  1. #1

    Admin Sanitize Blocking Custom Function

    Hi All,
    Running 1.5.5e on PHP7. I have a custom module that allows uploading a PDF from the admin, which also adds a database record. This is for product manuals and such. It's worked for years and years, but now in 1.5.5 I get a redirect to the admin home page. So I added a file in admin/includes/init_includes with

    define('DO_DEBUG_SANITIZATION', 'true');

    Here's what I get:
    Code:
    Jan-04-2018 07:07:37
    =================================
    
    Incoming GET Request Array
    (
        [pId] => 5926
        [action] => upload_the_file
    )
    
    
    Incoming POST Request Array
    (
    )
    
    
    Running Admin Sanitizers
    
    PROCESSING SIMPLE_ALPHANUM_PLUS(GET) == action
    
    PROCESSING SIMPLE_ALPHANUM_PLUS(GET) == pId
    
    Outgoing GET Request Array
    (
        [pId] => 5926
        [action] => upload_the_file
    )
    
    
    Outgoing POST Request Array
    (
    )
    
    
    Jan-04-2018 07:07:37
    =================================
    
    Incoming GET Request Array
    (
    )
    
    
    Incoming POST Request Array
    (
    )
    
    
    Running Admin Sanitizers
    
    Outgoing GET Request Array
    (
    )
    
    
    Outgoing POST Request Array
    (
    )
    To the admin/includes/init_includes/init_sanitize.php I've added 'pId' to the $group array for
    $sanitizer->addSimpleSanitization('SIMPLE_ALPHANUM_PLUS', $group);

    What am I missing here?

    Thank You,
    John

  2. #2
    There does not appear to be anything that is being sanitized from the sanitizer perspective. What is provided in is coming out... But, in the discussion, you allude to a few things which need to be explained or addressed before being able to provide the correct assistance.
    Worked for years and years: on what version of ZC, or what has changed to make it stop in the two years that a version of ZC 1.5.5 has been out?

    Technically, if one had also been keeping up with the ZC announcements, the sanitizer files should have already been applied to any 1.5.x site as part of one's continued maintenance and security operations. So, if there was a sanitizer rule necessary "before", it would remain the same now.

    Not seeing that any data is posted nor sufficient information applied to as a GET parameter related to whatever file is being uploaded. That is likely due to differences of underlying ZC software and the version for which this additional code was written.

    At this time based on the provided log file, the sanitizer class first applied to ZC 1.5.5 has nothing to do with the issue experienced.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  3. #3

    Hey MC,
    It worked on 1.3.9 and 1.5.1.

    Thank You, John

  4. #4

    Quote Originally Posted by bumba000 View Post
    Hey MC,
    It worked on 1.3.9 and 1.5.1.

    Thank You, John
    If you are willing to provide the code, I could figure out what it is doing that results in not doing the upload/update. It more than likely is a result of some other architectural change in ZC, but there really isn't enough information made available yet.

    Admin related modification that touches the database and apparently transfers a file (probably doesn't load the upload class correctly now that I think about it. In ZC 1.5.5 it got moved to the catalog side of operation and I thought there were some other changes made to it as well which could affect this mod.)

  5. #5

    I found the problem. I had not changed a couple of the mysql_query statements to $db->Execute...

    Sorry about that. Thank You!

    John
    Last edited by bumba000; 4 Jan 2018 at 09:41 PM.

  6. #6

    There was also an issue with the file size.

    Thanks again,
    John

  7. #7

    No problem... Though threw me for a loop that I had received the code in its entirety and then when coming back here find it wasn't present. :) Thought I had lost my mind. :)

    That was at least one of the areas that I was going to suggest adjusting (mysql_ to $db->) though there could have been some underlying reason to use that style of code which would just have to be modified/updated anyways.

    Glad to have helped even if a little.
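
Post #5 traces the failure to leftover mysql_query statements; the ext/mysql functions were removed in PHP 7.0, so any such call is a fatal error there. As an added example (not code from this thread or from Zen Cart), the stand-alone script below uses PHP's tokenizer to list those calls in a module's source; the sample source and its product_manuals table name are constructed for illustration.

```php
<?php
// Added example: list calls to the removed ext/mysql API (mysql_query etc.).
// Using the tokenizer means mentions in comments or strings are not reported.

function significant_neighbor(array $tokens, int $i, int $step)
{
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    for ($j = $i + $step; $j >= 0 && $j < count($tokens); $j += $step) {
        if (is_array($tokens[$j]) && in_array($tokens[$j][0], $skip, true)) {
            continue;
        }
        return $tokens[$j];
    }
    return null;
}

function find_legacy_mysql_calls(string $source): array
{
    $hits = [];
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $tok) {
        // Only bare identifiers starting with "mysql_" (mysqli_* does not match).
        if (!is_array($tok) || $tok[0] !== T_STRING || stripos($tok[1], 'mysql_') !== 0) {
            continue;
        }
        $prev = significant_neighbor($tokens, $i, -1);
        $next = significant_neighbor($tokens, $i, 1);
        // Ignore methods ($x->mysql_foo, X::mysql_foo) and function declarations.
        $notGlobalCall = is_array($prev)
            && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true);
        if ($next === '(' && !$notGlobalCall) {
            $hits[] = ['line' => $tok[2], 'function' => $tok[1]];
        }
    }
    return $hits;
}

// Constructed sample module source; table and column names are hypothetical.
$sample = <<<'SRC'
<?php
// old: mysql_query() was used throughout this module
$pId = (int)$_GET['pId'];
$res = mysql_query("SELECT manual_file FROM product_manuals WHERE products_id = " . $pId);
$row = mysql_fetch_assoc($res);
$check = $db->Execute("SELECT COUNT(*) AS total FROM product_manuals");
SRC;

foreach (find_legacy_mysql_calls($sample) as $hit) {
    printf("line %d: %s() is not available on PHP 7\n", $hit['line'], $hit['function']);
}
```

To check a real module, pass the result of file_get_contents() for each of its PHP files to find_legacy_mysql_calls() instead of the sample string.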

Zen-Cart, Internet Selling Services, Klamath Falls, OR