[Done v1.5.5f] zen_post_all_get_params throws warnings on $_GET array variables

[lat9]

Doing a regular "log inspection" on a client's site and came across a bunch of logs complaining that:

Code:

PHP Warning:  trim() expects parameter 1 to be string, array given in xxxx\includes\functions\functions_general.php

I've modeled the issue in a local test site, with the following log as confirmation:

Code:

[10-Aug-2017 12:09:20 America/New_York] Request URI: /xxx/index.php?selskin=..%2Finc%2Fboxleft.inc%00&xposbox[L][]=%2Fetc%2Fpasswd%00, IP address: ::1
#1  trim() called at [C:\xampp\htdocs\xxx\includes\functions\functions_general.php:62]
#2  zen_parse_input_field_data() called at [C:\xampp\htdocs\xxx\includes\functions\functions_general.php:76]
#3  zen_output_string() called at [C:\xampp\htdocs\xxx\includes\functions\html_output.php:469]
#4  zen_draw_hidden_field() called at [C:\xampp\htdocs\xxx\includes\functions\functions_general.php:193]
#5  zen_post_all_get_params() called at [C:\xampp\htdocs\xxx\includes\modules\sideboxes\currencies.php:29]
#6  require(C:\xampp\htdocs\xxx\includes\modules\sideboxes\currencies.php) called at [C:\xampp\htdocs\xxx\includes\modules\column_right.php:32]
#7  require(C:\xampp\htdocs\xxx\includes\modules\column_right.php) called at [C:\xampp\htdocs\xxx\includes\templates\my_template\common\tpl_main_page.php:184]
#8  require(C:\xampp\htdocs\xxx\includes\templates\my_template\common\tpl_main_page.php) called at [C:\xampp\htdocs\xxx\index.php:97]

[10-Aug-2017 12:09:20 America/New_York] PHP Warning:  trim() expects parameter 1 to be string, array given in C:\xampp\htdocs\xxx\includes\functions\functions_general.php on line 62

The issue appears to start with zen_post_all_get_params not recognizing $_GET variables that are arrays (the zen_get_all_get_params does have such recognition).

[DrByte]

[10-Aug-2017 12:09:20 America/New_York] Request URI: /xxx/index.php?selskin=..%2Finc%2Fboxleft.inc%00&xposbox[L][]=%2Fetc%2Fpasswd%00, IP address: ::1

I'm a bit worried that you're modeling it by doing hack attempts...

[lat9]

I'm a bit worried that you're modeling it by doing hack attempts...

Well, it was the result of a SecurityMetrics scan that caused the issues.

[DrByte]

Fair. Good to know that it's not occurring in "real world" normal operations.

[DrByte]

I think the fix is as simple as adding these couple lines: Ignore sub-arrays in zen_get/post_all_get_params

[lat9]

I was going to suggest something along those lines; there shouldn't be any $_GET array-variables anymore ... should there?

[carlwhat]

I think the fix is as simple as adding these couple lines: Ignore sub-arrays in zen_get/post_all_get_params

i think this is an EXCELLENT idea....

[lat9]

I was going to suggest something along those lines; there shouldn't be any $_GET array-variables anymore ... should there?

After further thought, if there shouldn't be any $_GET array-variables ... shouldn't those all be "sanitized" out by /includes/init_sanitize.php? That way, all other processing will also benefit from the removal.