Page 1 of 2
Results 1 to 10 of 18
  1. #1
    Join Date
    Oct 2008
    Location
    Croatia
    Posts
    1,204
    Plugin Contributions
    12

    Default $this_is_home_page fails with custom parameters

    This was just posted in the ZX Slideshow thread, but it seems to be a general bug.

    If you use a URL like
    Code:
    domain.com/index.php?product_info=107
    this will load the product_listing page based on product_id=107 master category. However, canonical URL will show only domain.com

    The following screenshot is from a vanilla 1.5.6c with demo products loaded.

    [Screenshots: 2020-05-02_012742.jpg, 2020-05-02_012639.jpg]
    Zen Cart Point of Sale? Sure: ZX POS - v2 released
    My site - Pro ZC Help | My portfolio | My plugins

  2. #2
    Join Date
    Jan 2004
    Posts
    65,400
    Blog Entries
    7
    Plugin Contributions
    232

    Default Re: $this_is_home_page fails with custom parameters

    But ... the "index.php?product_info=107" is not a valid URL in Zen Cart

    And, unless the "main_page=product_info" is included in the URL, a default install of Zen Cart does NOT show the product listing when "?product_info=107" is specified, because "product_info=" is not a recognized parameter.

    Further, the product-listing page in a default install of Zen Cart requires not only "main_page=product_info", but also "&products_id=107".


    I think the bug in this case is whatever is generating the invalid URLs.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Oct 2008
    Location
    Croatia
    Posts
    1,204
    Plugin Contributions
    12

    Default Re: $this_is_home_page fails with custom parameters

    Quote Originally Posted by DrByte View Post
    But ... the "index.php?product_info=107" is not a valid URL in Zen Cart
    I couldn't agree more, but perhaps you'll remember when the same problem was happening with canonical URLs and I came up with some crazy ugly solution, which you then beautified and we now have
    Code:
    $rogues = array();
    in init_canonical.php (can't find that thread now).

    The problem I'm seeing here is that someone could maliciously post stupid links across the web just to harm your SEO. For example, vanilla install:
    domain.com/
    domain.com/index.php?products_id=107
    domain.com/index.php?products_id=34
    domain.com/index.php?products_id=1
    domain.com/index.php?products_id=173

    All of these will have the exact same canonical URL (home page), but completely different content - aka SEO hara-kiri.

  4. #4
    Join Date
    Feb 2006
    Location
    Tampa Bay, Florida
    Posts
    7,182
    Plugin Contributions
    96

    Default Re: $this_is_home_page fails with custom parameters

    If you get a products_id in $_GET without a main_page, why not just set the main_page to product_info?
    That Software Guy. My Store: Zen Cart Modifications
    Available for hire - See my ad in Services
    Plugin Moderator, Documentation Curator, Chief Cook and Bottle-Washer.

  5. #5
    Join Date
    Feb 2006
    Location
    Tampa Bay, Florida
    Posts
    7,182
    Plugin Contributions
    96

    Default Re: $this_is_home_page fails with custom parameters

    You could do this in includes/init_includes/init_sanitize.php right after the zen_products_id_valid check.

  6. #6
    Join Date
    Oct 2008
    Location
    Croatia
    Posts
    1,204
    Plugin Contributions
    12

    Default Re: $this_is_home_page fails with custom parameters

    Scott...

    B-E-autiful.

    Since it might affect everyone else, may I suggest pushing this into 1.5.7? Just something for you guys to consider...

    init_sanitize.php
    Code:
    <?php
    /**
     * sanitize the GET parameters
     * see {@link  http://www.zen-cart.com/wiki/index.php/Developers_API_Tutorials#InitSystem wikitutorials} for more details.
     *
     * @package initSystem
     * @copyright Copyright 2003-2019 Zen Cart Development Team
     * @copyright Portions Copyright 2003 osCommerce
     * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
     * @version $Id: DrByte 2019 Jul 16 Modified in v1.5.6c $
     * @todo move the array process to security class
     */
    
      if (!defined('IS_ADMIN_FLAG')) {
        die('Illegal Access');
      }
      $csrfBlackListLocal = array();
      $csrfBlackList = (isset($csrfBlackListCustom)) ? array_merge($csrfBlackListLocal, $csrfBlackListCustom) : $csrfBlackListLocal;
      if (! isset ( $_SESSION ['securityToken'] ))
      {
        $_SESSION ['securityToken'] = md5 ( uniqid ( rand (), true ) );
      }
      if ((isset ( $_GET ['action'] ) || isset($_POST['action']) ) && $_SERVER['REQUEST_METHOD'] == 'POST')
      {
        $mainPage = isset($_GET['main_page']) ? $_GET['main_page'] : FILENAME_DEFAULT;
        if (!in_array($mainPage, $csrfBlackList))
        {
          if ((! isset ( $_SESSION ['securityToken'] ) || ! isset ( $_POST ['securityToken'] )) || ($_SESSION ['securityToken'] !== $_POST ['securityToken']))
          {
            zen_redirect ( zen_href_link ( FILENAME_TIME_OUT, '', $request_type ) );
          }
        }
      }
      if (isset($_GET['typefilter'])) $_GET['typefilter'] = preg_replace('/[^0-9a-zA-Z_-]/', '', $_GET['typefilter']);
      if (isset($_GET['products_id'])) $_GET['products_id'] = preg_replace('/[^0-9a-f:]/', '', $_GET['products_id']);
      if (isset($_GET['manufacturers_id'])) $_GET['manufacturers_id'] = preg_replace('/[^0-9]/', '', $_GET['manufacturers_id']);
      if (isset($_GET['categories_id'])) $_GET['categories_id'] = preg_replace('/[^0-9]/', '', $_GET['categories_id']);
      if (isset($_GET['cPath'])) $_GET['cPath'] = preg_replace('/[^0-9_]/', '', $_GET['cPath']);
      if (isset($_GET['main_page'])) $_GET['main_page'] = preg_replace('/[^0-9a-zA-Z_]/', '', $_GET['main_page']);
      if (isset($_GET['sort'])) $_GET['sort'] = preg_replace('/[^0-9a-zA-Z]/', '', $_GET['sort']);
      $saniGroup1 = array('action', 'addr', 'alpha_filter_id', 'alpha_filter', 'authcapt', 'chapter', 'cID', 'currency', 'debug', 'delete', 'dfrom', 'disp_order', 'dto', 'edit', 'faq_item', 'filter_id', 'goback', 'goto', 'gv_no', 'id', 'inc_subcat', 'language', 'markflow', 'music_genre_id', 'nocache', 'notify', 'number_of_uploads', 'order_id', 'order', 'override', 'page', 'pfrom', 'pid', 'pID', 'pos', 'product_id', 'products_image_large_additional', 'products_tax_class_id', 'pto', 'record_company_id', 'referer', 'reviews_id', 'search_in_description', 'set_session_login', 'token', 'tx', 'type', 'zenid');
      foreach ($saniGroup1 as $key)
      {
        if (isset($_GET[$key]))
        {
          $_GET[$key] = preg_replace('/[^\/0-9a-zA-Z_:@.-]/', '', $_GET[$key]);
          if (isset($_REQUEST[$key])) $_REQUEST[$key] = preg_replace('/[^\/0-9a-zA-Z_:@.-]/', '', $_REQUEST[$key]);
        }
      }
    
    /**
     * process all $_GET terms
     */
      $strictReplace = '[<>\']';
      $unStrictReplace = '[<>]';
      if (isset($_GET) && count($_GET) > 0) {
        foreach($_GET as $key=>$value){
          if(is_array($value)){
            foreach($value as $key2 => $val2){
              if ($key2 == 'keyword') {
                $_GET[$key][$key2] = preg_replace('/'.$unStrictReplace.'/', '', $val2);
                if (isset($_REQUEST[$key][$key2])) $_REQUEST[$key][$key2] = preg_replace('/'.$unStrictReplace.'/', '', $val2);
              } elseif(is_array($val2)){
                  foreach($val2 as $key3 => $val3){
                      $_GET[$key][$key2][$key3] = preg_replace('/'.$strictReplace.'/', '', $val3);
                      if (isset($_REQUEST[$key][$key2][$key3])) $_REQUEST[$key][$key2][$key3] = preg_replace('/'.$strictReplace.'/', '', $val3);
                  }
              } else {
                $_GET[$key][$key2] = preg_replace('/'.$strictReplace.'/', '', $val2);
                if (isset($_REQUEST[$key][$key2])) $_REQUEST[$key][$key2] = preg_replace('/'.$strictReplace.'/', '', $val2);
              }
            }
          } else {
            if ($key == 'keyword') {
              $_GET[$key] = preg_replace('/'.$unStrictReplace.'/', '', $value);
              if (isset($_REQUEST[$key])) $_REQUEST[$key] = preg_replace('/'.$unStrictReplace.'/', '', $value);
            } else {
              $_GET[$key] = preg_replace('/'.$strictReplace.'/', '', $value);
              if (isset($_REQUEST[$key])) $_REQUEST[$key] = preg_replace('/'.$strictReplace.'/', '', $value);
            }
          }
          unset($GLOBALS[$key]);
        }
      }
    /**
     * process all $_POST terms
     * @todo move the array process to security class
     */
      if (isset($_POST) && count($_POST) > 0) {
        foreach($_POST as $key=>$value){
          if(is_array($value)){
            foreach($value as $key2 => $val2){
              unset($GLOBALS[$key]);
            }
          } else {
            unset($GLOBALS[$key]);
          }
        }
      }
    /**
     * process all $_COOKIE terms
     */
      if (isset($_COOKIE) && count($_COOKIE) > 0) {
        foreach($_COOKIE as $key=>$value){
          if(is_array($value)){
            foreach($value as $key2 => $val2){
              unset($GLOBALS[$key]);
            }
          } else {
            unset($GLOBALS[$key]);
          }
        }
      }
    /**
     * process all $_SESSION terms
     */
      if (isset($_SESSION) && count($_SESSION) > 0) {
        foreach($_SESSION as $key=>$value){
          if(is_array($value)){
            foreach($value as $key2 => $val2){
              unset($GLOBALS[$key]);
            }
          } else {
            unset($GLOBALS[$key]);
          }
        }
      }
    
    /**
     * validate products_id for search engines and bookmarks, etc.
     */
      if (isset($_GET['products_id']) && (!isset($_SESSION['check_valid']) || $_SESSION['check_valid'] != 'false')) {
        $check_valid = zen_products_id_valid($_GET['products_id']);
        if (!$check_valid) {
          $_GET['main_page'] = zen_get_info_page($_GET['products_id']);
          /**
           * do not recheck redirect
           */
          $_SESSION['check_valid'] = 'false';
          zen_redirect(zen_href_link($_GET['main_page'], 'products_id=' . $_GET['products_id']));
        }
        if (!isset($_GET['main_page'])) {
          $_GET['main_page'] = zen_get_info_page($_GET['products_id']);
          zen_redirect(zen_href_link($_GET['main_page'], 'products_id=' . $_GET['products_id']));
        }
      }

      $_SESSION['check_valid'] = 'true';
    /**
     * We do some checks here to ensure $_GET['main_page'] has a sane value
     */
      if (!isset($_GET['main_page']) || !zen_not_null($_GET['main_page'])) $_GET['main_page'] = 'index';
    
      if (!is_dir(DIR_WS_MODULES .  'pages/' . $_GET['main_page'])) {
        if (MISSING_PAGE_CHECK == 'On' || MISSING_PAGE_CHECK == 'true') {
          $_GET['main_page'] = 'index';
        } elseif (MISSING_PAGE_CHECK == 'Page Not Found') {
          header('HTTP/1.1 404 Not Found');
          $_GET['main_page'] = FILENAME_PAGE_NOT_FOUND;
        }
      }
      $current_page = $_GET['main_page'];
      $current_page_base = $current_page;
      $code_page_directory = DIR_WS_MODULES . 'pages/' . $current_page_base;
      $page_directory = $code_page_directory;

  7. #7
    Join Date
    Feb 2006
    Location
    Tampa Bay, Florida
    Posts
    7,182
    Plugin Contributions
    96

    Default Re: $this_is_home_page fails with custom parameters

    If @drbyte approves, maybe you could create a PR? Join the fun!

  8. #8
    Join Date
    Jan 2004
    Posts
    65,400
    Blog Entries
    7
    Plugin Contributions
    232

    Default Re: $this_is_home_page fails with custom parameters

    Code:
        if(!isset($_GET['main_page'])) {
            $_GET['main_page'] = zen_get_info_page($_GET['products_id']);
            zen_redirect(zen_href_link($_GET['main_page'], 'products_id=' . $_GET['products_id']));
        }
    I'm not sure this is correct logic. It assumes that if the main_page param is blank, that a product id is. And blindly redirects to it, even if it's blank.

  9. #9
    Join Date
    Jan 2004
    Posts
    65,400
    Blog Entries
    7
    Plugin Contributions
    232

    Default Re: $this_is_home_page fails with custom parameters

    As for the initial situation where this was encountered, I'm guessing the store was formerly using some sort of URL-rewriter? Perhaps contingencies for having changed that situation should be implemented on that store.

  10. #10
    Join Date
    Oct 2008
    Location
    Croatia
    Posts
    1,204
    Plugin Contributions
    12

    Default Re: $this_is_home_page fails with custom parameters

    Quote Originally Posted by DrByte View Post
    I'm not sure this is correct logic. It assumes that if the main_page param is blank, that a product id is. And blindly redirects to it, even if it's blank.
    Uhm, what do you mean "even if it's blank"? It can't be blank, it's inside
    Code:
      if (isset($_GET['products_id']) && (!isset($_SESSION['check_valid']) || $_SESSION['check_valid'] != 'false')) {
    Can't think of any valid situation where main_page would be blank, but products_id would exist... Maybe it's just my time to go to bed...

    It's definitely an invalid URL so we're just trying to get the best out of it.

    I have no idea if some URL rewriter was used, I only noticed potential problems with canonical URLs, otherwise would've never posted it here...
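The decision the thread is circling, written out as an added example (not Zen Cart's code and not the patch posted in #6): a standalone PHP model of the products_id / main_page normalisation, using the two character allow-lists from the init_sanitize.php listing above. DEMO_PRODUCTS, demo_products_id_valid(), demo_get_info_page() and resolve_request() are constructed stand-ins for the database and for zen_products_id_valid() / zen_get_info_page(); domain.com is the placeholder host from post #3. It covers the case raised in #3 (products_id with no main_page collapsing onto the home-page canonical) and the objection in #8 (redirecting on a blank or unknown id): an empty id is treated as absent, an unknown or non-numeric id gets a 404 instead of a redirect to a guessed page, and a valid id without a usable main_page gets a 301 to its canonical URL.

```php
<?php
// Added example, not Zen Cart code: a standalone model of the
// products_id / main_page handling discussed in this thread.

// Constructed product table standing in for the database lookups that
// zen_products_id_valid() and zen_get_info_page() perform in Zen Cart.
const DEMO_PRODUCTS = [107 => 'product_info', 34 => 'product_music_info'];

function demo_products_id_valid(string $id): bool
{
    // The sanitizer keeps [0-9a-f:], so "107c" survives it; the numeric
    // check here is what actually rejects such an id.
    return preg_match('/^\d+$/', $id) === 1 && isset(DEMO_PRODUCTS[(int) $id]);
}

function demo_get_info_page(string $id): string
{
    return DEMO_PRODUCTS[(int) $id] ?? 'product_info';
}

/**
 * Decide how a request should be answered. Returns the HTTP status
 * (200, 301 or 404), the resolved main_page and the canonical URL the
 * page should declare.
 *
 * @param array<string,string> $get raw query parameters ($_GET)
 */
function resolve_request(array $get, string $base = 'https://domain.com/'): array
{
    // Character allow-lists as in init_sanitize.php.
    if (isset($get['products_id'])) {
        $get['products_id'] = preg_replace('/[^0-9a-f:]/', '', $get['products_id']);
    }
    if (isset($get['main_page'])) {
        $get['main_page'] = preg_replace('/[^0-9a-zA-Z_]/', '', $get['main_page']);
    }

    // "?products_id=" (present but empty) is treated as absent, so it is
    // never redirected on.
    $pid  = $get['products_id'] ?? '';
    $page = $get['main_page'] ?? '';

    if ($pid !== '' && !demo_products_id_valid($pid)) {
        // Unknown or malformed id: answer 404, do not redirect to a guess.
        return ['status' => 404, 'main_page' => 'page_not_found',
                'canonical' => $base . 'index.php?main_page=page_not_found'];
    }

    if ($pid !== '' && ($page === '' || $page === 'index')) {
        // Valid products_id but no usable main_page: derive the page and
        // 301 to the canonical URL instead of serving it as the home page.
        $page = demo_get_info_page($pid);
        return ['status' => 301, 'main_page' => $page,
                'canonical' => $base . "index.php?main_page=$page&products_id=$pid"];
    }

    if ($page === '') {
        $page = 'index';
    }
    $canonical = $page === 'index'
        ? $base
        : $base . "index.php?main_page=$page" . ($pid !== '' ? "&products_id=$pid" : '');

    return ['status' => 200, 'main_page' => $page, 'canonical' => $canonical];
}

// Usage: the URL shapes from post #3, plus an empty, an unknown and a
// tampered id (constructed inputs).
if (PHP_SAPI === 'cli') {
    $queries = [
        [],
        ['products_id' => '107'],
        ['products_id' => '34'],
        ['products_id' => ''],
        ['products_id' => '999'],
        ['products_id' => '107<script>'],
        ['main_page' => 'product_info', 'products_id' => '107'],
    ];
    foreach ($queries as $q) {
        $r = resolve_request($q);
        printf("%-44s -> %d %s\n", '/index.php?' . http_build_query($q), $r['status'], $r['canonical']);
    }
}
```

Run it with `php` on the command line. The `107<script>` case is the one worth noticing: the `[^0-9a-f:]` class reduces it to `107c`, not `107`, so it is the validity lookup and not the regex that has to reject it; the same division of labour applies to the real sanitizer and zen_products_id_valid() in the listing above.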

