search

Geeklog-Core / geeklog

Geeklog - The Secure CMS.
https://www.geeklog.net
24 stars 19 forks source link

Errors from passed data from visitors with incorrect encoding #1026

Closed eSilverStrike closed 4 years ago

eSilverStrike commented 4 years ago

Noticing these type of errors in the error log file.

This particle URL

https://www.example.com/downloads/index.php?cid=8orderby=hitsApage=6%bf%27

Created this SQL error

Sat 18 Jan 2020 16:04:24 EST - ipaddresshere - 1267: Illegal mix of collations (utf8mb4_general_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '=' in /plugins/downloads/include/gltree.class.php:307. SQL in question: SELECT pid, title FROM downloadcategories WHERE cid = '8orderby=hitsApage=6¿'  
Sat 18 Jan 2020 16:04:24 EST - ipaddresshere - E_USER_ERROR(256) - An SQL error has occurred. Please see error.log for details. @ /system/databases/mysqli.class.php line 468

This is because Geeklog is using one character set and different characters are encoded in the information being passed in by a URL variable.

eSilverStrike commented 4 years ago

Fixed by @mystralkk commit d288a89ed2514e706990e0cbff6f65c5ba267c1a

mb_check_encoding accepts as the second argument all encodings Geeklog uses but Windows-1250 (slovenian), according to https://www.php.net/manual/en/mbstring.supported-encodings.php . I guess very few or no users use slovenian, so it is safe to ignore it.