q2a / question2answer

Question2Answer is a free and open source platform for Q&A sites, running on PHP/MySQL.
http://www.question2answer.org/
GNU General Public License v3.0

$silentproblems[] - A non-numeric value encountered #903

Closed q2apro closed 1 year ago

q2apro commented 3 years ago

Someone used a "punkspider" bot against my website. That triggered this error:

```
Error : A non-numeric value encountered
```

```php
$silentproblems[] = 'timeout after ' . ($timenow - $timestamp) . 's';
```

In qa-include/app/users.php. https://github.com/q2a/question2answer/blob/dev/qa-include/app/users.php#L1357

User Agent: Punkspider/5.0 (opt-out to support@hyperiongray.com) IP: 3.23.208.80

How can "non-numeric value" happen at that line of code? – I guess it was an injection/hack attempt.

How to fix it?

q2apro commented 3 years ago

```php
function qa_check_form_security_code($action, $value)
{
	//...
	$loggedin = $parts[0];
	$timestamp = $parts[1];
	$hash = $parts[2];
```

The evaluation of the incoming data is missing.

$parts[0] should be converted to (int). $parts[1] should be converted to (int). $parts[2] should be filtered to allow only alphanumeric (I guess).

Security issue


Example of security form code:

```html
<input type="hidden" name="code" value="0-1625729207-7f37881b99028d6cc04d1aae90ae01976024c9b6">
```

q2apro commented 3 years ago

Can somebody confirm that those changes are correct and implement them in app/users.php?

Suggestion:

```php
	$loggedin = (int)$parts[0];
	$timestamp = (int)$parts[1];
	$hash = $parts[2];
	$hash = preg_replace("/[^a-zA-Z0-9]+/", "", $hash);
```

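As an added illustration of the point raised in this issue and in the suggestion above (example code written for this page, not code from Question2Answer): a validator for the three-part `loggedin-timestamp-hash` form security code that checks each field's type and shape before any arithmetic or comparison touches it, so a tampered value such as a non-numeric timestamp is rejected with a clear reason instead of reaching `$timenow - $timestamp`. The `demo_` function names, the `DEMO_SECRET` and `DEMO_TIMEOUT` values and the sha1-based hashing scheme are assumptions made for the demonstration; the project's real hashing, salt and timeout are not shown on this page.

```php
<?php
// Added example (not Question2Answer's own code): a hardened parser for the
// "loggedin-timestamp-hash" form security code discussed in this issue.
// The three-field format comes from the issue; the secret, the hashing
// scheme and the helper names are assumptions made for this demonstration.

declare(strict_types=1);

const DEMO_SECRET  = 'constructed-demo-secret'; // assumption: stands in for the site's salt
const DEMO_TIMEOUT = 3600;                      // assumption: maximum age of a code in seconds

// Build a code in the same three-part shape as the hidden input in the issue.
function demo_make_code(int $loggedin, int $timestamp): string
{
    $hash = sha1(DEMO_SECRET . '/' . $loggedin . '/' . $timestamp);
    return $loggedin . '-' . $timestamp . '-' . $hash;
}

// Validate a submitted code. Returns null when it is acceptable, otherwise a
// short reason string (the same idea as the $silentproblems[] entries).
function demo_check_code(string $value, int $expectedLoggedin, int $timenow): ?string
{
    $parts = explode('-', $value);
    if (count($parts) !== 3) {
        return 'wrong number of fields';
    }
    [$loggedinRaw, $timestampRaw, $hash] = $parts;

    // ctype_digit() accepts only '0'-'9': it rejects '', signs, whitespace,
    // exponents and anything else, so the casts and the subtraction below can
    // never operate on a non-numeric value.
    if (!ctype_digit($loggedinRaw) || !ctype_digit($timestampRaw)) {
        return 'non-numeric field';
    }
    // The hash must be exactly 40 lowercase hex characters (sha1 output).
    if (!preg_match('/\A[0-9a-f]{40}\z/', $hash)) {
        return 'malformed hash';
    }
    $loggedin  = (int)$loggedinRaw;
    $timestamp = (int)$timestampRaw;

    // Constant-time comparison against the hash we would have issued.
    $expectedHash = sha1(DEMO_SECRET . '/' . $loggedin . '/' . $timestamp);
    if (!hash_equals($expectedHash, $hash)) {
        return 'hash mismatch';
    }
    if ($loggedin !== $expectedLoggedin) {
        return 'login state changed';
    }
    if ($timestamp > $timenow) {
        return 'timestamp in the future';
    }
    if ($timenow - $timestamp > DEMO_TIMEOUT) {
        return 'timeout after ' . ($timenow - $timestamp) . 's';
    }
    return null;
}

// Constructed inputs for the demonstration, including tampered variants.
$now  = 1625729207;
$good = demo_make_code(0, $now - 10);
$cases = [
    'valid'         => $good,
    'tampered time' => '0-abc-' . substr($good, strrpos($good, '-') + 1),
    'missing field' => '0-1625729207',
    'expired'       => demo_make_code(0, $now - 7200),
];
foreach ($cases as $label => $code) {
    $problem = demo_check_code($code, 0, $now);
    printf("%-14s %s\n", $label, $problem ?? 'ok');
}
```

Two design choices worth noting. `ctype_digit()` is used rather than `is_numeric()` because `is_numeric()` also accepts leading whitespace, signs and exponent notation, which a timestamp field never legitimately contains, and a plain `(int)` cast alone would silently turn garbage into `0` rather than rejecting it. The order of the checks also matters for the warning in the title: the subtraction only runs once both numeric fields have been proven to be digit strings, and the hash comparison uses `hash_equals()` so that a mismatch takes the same time regardless of where the strings differ. For context, under PHP 7 arithmetic on a wholly non-numeric string raises the "A non-numeric value encountered" warning seen in the report, while PHP 8 turns the same operation into a `TypeError`, so validating the fields up front avoids a hard failure as well as a logged warning.
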
svivian commented 1 year ago

Thanks for reporting! It's an edge case since someone needs to manually tamper with the CSRF code, but it's good to make sure variables are the correct types :)