  1. #11
    Join Date
    Feb 2006
    Location
    Tampa Bay, Florida
    Posts
    9,695
    Plugin Contributions
    123

    Default Re: $this_is_home_page fails with custom parameters

    This actually looks right to me too - the product_id is passed in but no main page, so force going to product info.
    It's a pathological situation, and this is a best guess of intent.
    That Software Guy. My Store: Zen Cart Modifications
    Available for hire - See my ad in Services
    Plugin Moderator, Documentation Curator, Chief Cook and Bottle-Washer.
    Do you benefit from Zen Cart? Then please support the project.

  2. #12
    Join Date
    Apr 2008
    Posts
    446
    Plugin Contributions
    1

    Default Re: $this_is_home_page fails with custom parameters

    Quote Originally Posted by DrByte View Post
    As for the initial situation where this was encountered, I'm guessing the store was formerly using some sort of URL-rewriter? Perhaps contingencies for having changed that situation should be implemented on that store.
    To provide more info, in hopes it helps figure this out since I was the one that reported the issue, I do not have any URL-rewrite on the store.
    Thank you for looking into it!

  3. #13
    Join Date
    Jul 2012
    Posts
    16,733
    Plugin Contributions
    17

    Default Re: $this_is_home_page fails with custom parameters

    Quote Originally Posted by balihr View Post
    Scott...

    B-E-autiful.

    Since it might affect everyone else, may I suggest pushing this into 1.5.7 ? Just something for you guys to consider...

    init_sanitize.php
    Code:
    <?php
    /**
     * sanitize the GET parameters
     * see {@link  http://www.zen-cart.com/wiki/index.php/Developers_API_Tutorials#InitSystem wikitutorials} for more details.
     *
     * @package initSystem
     * @copyright Copyright 2003-2019 Zen Cart Development Team
     * @copyright Portions Copyright 2003 osCommerce
     * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
     * @version $Id: DrByte 2019 Jul 16 Modified in v1.5.6c $
     * @todo move the array process to security class
     */
    
      if (!defined('IS_ADMIN_FLAG')) {
        die('Illegal Access');
      }
      $csrfBlackListLocal = array();
      $csrfBlackList = (isset($csrfBlackListCustom)) ? array_merge($csrfBlackListLocal, $csrfBlackListCustom) : $csrfBlackListLocal;
      if (! isset ( $_SESSION ['securityToken'] ))
      {
        $_SESSION ['securityToken'] = md5 ( uniqid ( rand (), true ) );
      }
      if ((isset ( $_GET ['action'] ) || isset($_POST['action']) ) && $_SERVER['REQUEST_METHOD'] == 'POST')
      {
        $mainPage = isset($_GET['main_page']) ? $_GET['main_page'] : FILENAME_DEFAULT;
        if (!in_array($mainPage, $csrfBlackList))
        {
          if ((! isset ( $_SESSION ['securityToken'] ) || ! isset ( $_POST ['securityToken'] )) || ($_SESSION ['securityToken'] !== $_POST ['securityToken']))
          {
            zen_redirect ( zen_href_link ( FILENAME_TIME_OUT, '', $request_type ) );
          }
        }
      }
      if (isset($_GET['typefilter'])) $_GET['typefilter'] = preg_replace('/[^0-9a-zA-Z_-]/', '', $_GET['typefilter']);
      if (isset($_GET['products_id'])) $_GET['products_id'] = preg_replace('/[^0-9a-f:]/', '', $_GET['products_id']);
      if (isset($_GET['manufacturers_id'])) $_GET['manufacturers_id'] = preg_replace('/[^0-9]/', '', $_GET['manufacturers_id']);
      if (isset($_GET['categories_id'])) $_GET['categories_id'] = preg_replace('/[^0-9]/', '', $_GET['categories_id']);
      if (isset($_GET['cPath'])) $_GET['cPath'] = preg_replace('/[^0-9_]/', '', $_GET['cPath']);
      if (isset($_GET['main_page'])) $_GET['main_page'] = preg_replace('/[^0-9a-zA-Z_]/', '', $_GET['main_page']);
      if (isset($_GET['sort'])) $_GET['sort'] = preg_replace('/[^0-9a-zA-Z]/', '', $_GET['sort']);
      $saniGroup1 = array('action', 'addr', 'alpha_filter_id', 'alpha_filter', 'authcapt', 'chapter', 'cID', 'currency', 'debug', 'delete', 'dfrom', 'disp_order', 'dto', 'edit', 'faq_item', 'filter_id', 'goback', 'goto', 'gv_no', 'id', 'inc_subcat', 'language', 'markflow', 'music_genre_id', 'nocache', 'notify', 'number_of_uploads', 'order_id', 'order', 'override', 'page', 'pfrom', 'pid', 'pID', 'pos', 'product_id', 'products_image_large_additional', 'products_tax_class_id', 'pto', 'record_company_id', 'referer', 'reviews_id', 'search_in_description', 'set_session_login', 'token', 'tx', 'type', 'zenid');
      foreach ($saniGroup1 as $key)
      {
        if (isset($_GET[$key]))
        {
          $_GET[$key] = preg_replace('/[^\/0-9a-zA-Z_:@.-]/', '', $_GET[$key]);
          if (isset($_REQUEST[$key])) $_REQUEST[$key] = preg_replace('/[^\/0-9a-zA-Z_:@.-]/', '', $_REQUEST[$key]);
        }
      }
    
    /**
     * process all $_GET terms
     */
      $strictReplace = '[<>\']';
      $unStrictReplace = '[<>]';
      if (isset($_GET) && count($_GET) > 0) {
        foreach($_GET as $key=>$value){
          if(is_array($value)){
            foreach($value as $key2 => $val2){
              if ($key2 == 'keyword') {
                $_GET[$key][$key2] = preg_replace('/'.$unStrictReplace.'/', '', $val2);
                if (isset($_REQUEST[$key][$key2])) $_REQUEST[$key][$key2] = preg_replace('/'.$unStrictReplace.'/', '', $val2);
              } elseif(is_array($val2)){
                  foreach($val2 as $key3 => $val3){
                      $_GET[$key][$key2][$key3] = preg_replace('/'.$strictReplace.'/', '', $val3);
                      if (isset($_REQUEST[$key][$key2][$key3])) $_REQUEST[$key][$key2][$key3] = preg_replace('/'.$strictReplace.'/', '', $val3);
                  }
              } else {
                $_GET[$key][$key2] = preg_replace('/'.$strictReplace.'/', '', $val2);
                if (isset($_REQUEST[$key][$key2])) $_REQUEST[$key][$key2] = preg_replace('/'.$strictReplace.'/', '', $val2);
              }
            }
          } else {
            if ($key == 'keyword') {
              $_GET[$key] = preg_replace('/'.$unStrictReplace.'/', '', $value);
              if (isset($_REQUEST[$key])) $_REQUEST[$key] = preg_replace('/'.$unStrictReplace.'/', '', $value);
            } else {
              $_GET[$key] = preg_replace('/'.$strictReplace.'/', '', $value);
              if (isset($_REQUEST[$key])) $_REQUEST[$key] = preg_replace('/'.$strictReplace.'/', '', $value);
            }
          }
          unset($GLOBALS[$key]);
        }
      }
    /**
     * process all $_POST terms
     * @todo move the array process to security class
     */
      if (isset($_POST) && count($_POST) > 0) {
        foreach($_POST as $key=>$value){
          if(is_array($value)){
            foreach($value as $key2 => $val2){
              unset($GLOBALS[$key]);
            }
          } else {
            unset($GLOBALS[$key]);
          }
        }
      }
    /**
     * process all $_COOKIE terms
     */
      if (isset($_COOKIE) && count($_COOKIE) > 0) {
        foreach($_COOKIE as $key=>$value){
          if(is_array($value)){
            foreach($value as $key2 => $val2){
              unset($GLOBALS[$key]);
            }
          } else {
            unset($GLOBALS[$key]);
          }
        }
      }
    /**
     * process all $_SESSION terms
     */
      if (isset($_SESSION) && count($_SESSION) > 0) {
        foreach($_SESSION as $key=>$value){
          if(is_array($value)){
            foreach($value as $key2 => $val2){
              unset($GLOBALS[$key]);
            }
          } else {
            unset($GLOBALS[$key]);
          }
        }
      }
    
    /**
     * validate products_id for search engines and bookmarks, etc.
     */
      if (isset($_GET['products_id']) && (!isset($_SESSION['check_valid']) || $_SESSION['check_valid'] != 'false')) {
        $check_valid = zen_products_id_valid($_GET['products_id']);
        if (!$check_valid) {
          $_GET['main_page'] = zen_get_info_page($_GET['products_id']);
          /**
           * do not recheck redirect
           */
          $_SESSION['check_valid'] = 'false';
          zen_redirect(zen_href_link($_GET['main_page'], 'products_id=' . $_GET['products_id']));
        }
        if(!isset($_GET['main_page'])) {
            $_GET['main_page'] = zen_get_info_page($_GET['products_id']);
            /**
             * do not recheck redirect
             */
            $_SESSION['check_valid'] = 'false';
            zen_redirect(zen_href_link($_GET['main_page'], 'products_id=' . $_GET['products_id']));
        }
    
      }
     
      $_SESSION['check_valid'] = 'true';
    /**
     * We do some checks here to ensure $_GET['main_page'] has a sane value
     */
      if (!isset($_GET['main_page']) || !zen_not_null($_GET['main_page'])) $_GET['main_page'] = 'index';
    
      if (!is_dir(DIR_WS_MODULES .  'pages/' . $_GET['main_page'])) {
        if (MISSING_PAGE_CHECK == 'On' || MISSING_PAGE_CHECK == 'true') {
          $_GET['main_page'] = 'index';
        } elseif (MISSING_PAGE_CHECK == 'Page Not Found') {
          header('HTTP/1.1 404 Not Found');
          $_GET['main_page'] = FILENAME_PAGE_NOT_FOUND;
        }
      }
      $current_page = $_GET['main_page'];
      $current_page_base = $current_page;
      $code_page_directory = DIR_WS_MODULES . 'pages/' . $current_page_base;
      $page_directory = $code_page_directory;
    Shouldn't that new test either be combined with the one before or add the session variable to be set as false like the previous test? The product already checked as valid based on products_id but didn't necessarily check out based on main_page. But it will check out on main_page because it did based on products_id. Therefore none of this test should be done again after redirect, correct?
    Last edited by mc12345678; 3 May 2020 at 02:09 PM.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  4. #14
    Join Date
    Apr 2008
    Posts
    446
    Plugin Contributions
    1

    Default Re: $this_is_home_page fails with custom parameters

    I made the change suggested and here is what I found. The change caused the ajax-loader from dynamic price updater to go off in a constant loop refreshing the product price over and over again, nonstop. I removed the change. Any ideas why DPU would behave like that? Thanks for looking into it.

  5. #15
    Join Date
    Feb 2006
    Location
    Tampa Bay, Florida
    Posts
    9,695
    Plugin Contributions
    123

    Default Re: $this_is_home_page fails with custom parameters

    That Software Guy. My Store: Zen Cart Modifications
    Available for hire - See my ad in Services
    Plugin Moderator, Documentation Curator, Chief Cook and Bottle-Washer.
    Do you benefit from Zen Cart? Then please support the project.

  6. #16
    Join Date
    Apr 2008
    Posts
    446
    Plugin Contributions
    1

    Default Re: $this_is_home_page fails with custom parameters

    Quote Originally Posted by swguy View Post
    Thank you. So I made the change suggested, and the product pages won't stop refreshing in an endless loop. I turned off Dynamic Price Updater and the issue stopped. The modification is somehow conflicting with DPU.

  7. #17
    Join Date
    Jul 2012
    Posts
    16,733
    Plugin Contributions
    17

    Default Re: $this_is_home_page fails with custom parameters

    Quote Originally Posted by mvstudio View Post
    I made the change suggested and here is what I found. The change caused the ajax-loader from dynamic price updater to go off in a constant loop refreshing the product price over and over again, nonstop. I removed the change. Any ideas why DPU would behave like that? Thanks for looking into it.
    Quote Originally Posted by mvstudio View Post
    Thank you. So I made the change suggested, and the product pages won't stop refreshing in an endless loop. I turned off Dynamic Price Updater and the issue stopped. The modification is somehow conflicting with DPU.
    Yes, I know what the issue is, the question is how to address it...

    So here's the issue: the uri to reach the Ajax query has products_id in it, without a main_page parameter... So one asks, yeah, and? As a result when the Ajax code is executed, it also loads the ZC initialization scripts and as a result of the path having products_id without a main_page, it adds it and redirects...

    So, a couple of fixes possible:
    Add the main_page parameter (which at one point in writing the code was presumed to be present by call to zen_get_all_get_params)
    Or
    Remove products_id from the parameter list.

    I'm beginning to consider the latter, though one of the reasons it was added was so that a user's change in option selection might have an opportunity to be presented in the who's online tool if/when a few other things were worked out... to support that though (again) need to modify the class code because it is looking for products_id to be in the parameters which is not the case if it is removed.

    I would have had more up about this perhaps yesterday, but I had an issue with ZC 1.5.7(ish) on php 7.4 and also have one or two other modules that had the same characteristic of products_id in the parameters without a main_page which I had to chase down. Anyways, I'm trying to come up with a solution where products_id is not in the address and the overall desired functionality is maintained... if want the other solution (keeping it) I can post that fix as well...
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
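
The redirect described in post #17, traced as an added example (not code from the thread, from Zen Cart, or from Dynamic Price Updater): it models only the products_id block of the init_sanitize.php posted in #13 and runs four requests through it. It assumes a valid product id and `product_info` as the info page; the `ajax.php?act=sample` URLs and the function names are constructed for the illustration.

```php
<?php
// Added illustration: a stand-alone model of the products_id block in the
// init_sanitize.php posted above. Helper names and sample URLs are constructed.

// Returns the redirect target, or null when the request reaches its handler.
function init_sanitize_model(array $get, array &$session): ?string
{
    if (isset($get['products_id'])
        && (!isset($session['check_valid']) || $session['check_valid'] != 'false')) {
        // Assumption: the id is valid, so only the proposed second test matters.
        if (!isset($get['main_page'])) {
            $session['check_valid'] = 'false';   // "do not recheck redirect"
            // zen_redirect() ends the request here, so 'true' is not written yet.
            // Assumption: zen_get_info_page() would return 'product_info'.
            return 'index.php?main_page=product_info&products_id=' . $get['products_id'];
        }
    }
    $session['check_valid'] = 'true';            // re-arms the check for the next request
    return null;
}

// Issue one request and follow redirects the way a browser's XHR does.
function fetch(string $url, array &$session): array
{
    $hops = [];
    do {
        $hops[] = $url;
        parse_str((string) parse_url($url, PHP_URL_QUERY), $get);
        $url = init_sanitize_model($get, $session);
    } while ($url !== null && count($hops) < 5);
    return $hops;
}

$session = [];   // one visitor's session, shared by all requests below
$cases = [
    'products_id, no main_page (1st call)' => 'ajax.php?act=sample&products_id=12',
    'products_id, no main_page (2nd call)' => 'ajax.php?act=sample&products_id=12',
    'fix 1: main_page added'               => 'ajax.php?act=sample&main_page=product_info&products_id=12',
    'fix 2: products_id removed'           => 'ajax.php?act=sample',
];
foreach ($cases as $label => $url) {
    $hops = fetch($url, $session);
    $result = count($hops) > 1 ? 'redirected -> ' . end($hops) : 'handled by ajax.php';
    printf("%-38s %s\n", $label, $result);
}
```

The second call is redirected as well because the request that follows each redirect skips the test and then sets `check_valid` back to `'true'`, so the flag only suppresses the check for a single request.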

  8. #18
    Join Date
    Jul 2012
    Posts
    16,733
    Plugin Contributions
    17

    Default Re: $this_is_home_page fails with custom parameters

    See/try the following solution: https://github.com/mc12345678/Dynami.../pull/22/files

    What it does is to remove the products_id parameter from the web address when activating the ajax request, but then adds the information to the who's online information so that the information shared is more than just the request to the ajax code, but instead actually shows the product information (and the ajax request).

    Ideally with this configuration there should not be random indexing attempts to each and every such web address (which effectively is the same one for each product) and when reviewing site activity should be able to tell at which product they are looking with whatever other information is put together.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

 

 