Operator sees network timeout, new users don't show up in list, error.log gets swamped.

[jmechnich]

Environment

• Mibew Messenger version: 3.4.3
• OS: Debian 11
• Web server: apache 2.4.51-1~deb11u1
• PHP: php 7.4.25-1+deb11u1
• PHP extensions: PDO/7.4.25 pdo_mysql/7.4.25 gd/7.4.25 curl/7.4.25 mbstring/7.4.25
• MySQL: mariaDB 1:10.5.12-0+deb11u1

Excerpt from apache error.log

...
[Wed Dec 01 11:51:22.791813 2021] [php7:notice] [pid 3150535] [client REDACTED:40168] PHP Notice:  Undefined index: HTTP_USER_AGENT in /var/www/mibew/libs/chat.php on line 630
[Wed Dec 01 11:51:22.910655 2021] [php7:error] [pid 3149868] [client REDACTED:53801] PHP Fatal error:  Uncaught TypeError: Argument 1 passed to UAParser\\Parser::parse() must be of the type string, null given, called in /var/www/mibew/libs/userinfo.php on line 31 and defined in /var/www/mibew/vendor/ua-parser/uap-php/src/Parser.php:37
Stack trace:
#0 /var/www/mibew/libs/userinfo.php(31): UAParser\\Parser->parse()
#1 /var/www/mibew/libs/classes/Mibew/RequestProcessor/UsersProcessor.php(318): get_user_agent_version()
#2 /var/www/mibew/libs/classes/Mibew/RequestProcessor/AbstractProcessor.php(553): Mibew\\RequestProcessor\\UsersProcessor->apiUpdateThreads()
#3 /var/www/mibew/libs/classes/Mibew/RequestProcessor/AbstractProcessor.php(454): Mibew\\RequestProcessor\\AbstractProcessor->processorCall()
#4 /var/www/mibew/libs/classes/Mibew/RequestProcessor/AbstractProcessor.php(421): Mibew\\RequestProcessor\\AbstractProcessor->processFunction()
#5 /var/www/mibew/libs/classes/Mibew/RequestProcessor/AbstractProcessor.php(216): Mibew\\RequestProcessor\\AbstractProcessor->processRequest()
#6 /var/www/mibew/libs/classes/Mibew/Controll in /var/www/mibew/vendor/ua-parser/uap-php/src/Parser.php on line 37, referer: https://REDACTED/mibew/operator/users?nomenu=1
[continuous loop of the previous error]

Additional notes

The issue occurred a few days after an apache and PHP security update. My suspicion is that null is no longer automatically converted to an empty string if appropriate. In our case, the HTTP_USER_AGENT was not set by a connecting client, which led to a broken session logging fatal errors.

Workaround

Our temporary fix was to set the user agent explicitly to the empty string if it was null here.

Proposed fix

In my fork, I have introduced checks wherever HTTP_USER_AGENT is retrieved from the _SERVER array.

[faf]

Though actual version of Mibew is 3.5.3, this issue could be reproduced. So, it's a bug. :)