kaffa / textpattern

Automatically exported from code.google.com/p/textpattern

gps(), ps(), psa() and gpsa() fail on multidimensional POST/GET #176

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
HTTP POST/GET data handling functions gps(), ps(), psa(), psas(), stripPost() 
and gpsa() (etc) do not process multidimensional arrays (which is normal form 
data) correctly when magic_quotes_gpc is on.

These functions fail with the message(s):

E_WARNING: stripslashes() expects parameter 1 to be string

And the returned GET/POST data is stripped of its values.

This seems to be due to the doStrip() function, which doesn't process arrays 
recursively. Like deNull(), doStrip() and doStripTags() both (and possibly 
others) should do a recursion when needed.

Original issue reported on code.google.com by jukka.svahn@rahinaa.biz on 13 Apr 2012 at 12:20

GoogleCodeExporter commented 8 years ago
I cannot find a single instance of a multidimensional array in any form 
throughout the whole source tree. 

What are you referring to?

Original comment by r.wetzlmayr on 14 Apr 2012 at 5:54

GoogleCodeExporter commented 8 years ago
Yes, Textpattern doesn't use any multidimensional inputs in its core forms. I 
didn't say otherwise.

What I'm referring to are the functions themselves. They do not support 
multidimensional GET/POST data when magic_quotes_gpc is on, but expect strings.

The data doesn't get exported/sanitized from slashes, and causes unwanted 
warnings.

Original comment by jukka.svahn@rahinaa.biz on 14 Apr 2012 at 6:08

GoogleCodeExporter commented 8 years ago
For example, request a public page as http://example.com/?s[][]=default. You get 
warnings, and, for instance, the feed_link tag will be linking to /rss/?section=Array.

Original comment by jukka.svahn@rahinaa.biz on 14 Apr 2012 at 6:23

GoogleCodeExporter commented 8 years ago
I've attached a proposed patch.

As has been mentioned, the issue comes from doStrip(), which doesn't process 
arrays recursively, which causes the HTTP POST/GET functions to perform 
incorrectly when magic_quotes_gpc is set on in php.ini. When the option is off, 
the functions return arrays as expected, resulting in inconsistency.

The fix is simply to do a recursion in doStrip() and doStripTags() when an array 
is encountered.

Without the patch, requesting the following:

GET name[][][][]=1

prints out an E_WARNING, and an empty single-level array is returned by 
gps('name'). When the patch is applied, gps('name') returns a multi-dimensional 
array as expected:

Array( [0] => Array ( [0] => Array ( [0] => Array ( [0] => 1 ) ) ) )

Original comment by jukka.svahn@rahinaa.biz on 15 Apr 2012 at 4:11

Attachments:
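
The recursion described in the comment above, as an added example that is not part of the thread and not the attached Textpattern patch. The function names, the `$maxDepth` limit and the sample input are assumptions made for illustration; `scalar_param()` goes one step further and covers the `/rss/?section=Array` case from the earlier comment, where an array arrives in a parameter that is later used as a string.

```php
<?php
// Added example; the function names and $maxDepth are hypothetical, not Textpattern's.

// Unescape a request value of any depth: strings are stripped, arrays are
// walked recursively, other types pass through unchanged.
function strip_recursive($value, int $depth = 0, int $maxDepth = 16)
{
    if (is_array($value)) {
        if ($depth >= $maxDepth) {
            return array(); // refuse excessively nested input
        }
        $out = array();
        foreach ($value as $key => $item) {
            $out[$key] = strip_recursive($item, $depth + 1, $maxDepth);
        }
        return $out;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Fetch a parameter that the caller will use as a single string.
// An array (e.g. ?s[][]=default) yields '' instead of being cast to "Array".
function scalar_param(array $source, string $name): string
{
    if (!isset($source[$name]) || is_array($source[$name])) {
        return '';
    }
    return stripslashes((string) $source[$name]);
}

// Constructed input, escaped the way magic_quotes_gpc would have delivered it.
$get = array(
    'name' => array(array(array(array('O\\\'Reilly')))), // name[][][][]=O'Reilly
    's'    => array(array('default')),                   // s[][]=default
    'q'    => 'it\\\'s',                                 // q=it's
);

$name = strip_recursive($get['name']);
var_dump($name[0][0][0][0]);        // nested value, slashes removed
var_dump(scalar_param($get, 's'));  // array where a string was expected
var_dump(scalar_param($get, 'q'));  // ordinary string, slashes removed
```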

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r3864.

Original comment by r.wetzlmayr on 29 Jun 2012 at 5:33