Auto-logout in Admin - Problem with INPUT_SESSION

Found a bug? Tell us!!
ret2
Regular
Posts: 11
Joined: Thu Feb 15, 2007 3:55 pm

Auto-logout in Admin - Problem with INPUT_SESSION

Post by ret2 »

Hello,


I have installed S9Y 1.1 (full, installation "Expert") on PHP 5.1.6 (Mandriva 2007).

I try to admin my blog: /blog/serendipity_admin.php , successful login, I have access to the main page of admin.
I press 'Poster un billet' (Add one article) for example, serendipity redirects me to /blog/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new , I see the login form (Login: Password: ...)

How to debug serendipity to find the problem/bug ?

chmod -R 777 /blog/ doesn't change the problem.

I have created a file: /blog/session.php (just var_dump($_SESSION)), result after login:


array(10) { ["serendipityAuthedUser"]=> bool(true) ["HTTP_REFERER"]=> bool(false) ["serendipityUser"]=> string(4) "root" ["serendipityRealname"]=> string(4) "blabla" ["serendipityPassword"]=> string(32) "63a9f0ea7bb98050796b649e85481845" ["serendipityEmail"]=> string(14) "root@root.root" ["serendipityAuthorid"]=> string(1) "1" ["serendipityUserlevel"]=> string(3) "255" ["serendipityRightPublish"]=> string(1) "1" }

(Login: root/root)

Same problem : http://board.s9y.org/viewtopic.php?t=8885
In the Firefox cookie manager I have the cookie PHPSESSID; I have tested for localhost and 127.0.0.1.

Any ideas ?

Thanks,


PS: The captcha of this phpbb is $*ùù!!
Last edited by ret2 on Thu Feb 15, 2007 9:48 pm, edited 2 times in total.
ret2
Regular
Posts: 11
Joined: Thu Feb 15, 2007 3:55 pm

Post by ret2 »

After a long debug with var_dump() .. I have found the bug !

File: include/compat.inc.php
if (extension_loaded('filter') && function_exists('input_name_to_filter') && input_name_to_filter(ini_get('filter.default')) !== FILTER_UNSAFE_RAW) {
    foreach ($_POST as $key => $value) {
        $_POST[$key] = input_get(INPUT_POST, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_GET as $key => $value) {
        $_GET[$key] = input_get(INPUT_GET, $key, FILTER_UNSAFE_RAW);
    }
    foreach ($_COOKIE as $key => $value) {
        $_COOKIE[$key] = input_get(INPUT_COOKIE, $key, FILTER_UNSAFE_RAW);
    }
    /*
    foreach ($_SESSION as $key => $value) {
        $_SESSION[$key] = input_get(INPUT_SESSION, $key, FILTER_UNSAFE_RAW);
    }
    */

}
To be continued ..

PHP/Filter bug ? possible
ret2
Regular
Posts: 11
Joined: Thu Feb 15, 2007 3:55 pm

Post by ret2 »

The bug :
Image


It's a solution : not possible ?

http://fr3.php.net/en/filter
INPUT_SESSION (integer)
SESSION variables. (not implemented yet)

http://cvs.php.net/viewvc.cgi/php-src/e ... iew=markup

Code: Select all

		case PARSE_SESSION:
			/* FIXME: Implement session source */
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "INPUT_SESSION is not yet implemented");
			break;

input_get(INPUT_SESSION, $key, FILTER_UNSAFE_RAW)
returns false


Remove all

Code: Select all

$_SESSION[$key] = input_get(INPUT_SESSION, $key, FILTER_UNSAFE_RAW);
It's not possible for the moment ?
$_SESSION[$key] = str_replace("\0", '', $value);

?

Garvin ?
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

Good debugging skills you have there!

As it seems, you are right, the "filter" extension seems to screw up the session data. How did you configure the filter.* settings in your php.ini / what are they set to in the phpinfo() output?

The code snippet should only take effect if the filter.default setting is not "FILTER_UNSAFE_RAW".

Sadly I myself did not add this 'filter' compatibility, so I'd have to check with the original implementor to see what's happening. :-)

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
ret2
Regular
Posts: 11
Joined: Thu Feb 15, 2007 3:55 pm

Post by ret2 »

Hello,

Mandriva uses a lot of .ini files (23-gd.ini ...), it's crazy !

var_dump(ini_get('filter.default')) => string(6) "string"
var_dump(ini_get('filter.default_flags')) => bool(false)

In /etc/php.d/A46_filter.ini I have:
extension = filter.so
Any entry in /etc/php.ini for "filter."

