BOM

[cmb]

Hello Developers,

a while ago we had several reports, that login to CMSimple_XH was not possible anymore. This was caused by a BOM, which was written to cmsimple/config.php after editing with a text editor.

As since CMSimple_XH 1.5 the ouput is buffered and final_clean_up() is called, this routine could easily remove any BOM from the output by changing cmsimple/cms.php line 465 to:

Code: Select all

    return str_replace("\xEF\xBB\xBF", '', $html); 

Additionally the start of the output buffering on line 397 has to be moved further up, say to line 67.

This way the supporters in the forum and the wiki documentors wouldn't have to constantly stress "convert to UTF-8 without BOM". Or would it be better not to silently suppress the BOMs?

Christoph

[cmb]

I've thought again about filtering out the BOM in final_clean_up(). I'm not sure, if it's a good idea, for performance reasons. A faster solution would be to check for headers_sent() immediately before cmsimple/cms.php line 394:

Code: Select all

if (headers_sent($temp['file'], $temp['line'])) {
    echo "Headers were sent to early! (file: $temp[file], line: $temp[line])";
    exit;
}
 

[cmb]

I've chosen the latter solution for now (r208).

Any objections?

[cmb]

Hello Community,

I've chosen the latter solution for now (r208).

Perhaps not the best decision with regard to the necessity to make changes to config.php for the upgrade to CMSimple_XH 1.5.4

Christoph

[cmb]

Hello Community,

somebody (svasti?) noted in the roadmap regarding this issue:

Seems some additional clarification is necessary

Some general explanations about the BOM are given in the XH wiki. I'll try to elaborate on this specific issue, getting more into the details, what seems to be appropriate for this forum (OD)--but I'll still try to keep it simple--the exact details can be found in the HTTP specs.

• The BOM of an UTF-8 encoded file is actually a sequence of 3 bytes at its beginning: "\xEF\xBB\xBF". These bytes are typically not shown by a text editor, but one can see them in a hex editor.
• If a PHP file is processed (it doesn't matter if it's browsed directly, or included from another file) everything outside of <?php ... ?> is sent to the client (i.e. browser) directly [1] as part of the body of the HTTP response.
• As soon as only one octet (i.e. byte) of the body of the HTTP response was sent, no further HTTP response headers can be set via header(); they will simply be ignored.
• The HTTP response headers contain vital information for the client (i.e. browser), besides others the cookies.

Now consider that config.php has a BOM (this can easily be reproduced by saving config.php with Windows Notepad as UTF-8). When config.php is included by cms.php, the three bytes which consitute the BOM are sent to the browser as part of the HTTP response body. When after the inclusion of config.php the login.php gets included it sets the appropriate headers for the login credentials as cookies. But these headers can't be sent, as the HTTP response body already has "started". IOW: when config.php contains a BOM, successful login is impossible.

There are three possibilities to handle this:

1. simply ignore it, because no CMSimple_XH PHP file has to have a BOM (this was done before CMSimple_XH 1.5.4)
2. send a message to the client, that some headers couldn't be sent (current solution)
3. filter out the BOM, so that it's never sent to the client in the first place

(1) is a simple, fast and pragmatic solution, quite suitable for CMSimple: just assume everything is alright, and fail otherwise. (2) is still quite simple and fast, but gives at least an explicit hint that something is wrong (even if the message might not be very helpful for end-users, though). (3) will effectively ignore any BOM, which is very convenient, but it has a price: the output buffering has to be started very early in cms.php. This will result in requests to ?download=... to be buffered, which will increase the memory footprint of these request (it might not be possible to deliver very large files, as the memory_limit might be exceeded). And for all request, this will mean, that the complete HTTP response body has to be searched for BOMs (and removing them). Particularly the latter might be a measurable performance penalty (this has to be measured and confirmed, though).

Due to the lack of any representative benchmarks I waver between (2) and (3), but I tend to (2) with the reason, that slowing down the system because of potentially erroneous file encodings, seems not very CMSimple-like.

And to be honest: I don't like the current output buffering at all. As it is now, it's not necessary at all. And I'm not convinced that the possible use cases could pay off, though this have to be measured--not guessed!

[1] The only exception is a single line break directly after the closing ?>

Christoph

[manu]

For [2] could we trigger a user defined error? The outcome could be handled by ./downloads/_XHdebug.txt.
regards manu

[Holger]

Hi,

I tent to (1) , but of course I'm fine with (2).

For [2] could we trigger a user defined error? The outcome could be handled by ./downloads/_XHdebug.txt.

Yep. That's a good idea IMO.

KR
Holger

[cmb]

Hi manu, hi Holger,

I tent to (1)

For [2] could we trigger a user defined error? The outcome could be handled by ./downloads/_XHdebug.txt.

When we changed the default password to some crytic string in CMSimple_XH 1.5.1, we received several reports of users who were not able to login. This was probably caused by a BOM in the manually edited config.php. In this case a warning would have been triggered by PHP already (caused by the filebrowser, which tries to start a session):

session_start() [function.session-start]: Cannot send session cache limiter - headers already sent ...

But none (?) of the users reported this, as the debug mode probably was disabled. Enabling the debug mode by default is probably not the best idea, as several plugins trigger many notices and even warnings, which might distract the user. [2]

When we trigger a user error, this will not do much more than duplicate the warning already triggered by the filebrowser.

Since XH 1.5.4 there will be shown a CMSimple error message anyway: "Please enable Cookies", but this is rather misleading.

BTW: there is actually a fourth possibility to handle the BOM: lift the requirements to PHP 5.4 [1], as since this version BOM are ignored by PHP.

[1] Just kidding.
[2] But wait! Debug mode 1 only reports ERRORS and USER_WARNINGS. We might consider to enable this debug level by default. And perhaps we should suppress the "Notice: debug mode is enabled" in this case.

Christoph

[Tata]

[2] But wait! Debug mode 1 only reports ERRORS and USER_WARNINGS. We might consider to enable this debug level by default. And perhaps we should suppress the "Notice: debug mode is enabled" in this case.

That seems to be the best idea so far.