  #1  
Old 04-29-2008, 06:11 AM
Scuzzy Scuzzy is offline
 
Join Date: Feb 2007
Posts: 14
Default Why doesn't the GPC resolve "do" anymore for HTML form links in 3.7?

I tried asking this question in the 3.7 troubleshooting section and was shot down for asking a programming question. Is this a bug or is this a new design feature for 3.7?

We use "do" in links in HTML forms on our site. This used to be able to be pulled via the GPC class in 3.6.8 and prior, in 3.7 it does not work:

Sample HTML:
Code:
<?php
/*======================================================================*\
|| #################################################################### ||
|| #################################################################### ||
\*======================================================================*/
// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);
// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'testsubmit');
// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array('fronthelp');
// get special data templates from the datastore
$specialtemplates = array();
// pre-cache templates used by all actions
$globaltemplates = array(
 'test_template'
);
// pre-cache templates used by specific actions
$actiontemplates = array();
// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
 
$vbulletin->input->clean_array_gpc('r', array(
 'do' => TYPE_NOHTML,
 'myaction' => TYPE_NOHTML
));
$ot_do=$vbulletin->GPC['do'];
$ot_myaction = $vbulletin->GPC['myaction'];
echo "Do: $ot_do<br>";
echo "Request Do: " . $_REQUEST['do'] . "<br>";
echo "MyAction: $ot_myaction";
eval('print_output("' . fetch_template('test_template') . '");');
?>
Sample Template:
Code:
<form action="testsubmit.php?myaction=myactionval&do=testdoval" method="post">
   <input maxlength=255 name=mytextval size=60>
   <input type="submit" class="button" name="sbutton" value="Send"/>
</form>
  #2  
Old 04-29-2008, 06:39 AM
Guest190829
Guest
 
Posts: n/a
Default

What release candidate are you running?

Also, what is the output of your echo statements? This could possibly be the result of the CSRF protocol...
  #3  
Old 04-29-2008, 06:53 AM
Scuzzy Scuzzy is offline
 
Join Date: Feb 2007
Posts: 14
Default

I'm running release candidate 4.

If I submit the form by clicking the button I get (click on picture to make them readable):



If I copy the link from the above submitted form into another IE window and just hit "go" I get:



That's why it appears to be just the "do" variable and only if that variable is passed via an html form.

Scuzzy
  #4  
Old 04-29-2008, 07:27 AM
Guest190829
Guest
 
Posts: n/a
Default

Add this to the debug:

var_dump($vbulletin->GPC);
  #5  
Old 04-29-2008, 08:00 AM
Scuzzy Scuzzy is offline
 
Join Date: Feb 2007
Posts: 14
Default

Submitted:



Cutting and pasting link into another window and hitting "go":



"do" doesn't appear in the array in the submitted form, but "myaction" does...

Scuzzy

--------------- Added later ---------------

I attempted to add the CSRF protection to this form to see if that was the problem.

New code:
Code:
<?php
/*======================================================================*\
|| #################################################################### ||
|| #################################################################### ||
\*======================================================================*/

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'testsubmit');
define('CSRF_PROTECTION', true);  

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array('fronthelp');

// get special data templates from the datastore
$specialtemplates = array();

// pre-cache templates used by all actions
$globaltemplates = array(
	'test_template'

);

// pre-cache templates used by specific actions
$actiontemplates = array();

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');


$vbulletin->input->clean_array_gpc('r', array(
	'do' => TYPE_NOHTML,
	'myaction' => TYPE_NOHTML
));

$ot_do=$vbulletin->GPC['do'];
$ot_myaction = $vbulletin->GPC['myaction'];

echo "Do: $ot_do<br>";
echo "Request Do: " . $_REQUEST['do'] . "<br>";
echo "MyAction: $ot_myaction";

echo "<br>**** GPC Var Dump ****<br>";
var_dump($vbulletin->GPC);
echo "<br>**********************<br>";

eval('print_output("' . fetch_template('test_template') . '");');

?>

New Template:
Code:
<form action="testsubmit.php?myaction=myactionval&do=testdoval" method="post">
   <input maxlength=255 name=mytextval size=60>
   <input type="submit" class="button" name="sbutton" value="Send"/>
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
</form>
I logged into my forum, then ran this script.

Before submit:


After submit:



Scuzzy
  #6  
Old 04-29-2008, 08:56 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Default

PHP Code:
$vbulletin->input->clean_array_gpc('r', array(
    'do' => TYPE_NOHTML,
    'myaction' => TYPE_NOHTML
));
If you submit it from a form, it is a POST variable, not a REQUEST, so try:
PHP Code:
$vbulletin->input->clean_array_gpc('p', array(
    'do' => TYPE_NOHTML,
    'myaction' => TYPE_NOHTML
));
  #7  
Old 04-29-2008, 09:22 AM
Scuzzy Scuzzy is offline
 
Join Date: Feb 2007
Posts: 14
Default

Quote:
Originally Posted by Marco van Herwaarden View Post
PHP Code:
$vbulletin->input->clean_array_gpc('r', array(
    'do' => TYPE_NOHTML,
    'myaction' => TYPE_NOHTML
));
If you submit it from a form, it is a POST variable, not a REQUEST, so try:
PHP Code:
$vbulletin->input->clean_array_gpc('p', array(
    'do' => TYPE_NOHTML,
    'myaction' => TYPE_NOHTML
));
I didn't do this because it's really being passed as a post variable, because it's part of the link itself. However, I'm willing to try anything. I did try this, and get the same results:

New Code:
Code:
<?php
/*======================================================================*\
|| #################################################################### ||
|| #################################################################### ||
\*======================================================================*/

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'testsubmit');
define('CSRF_PROTECTION', true);  

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array('fronthelp');

// get special data templates from the datastore
$specialtemplates = array();

// pre-cache templates used by all actions
$globaltemplates = array(
	'test_template'

);

// pre-cache templates used by specific actions
$actiontemplates = array();

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');


$vbulletin->input->clean_array_gpc('r', array(
	'do' => TYPE_NOHTML,
	'myaction' => TYPE_NOHTML
));



$ot_do=$vbulletin->GPC['do'];
$ot_myaction = $vbulletin->GPC['myaction'];


$vbulletin->input->clean_array_gpc('p', array(
	'do' => TYPE_NOHTML,
	'myaction' => TYPE_NOHTML
));


$ot_do2=$vbulletin->GPC['do'];
$ot_myaction2 = $vbulletin->GPC['myaction'];


echo "Do From R: $ot_do<br>";
echo "MyAction From R: $ot_myaction<br>";
echo "Do From P: $ot_do2<br>";
echo "MyAction From P: $ot_myaction2<br>";

echo "Request Do: " . $_REQUEST['do'] . "<br>";

echo "<br>**** GPC Var Dump ****<br>";
var_dump($vbulletin->GPC);
echo "<br>**********************<br>";

eval('print_output("' . fetch_template('test_template') . '");');

?>
Before submit:


After submit:


What seems really odd to me is that myaction shows up as a post variable.
  #8  
Old 04-29-2008, 10:03 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Default

I have discussed this issue with our developers and it seems that this might be due to a change made during the latest CSRF patch. We are now discussing how to prevent side effects like this.

Advice for now is to submit it as a hidden input variable and also send the sessionhash and securitytoken.
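
The advice in the last post (send the action as a hidden input together with the security token), sketched as an added example in plain PHP. It is not vBulletin code and not from any poster in this thread, and it does not describe what the 3.7 CSRF patch does internally. The function names, the HMAC token scheme and the sample requests are assumptions made for illustration.

```php
<?php
// Added illustration in plain PHP; not vBulletin's implementation.
// Assumption: the token is an HMAC of the session id under a server secret.
function issue_token(string $sessionId, string $secret): string
{
    return hash_hmac('sha256', $sessionId, $secret);
}

// Build the arrays PHP itself would build for a request: the query string
// fills GET, the urlencoded body fills POST. Parameters written into a
// form's action URL stay in GET even when the form method is "post".
function split_request(string $url, string $body): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $get);
    parse_str($body, $post);
    return ['get' => $get, 'post' => $post];
}

// Take the action selector only from the POST body, and only with a valid token.
function resolve_action(array $req, string $sessionId, string $secret): ?string
{
    $sent = $req['post']['securitytoken'] ?? '';
    if (!is_string($sent) || !hash_equals(issue_token($sessionId, $secret), $sent)) {
        return null; // missing or wrong token: refuse the request
    }
    $do = $req['post']['do'] ?? null;
    return is_string($do) ? htmlspecialchars($do, ENT_QUOTES) : null;
}

// Constructed sample input.
$secret = 'example-server-secret';
$sid    = 'example-session-id';
$token  = issue_token($sid, $secret);

// Form as first posted in the thread: "do" only in the action URL, no token.
$a = split_request('testsubmit.php?myaction=myactionval&do=testdoval', 'mytextval=hi&sbutton=Send');
// Form as advised: "do" and the token travel as hidden inputs in the body.
$b = split_request('testsubmit.php', 'do=testdoval&mytextval=hi&securitytoken=' . $token);

// The first request is refused; the second resolves the action.
var_dump(resolve_action($a, $sid, $secret));
var_dump(resolve_action($b, $sid, $secret));
```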