gWorldz / get-simple-cms

Automatically exported from code.google.com/p/get-simple-cms
GNU General Public License v3.0

Issue with PHP 5.3, possibly due to magic quotes. #52

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Issue raised on the forum, will need more looking into:

http://get-simple.info/forum/viewtopic.php?pid=4339#p4339

It might make GetSimple useless on future PHP versions so I’m flagging this
with a high priority status. Fixing before 2.02 would be best. I’ll do some
research with PHP 5.3 later today.

Original issue reported on code.google.com by martijn.personal@gmail.com on 27 Apr 2010 at 7:09

GoogleCodeExporter commented 9 years ago
Thanks Martijn. Hopefully you find the culprit

Original comment by ccagle8 on 28 Apr 2010 at 10:29

GoogleCodeExporter commented 9 years ago
You can see my analysis on this problem:
http://get-simple.info/forum/viewtopic.php?pid=4339#p4355

Moreover, I didn't find any use of magic quotes in the project...

Original comment by spila...@gmail.com on 28 Apr 2010 at 2:28

GoogleCodeExporter commented 9 years ago
A possible fix:
http://get-simple.info/forum/viewtopic.php?pid=4649#p4649

Original comment by carnav on 17 May 2010 at 7:46

GoogleCodeExporter commented 9 years ago

Original comment by martijn.personal@gmail.com on 2 Jun 2010 at 7:56

GoogleCodeExporter commented 9 years ago
I have realised that this issue is not only with 'content' field, but with others
like 'title', 'menu'... (those filtered by stripslashes in edit.php, lines 53-61)

(Though content and title fields may be the most important ones to be fixed.)

Original comment by carnav on 6 Jun 2010 at 6:21

GoogleCodeExporter commented 9 years ago
I can think of another solution (would imply changes not only in edit.php but also in
theme_functions.php), based on what spilarix first suggested, but that way xml page
file format would not be backwards compatible (backslashes would not be escaped inside).

For now, I believe it's better to do the small fix I suggested (addslashes if
magic_quotes_gpc off) or something similar, but anyway if someone is interested I can
send it by email, PM or whatever.

Carlos

Original comment by carnav on 6 Jun 2010 at 6:28

GoogleCodeExporter commented 9 years ago
Just a reminder: my suggested patch (comment 3) is:

/admin/changedata, line 97, replace by:

        if(isset($_POST['post-content'])) {
            if (get_magic_quotes_gpc()==0) {
                $content = addslashes(htmlentities($_POST['post-content'], ENT_QUOTES, 'UTF-8'));
            } else {
                $content = htmlentities($_POST['post-content'], ENT_QUOTES, 'UTF-8');
            }
        }

That would fix the backslash problem in the content (escapes all backslashes
submitted if magic_quotes_gpc is disabled -PHP 5.3-, making it work as if this option
were enabled).

Same should be done to title (line 89), menu (line 94), and maybe to metak and metad.
(So perhaps you might prefer to create some new formatting function so as not to repeat
all this code.)

Original comment by carnav on 6 Jun 2010 at 8:02

GoogleCodeExporter commented 9 years ago
theme-edit.php and components.php have the same problem (stripped off slashes if magic_quotes_gpc disabled)

Original comment by carnav on 7 Jun 2010 at 9:29

GoogleCodeExporter commented 9 years ago
I've made the changes to components and changedata. Where on theme-edit.php should it be done?

Original comment by ccagle8 on 16 Oct 2010 at 1:43

GoogleCodeExporter commented 9 years ago
theme-edit.php, line 48:

    $FileContents = stripslashes(htmlspecialchars_decode($_POST['content'], ENT_QUOTES));

(suggested) replace by:

    if (get_magic_quotes_gpc()==0) { 
        $FileContents = htmlspecialchars_decode($_POST['content'], ENT_QUOTES);
    } else {
        $FileContents = stripslashes(htmlspecialchars_decode($_POST['content'], ENT_QUOTES));
    }

Original comment by carnav on 16 Oct 2010 at 2:55

GoogleCodeExporter commented 9 years ago
r201 took care of this. Thanks!

Original comment by ccagle8 on 18 Oct 2010 at 12:54

GoogleCodeExporter commented 9 years ago
Got a question, this function uses this same type of cleaning... shouldn't this use the same gpc check?

    function get_page_content() {
        global $content;
        exec_action('content-top');
        $content = stripslashes(htmlspecialchars_decode($content, ENT_QUOTES));
        $content = exec_filter('content',$content);
        echo $content;
        exec_action('content-bottom');
    }

Original comment by ccagle8 on 23 Oct 2010 at 12:43

GoogleCodeExporter commented 9 years ago
No, the gpc problem was only with GET/POST/Cookie variables, which are not used when displaying a page, but only when editing.

Original comment by carnav on 23 Oct 2010 at 7:31
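
The shared formatting function suggested in the patch comment, combined with the display path discussed in the exchange above, as an added example that is not GetSimple's own code. The function names `gs_magic_quotes_on`, `gs_prepare_field` and `gs_display_field` and the sample string are assumptions; the script runs one input through the save and display steps for both settings of magic_quotes_gpc and for the unpatched case.

```php
<?php
// Added example, not GetSimple's code. All function names are hypothetical.

/** True when PHP has already backslash-escaped GET/POST/Cookie data. */
function gs_magic_quotes_on() {
    // get_magic_quotes_gpc() was removed in PHP 8.0; a missing function means "off".
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

/**
 * Save-side normalisation, following the patch in this thread:
 * entity-encode, then add slashes only if PHP did not already do so.
 * $magic can be passed explicitly so both server settings can be exercised.
 */
function gs_prepare_field($raw, $magic = null) {
    if ($magic === null) {
        $magic = gs_magic_quotes_on();
    }
    $encoded = htmlentities($raw, ENT_QUOTES, 'UTF-8');
    return $magic ? $encoded : addslashes($encoded);
}

/** Display-side decoding, the same two calls get_page_content() makes. */
function gs_display_field($stored) {
    return stripslashes(htmlspecialchars_decode($stored, ENT_QUOTES));
}

// Constructed sample: what an editor typed into the content field.
$typed = 'C:\temp "x"';

$cases = array(
    // With magic quotes on, PHP hands the script an already-slashed value.
    'magic_quotes_gpc on'  => gs_prepare_field(addslashes($typed), true),
    'off, patched'         => gs_prepare_field($typed, false),
    // Behaviour before the patch: no addslashes when magic quotes are off.
    'off, unpatched'       => htmlentities($typed, ENT_QUOTES, 'UTF-8'),
);

foreach ($cases as $label => $stored) {
    $shown  = gs_display_field($stored);
    $status = ($shown === $typed) ? 'round-trips' : 'backslash lost';
    printf("%-20s stored=%s  shown=%s  [%s]\n", $label, $stored, $shown, $status);
}
```

Because the display step always calls stripslashes, the stored value must contain escaped backslashes regardless of the server setting; only the unpatched case fails the round trip.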

GoogleCodeExporter commented 9 years ago
Ooohh, OK. So I guess we have all the instances of this being a problem... I'm going to close this. Thanks for all your help on this!

Original comment by ccagle8 on 23 Oct 2010 at 1:03