Sloppy Parsing of initvar()


Postby cmb » Sun Nov 11, 2012 4:43 pm

Hello Community,

yesterday I stumbled again across this issue with initvar(). initvar() looks for a GET or POST parameter, and sets a global variable accordingly. If neither parameter is set, it falls back to the following:

$GLOBALS[$name] = @preg_replace("/.*?(" . $name . "=([^\&]*))?.*?/i", "\\2", sv('QUERY_STRING')); 

This is quite sloppy, as an arbitrary prefix of the parameter name is simply ignored. For example consider the following URL: http://www.example.com/?Name_of_the_page&myplugin_edit=whatever. When initvar('edit') is called, $edit is set to 'whatever'.

I don't see the reason for this fallback. IMO checking for $_GET and $_POST is absolutely sufficient. Or does the core or any plugin rely on this behavior? Otherwise I suggest removing the fallback.

Christoph
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+


Re: Sloppy Parsing of initvar()

Postby cmb » Sun Nov 11, 2012 9:46 pm

I did some further research on this topic. The change was introduced in CMSimple 2.3 beta 4 (released before April 14th, 2004). The changelog says:
Initvar fixed to get $GET vars

I do not have the slightest clue why $_GET[...] might fail, and the workaround has to be there. Unfortunately the archived CMSimple forum is not yet available, so I can't look it up there.

Does anybody have some information regarding this issue?

TIA
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+


Re: Sloppy Parsing of initvar()

Postby cmb » Thu Dec 27, 2012 12:13 pm

cmb wrote: Unfortunately the archived CMSimple forum is not yet available, so I can't look it up there.

Luckily the archived forum is back now, and a quick search for "initvar" brought up http://forum.cmsimple-xh.dk/?f=1&t=590#p2282:
on 2004-02-03 08:17:02 harteg wrote: I've experienced problems with get parameters on at least Linux/apache PHP because of the ?nameofthepage syntax, but function initvar in 2.3 beta 4 has been modified so it works.

Obviously there were at least problems with the PHP versions used back then. As I was not able to find further information about this issue, it might be better to stick with the fallback. But we should consider making the regex stricter, so that it catches the exact variable names only.
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+
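
The prefix problem described in this thread, next to one possible stricter pattern, as an added example that is not part of the original posts or of CMSimple's code. The function names `loose_fallback()` and `strict_fallback()` are hypothetical, the query strings are constructed, and the query string is passed in as a parameter instead of being read via sv('QUERY_STRING').

```php
<?php
// Added example, not CMSimple code.

// The fallback pattern exactly as quoted in the thread (without the @ suppressor).
// Nothing anchors $name, so any parameter whose name merely ends in $name matches.
function loose_fallback(string $name, string $queryString): string
{
    return (string) preg_replace(
        "/.*?(" . $name . "=([^\&]*))?.*?/i", "\\2", $queryString
    );
}

// Hypothetical stricter variant: the name must start the query string or
// directly follow '&', and is escaped with preg_quote() so that regex
// metacharacters in $name are taken literally.
// Assumption: matching is case-sensitive, like the keys of $_GET.
function strict_fallback(string $name, string $queryString): string
{
    $pattern = '/(?:^|&)' . preg_quote($name, '/') . '=([^&]*)/';
    return preg_match($pattern, $queryString, $m) ? $m[1] : '';
}

// Constructed query strings; the first one is the example from the first post.
$samples = [
    'Name_of_the_page&myplugin_edit=whatever',
    'Name_of_the_page&edit=1',
    'Name_of_the_page',
];

foreach ($samples as $qs) {
    printf(
        "%-42s loose=%-12s strict=%s\n",
        $qs,
        var_export(loose_fallback('edit', $qs), true),
        var_export(strict_fallback('edit', $qs), true)
    );
}
```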


Re: Sloppy Parsing of initvar()

Postby manu » Thu Dec 27, 2012 6:12 pm

PHP problems from 2004 which we don't exactly know about? Too bad it is not commented.
I would suggest commenting this out with "magic but no clue" and waiting to see what happens.
Is this a backdoor? I wonder what the idea of this command line is. And the trailing question marks? no idea.


Re: Sloppy Parsing of initvar()

Postby cmb » Wed Jan 30, 2013 1:57 pm

Hello Community,

after removing it, a quick test showed a bunch of warnings about uninitialized variables, so I changed the fallback clause to:

$GLOBALS[$name] = '';


manu wrote: Is this a backdoor? I wonder what the idea of this command line is. And the trailing question marks? no idea.

It's definitely no backdoor. The trailing question marks (as in .*?) switch the regex to ungreedy mode, which is sometimes necessary (AFAICS not in this case, where these .*? could simply have been dropped).

Christoph
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

