The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
|||||||
|
#1
04-29-2008, 06:11 AM
|
|||
|
|||
Why doesn't the GPC resolve "do" anymore for HTML form links in 3.7?
I tried asking this question in the 3.7 troubleshooting section and was shot down for asking a programming question. Is this a bug or is this a new design feature for 3.7?
We use "do" in links in HTML forms on our site. This used to be able to be pulled via the GPC class in 3.6.8 and prior, in 3.7 it does not work: Sample HTML: Code:
<?php
/*======================================================================*\
|| #################################################################### ||
|| #################################################################### ||
\*======================================================================*/
// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);
// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'testsubmit');
// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array('fronthelp');
// get special data templates from the datastore
$specialtemplates = array();
// pre-cache templates used by all actions
$globaltemplates = array(
'test_template'
);
// pre-cache templates used by specific actions
$actiontemplates = array();
// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
$vbulletin->input->clean_array_gpc('r', array(
'do' => TYPE_NOHTML,
'myaction' => TYPE_NOHTML
));
$ot_do=$vbulletin->GPC['do'];
$ot_myaction = $vbulletin->GPC['myaction'];
echo "Do: $ot_do<br>";
echo "Request Do: " . $_REQUEST['do'] . "<br>";
echo "MyAction: $ot_myaction";
eval('print_output("' . fetch_template('test_template') . '");');
?>
Code:
<form action="testsubmit.php?myaction=myactionval&do=testdoval" method="post"> <input maxlength=255 name=mytextval size=60> <input type="submit" class="button" name="sbutton" value="Send"/> </form> 
|
|
#2
04-29-2008, 06:39 AM
|
|||
|
|||
|
What release candidate are you running?
Also, what is the output of your echo statements? This could possible be the result of the CSRF protocol...
|
|
#3
04-29-2008, 06:53 AM
|
|||
|
|||
|
I'm running release candidate 4.
If I submit the form by clicking the button I get (click on picture to make them readable):  If I copy the link from the above submitted form into another IE window and just hit "go" I get:  That's why it appears to be just the "do" variable and only if that variable is passed via an html form. Scuzzy
|
|
#4
04-29-2008, 07:27 AM
|
|||
|
|||
|
Add this to the debug:
var_dump($vbulletin->GPC);
|
|
#5
04-29-2008, 08:00 AM
|
|||
|
|||
|
Submitted:
 Cutting and pasting link into another window and hitting "go":  "do" doesn't appear in the array in the submitted form, but "myaction" does... Scuzzy --------------- Added [DATE]1209461230[/DATE] at [TIME]1209461230[/TIME] --------------- I attempted to add the CSRF protection to this form to see if that was the problem. New code: Code:
<?php
/*======================================================================*\
|| #################################################################### ||
|| #################################################################### ||
\*======================================================================*/
// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);
// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'testsubmit');
define('CSRF_PROTECTION', true);
// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array('fronthelp');
// get special data templates from the datastore
$specialtemplates = array();
// pre-cache templates used by all actions
$globaltemplates = array(
'test_template'
);
// pre-cache templates used by specific actions
$actiontemplates = array();
// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
$vbulletin->input->clean_array_gpc('r', array(
'do' => TYPE_NOHTML,
'myaction' => TYPE_NOHTML
));
$ot_do=$vbulletin->GPC['do'];
$ot_myaction = $vbulletin->GPC['myaction'];
echo "Do: $ot_do<br>";
echo "Request Do: " . $_REQUEST['do'] . "<br>";
echo "MyAction: $ot_myaction";
echo "<br>**** GPC Var Dump ****<br>";
var_dump($vbulletin->GPC);
echo "<br>**********************<br>";
eval('print_output("' . fetch_template('test_template') . '");');
?>
New Template: Code:
<form action="testsubmit.php?myaction=myactionval&do=testdoval" method="post"> <input maxlength=255 name=mytextval size=60> <input type="submit" class="button" name="sbutton" value="Send"/> <input type="hidden" name="s" value="$session[sessionhash]" /> <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" /> </form> Before submit:  After submit:  Scuzzy
|
|
#6
04-29-2008, 08:56 AM
|
|||
|
|||
|
PHP Code:
PHP Code:
|
|
#7
04-29-2008, 09:22 AM
|
|||
|
|||
|
Quote:
 I did try this, and get the same results:New Code: Code:
<?php
/*======================================================================*\
|| #################################################################### ||
|| #################################################################### ||
\*======================================================================*/
// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);
// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'testsubmit');
define('CSRF_PROTECTION', true);
// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array('fronthelp');
// get special data templates from the datastore
$specialtemplates = array();
// pre-cache templates used by all actions
$globaltemplates = array(
'test_template'
);
// pre-cache templates used by specific actions
$actiontemplates = array();
// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
$vbulletin->input->clean_array_gpc('r', array(
'do' => TYPE_NOHTML,
'myaction' => TYPE_NOHTML
));
$ot_do=$vbulletin->GPC['do'];
$ot_myaction = $vbulletin->GPC['myaction'];
$vbulletin->input->clean_array_gpc('p', array(
'do' => TYPE_NOHTML,
'myaction' => TYPE_NOHTML
));
$ot_do2=$vbulletin->GPC['do'];
$ot_myaction2 = $vbulletin->GPC['myaction'];
echo "Do From R: $ot_do<br>";
echo "MyAction From R: $ot_myaction<br>";
echo "Do From P: $ot_do2<br>";
echo "MyAction From P: $ot_myaction2<br>";
echo "Request Do: " . $_REQUEST['do'] . "<br>";
echo "<br>**** GPC Var Dump ****<br>";
var_dump($vbulletin->GPC);
echo "<br>**********************<br>";
eval('print_output("' . fetch_template('test_template') . '");');
?>
 After submit:  What seems really odd to me is that myaction shows up as a post variable.
|
|
#8
04-29-2008, 10:03 AM
|
|||
|
|||
|
I have discussed this issue with our developers and it seems that this might be due to a change made during the latest CSRF patch. We are now discussing how to prevent side effects like this.
Advice for now is to submit it as a hidden input variable and also send the sessionhash and securitytoken.
|
 |
«
Previous Thread
|
Next Thread
»
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
All times are GMT. The time now is 09:07 PM.