada
    Posts
    28
    Plugin Contributions
    0

    Default Re: AdminRequestSanitizer Problem

    Thank you for the link. I shall apply the fixes to both the live and test sites.

  10. #10
    Join Date
    Jun 2005
    Location
    Hertfordshire, UK
    Posts
    10,286
    Plugin Contributions
    3

    Default Re: AdminRequestSanitizer Problem

    I need to enclose some text in html tags, in the Option Names Comments field, but when I put the tags in, it is not sanitizing and converts the < to &lt; , and the > to &gt; . I have to then go into the database and change them back to < and > so that they do not render as &lt; and &gt; in-screen.

    eg: <hr /> becomes &lt;hr /&gt;

    How do I fix this?
    Last edited by schoolboy; 11 Dec 2016 at 12:57 AM.
    We host with Terranetwork.

 

 
Page 1 of 2 12 LastLast

Similar Threads

  1. [Done v155b] MasterCard 2-series BIN
    By jackie.taferner in forum Bug Reports
    Replies: 10
    Last Post: 9 Apr 2017, 09:34 PM
  2. v155 [Done v155b] Fax number on tpl_account_edit_default.php
    By istilah in forum Bug Reports
    Replies: 1
    Last Post: 12 Oct 2016, 01:36 AM
  3. Replies: 1
    Last Post: 12 Oct 2016, 01:22 AM
  4. v155 [Done v155b] admin css selector language-dependent
    By torvista in forum Bug Reports
    Replies: 1
    Last Post: 12 Oct 2016, 01:19 AM
  5. v155 [Done v155b] AJAX: Session-variable changes not saved
    By lat9 in forum Bug Reports
    Replies: 5
    Last Post: 18 Aug 2016, 12:20 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg
Zen-Cart, Internet Selling Services, Klamath Falls, OR