mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-07-10 01:26:29 +02:00
Code Issues Releases Wiki Activity

Fixes faulty parsing of _GET when debug is activated. Pref editor will now use var_export on arrays when debug mode is active.

Browse Source
This commit is contained in:
Cameron
2021-02-06 12:48:19 -08:00
parent 10ca7acdd5
commit 0fd7ee6482
3 changed files with 58 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
e107_admin/db.php
View File

@ -1447,7 +1447,16 @@ class system_tools
foreach($spref as $key => $val) foreach($spref as $key => $val)
{ {
$ptext = (is_array($val)) ? "<pre>".htmlentities(print_r($val, TRUE))."</pre>" : htmlspecialchars($val, ENT_QUOTES, 'utf-8'); if(is_array($val))
{
$varView = deftrue('e_DEBUG') ? var_export($val, true): print_r($val, true);
$ptext = "<pre>".htmlentities($varView)."</pre>" ;
}
else
{
$ptext = htmlspecialchars($val, ENT_QUOTES, 'utf-8');
}
$ptext = $tp->textclean($ptext, 80); $ptext = $tp->textclean($ptext, 80);
$text .= " $text .= "

44
e107_handlers/e107_class.php
View File

@ -5150,13 +5150,13 @@ class e107
} }
// e_MENU fix // e_MENU fix
if(e_MENU) if(deftrue('e_MENU'))
{ {
$requestUri = str_replace('['.e_MENU.']', '', $requestUri); $requestUri = str_replace('['.e_MENU.']', '', $requestUri);
$requestUrl = str_replace('['.e_MENU.']', '', $requestUrl); $requestUrl = str_replace('['.e_MENU.']', '', $requestUrl);
if(defset('e_QUERY')) if(defset('e_QUERY'))
{ {
parse_str(e_QUERY, $_GET); parse_str(str_replace('&amp;', '&', e_QUERY), $_GET);
} }
} }
@ -5311,33 +5311,45 @@ class e107
} }
/** /**
* Set request related constants * Defines e_QUERY in a format that can be used in HTML and defines e_MENU
* @param boolean $no_cbrace remove curly brackets from the url * @param boolean $no_cbrace remove curly brackets from the url
* @return e107 * @return string parsed query string.
*/ */
public function set_request($no_cbrace = true) public function set_request($no_cbrace = true, $queryString =null)
{ {
if($queryString === null)
{
$queryString = $_SERVER['QUERY_STRING'] ;
}
$inArray = array("'", '/**/', '/UNION/', '/SELECT/', 'AS '); $inArray = array("'", '/**/', '/UNION/', '/SELECT/', 'AS ');
foreach($inArray as $res) foreach($inArray as $res)
{ {
if(stripos($_SERVER['QUERY_STRING'], $res) !== false) if(stripos($queryString, $res) !== false)
{ {
die('Access denied.'); die('Access denied.');
} }
} }
$eMENUQry = str_replace(array('%5B','%5D'),array('[',']'),$_SERVER['QUERY_STRING']); //FIX for urlencoded QUERY_STRING without breaking the '+' used by debug. $eMENUQry = str_replace(array('%5B','%5D'),array('[',']'), $queryString); //FIX for urlencoded QUERY_STRING without breaking the '+' used by debug.
if (strpos($eMENUQry, ']') && preg_match('#\[(.*?)](.*)#', $eMENUQry, $matches)) if (strpos($eMENUQry, ']') && preg_match('#\[(.*?)](.*)#', $eMENUQry, $matches))
{
if(!defined('e_MENU'))
{ {
define('e_MENU', $matches[1]); define('e_MENU', $matches[1]);
}
$e_QUERY = $matches[2]; $e_QUERY = $matches[2];
} }
else else
{
if(!defined('e_MENU'))
{ {
define('e_MENU', ''); define('e_MENU', '');
$e_QUERY = $_SERVER['QUERY_STRING']; }
$e_QUERY = $queryString;
} }
if ($no_cbrace) if ($no_cbrace)
@ -5345,21 +5357,27 @@ class e107
$e_QUERY = str_replace(array('{', '}', '%7B', '%7b', '%7D', '%7d'), '', rawurldecode($e_QUERY)); $e_QUERY = str_replace(array('{', '}', '%7B', '%7b', '%7D', '%7d'), '', rawurldecode($e_QUERY));
} }
// $e_QUERY = htmlentities(self::getParser()->post_toForm($e_QUERY)); //@see https://github.com/e107inc/e107/issues/719
$e_QUERY = htmlspecialchars(self::getParser()->post_toForm($e_QUERY)); $e_QUERY = htmlspecialchars(self::getParser()->post_toForm($e_QUERY));
// e_QUERY SHOULD NOT BE DEFINED IF IN SNIGLE ENTRY MODE OR ALL URLS WILL BE BROKEN - it's defined later within the the router // e_QUERY SHOULD NOT BE DEFINED IF IN SNIGLE ENTRY MODE OR ALL URLS WILL BE BROKEN - it's defined later within the the router
if(!deftrue("e_SINGLE_ENTRY")) if(!deftrue("e_SINGLE_ENTRY"))
{ {
define('e_QUERY', filter_var($e_QUERY, FILTER_SANITIZE_URL)); $e_QUERY = filter_var($e_QUERY, FILTER_SANITIZE_URL); //FIXME Breaks non-latin chars: @see https://github.com/e107inc/e107/issues/719
$_SERVER['QUERY_STRING'] = e_QUERY; if(!defined('e_QUERY'))
{
define('e_QUERY', $e_QUERY);
$_SERVER['QUERY_STRING'] = $e_QUERY;
}
} }
if(!defined('e_TBQS')) // for the unit tests.
{
define('e_TBQS', $_SERVER['QUERY_STRING']); define('e_TBQS', $_SERVER['QUERY_STRING']);
} }
return $e_QUERY;
}
/** /**
* Basic implementation of Browser cache control per user session. Awaiting improvement in future versions * Basic implementation of Browser cache control per user session. Awaiting improvement in future versions
* If no argument is passed it returns * If no argument is passed it returns

17
e107_tests/tests/unit/e107Test.php
View File

@ -1848,13 +1848,24 @@ class e107Test extends \Codeception\Test\Unit
$res = null; $res = null;
$this->assertTrue($res); $this->assertTrue($res);
} }
*/
public function testSet_request() public function testSet_request()
{ {
$res = null; $tests = array(
$this->assertTrue($res); 'mode=main&action=create' => 'mode=main&amp;action=create',
'[debug=counts!]mode=pref_editor&type=vstore' => 'mode=pref_editor&amp;type=vstore',
// 'searchquery=šýá&mode=main' => 'searchquery=šýá&amp;mode=main', //FIXME Fails.
);
foreach($tests as $input => $expected)
{
$result = $this->e107->set_request(true, $input);
$this->assertSame($expected, $result);
} }
}
/*
public function testCanCache() public function testCanCache()
{ {
$res = null; $res = null;