With phpinfo() :

Code: Select all

filter
Input Validation and Filtering 	enabled
Revision 	$Revision: 1.35 $

Directive	Local Value	Master Value
filter.default	string	string
filter.default_flags	no value	no value
For information :
I have downloaded this, with urpmi :
php-filter-0.9.4-5mdv2007.0

[root@localhost html]# php --re filter
Extension [ <persistent> extension #37 filter version 0.9.4 ] {

- INI {
Entry [ filter.default <ALL> ]
Current = 'string'
}
Entry [ filter.default_flags <ALL> ]
Current = ''
}
}

- Constants [46] {
Constant [ integer INPUT_POST ] { }
Constant [ integer INPUT_GET ] { }
Constant [ integer INPUT_COOKIE ] { }
Constant [ integer INPUT_ENV ] { }
Constant [ integer INPUT_SERVER ] { }
Constant [ integer INPUT_SESSION ] { } <-------- var_dump(INPUT_SESSION) = > int(6)
Constant [ integer FILTER_FLAG_NONE ] { }
Constant [ integer FILTER_VALIDATE_INT ] { }
Constant [ integer FILTER_VALIDATE_BOOLEAN ] { }
Constant [ integer FILTER_VALIDATE_FLOAT ] { }
Constant [ integer FILTER_VALIDATE_REGEXP ] { }
Constant [ integer FILTER_VALIDATE_URL ] { }
Constant [ integer FILTER_VALIDATE_EMAIL ] { }
Constant [ integer FILTER_VALIDATE_IP ] { }
Constant [ integer FILTER_DEFAULT ] { }
Constant [ integer FILTER_UNSAFE_RAW ] { }
Constant [ integer FILTER_SANITIZE_STRING ] { }
Constant [ integer FILTER_SANITIZE_STRIPPED ] { }
Constant [ integer FILTER_SANITIZE_ENCODED ] { }
Constant [ integer FILTER_SANITIZE_SPECIAL_CHARS ] { }
Constant [ integer FILTER_SANITIZE_EMAIL ] { }
Constant [ integer FILTER_SANITIZE_URL ] { }
Constant [ integer FILTER_SANITIZE_NUMBER_INT ] { }
Constant [ integer FILTER_SANITIZE_NUMBER_FLOAT ] { }
Constant [ integer FILTER_SANITIZE_MAGIC_QUOTES ] { }
Constant [ integer FILTER_CALLBACK ] { }
Constant [ integer FILTER_FLAG_ALLOW_OCTAL ] { }
Constant [ integer FILTER_FLAG_ALLOW_HEX ] { }
Constant [ integer FILTER_FLAG_STRIP_LOW ] { }
Constant [ integer FILTER_FLAG_STRIP_HIGH ] { }
Constant [ integer FILTER_FLAG_ENCODE_LOW ] { }
Constant [ integer FILTER_FLAG_ENCODE_HIGH ] { }
Constant [ integer FILTER_FLAG_ENCODE_AMP ] { }
Constant [ integer FILTER_FLAG_NO_ENCODE_QUOTES ] { }
Constant [ integer FILTER_FLAG_EMPTY_STRING_NULL ] { }
Constant [ integer FILTER_FLAG_ALLOW_FRACTION ] { }
Constant [ integer FILTER_FLAG_ALLOW_THOUSAND ] { }
Constant [ integer FILTER_FLAG_ALLOW_SCIENTIFIC ] { }
Constant [ integer FILTER_FLAG_SCHEME_REQUIRED ] { }
Constant [ integer FILTER_FLAG_HOST_REQUIRED ] { }
Constant [ integer FILTER_FLAG_PATH_REQUIRED ] { }
Constant [ integer FILTER_FLAG_QUERY_REQUIRED ] { }
Constant [ integer FILTER_FLAG_IPV4 ] { }
Constant [ integer FILTER_FLAG_IPV6 ] { }
Constant [ integer FILTER_FLAG_NO_RES_RANGE ] { }
Constant [ integer FILTER_FLAG_NO_PRIV_RANGE ] { }
}

- Functions {
Function [ <internal> public function input_get ] {
}

Function [ <internal> public function input_filters_list ] {
}
Function [ <internal> public function input_has_variable ] {
}
Function [ <internal> public function input_name_to_filter ] {
}

Function [ <internal> public function filter_data ] {
}
}
}

Just for comparison:

With PHP 5.2.1 (WAMP) : WITH DEFAULT CONFIGURATION

Code: Select all

filter
Input Validation and Filtering 	enabled
Revision 	$Revision: 1.52.2.38 $

Directive	Local Value	Master Value
filter.default	unsafe_raw	unsafe_raw
filter.default_flags	no value	no value
Function input_get() doesn't exist, test with filter_input:

Warning: filter_input() [function.filter-input]: INPUT_SESSION is not yet implemented in C:\wamp\www\test.php on line 7

array(1) { ["foo"]=> NULL }



Extension [ <persistent> extension #6 filter version 0.11.0 ] {

- INI {
Entry [ filter.default <ALL> ]
Current = 'unsafe_raw'
}
Entry [ filter.default_flags <ALL> ]
Current = ''
}
}

- Constants [51] {
Constant [ integer INPUT_POST ] { 0 }
Constant [ integer INPUT_GET ] { 1 }
Constant [ integer INPUT_COOKIE ] { 2 }
Constant [ integer INPUT_ENV ] { 4 }
Constant [ integer INPUT_SERVER ] { 5 }
Constant [ integer INPUT_SESSION ] { 6 }
Constant [ integer INPUT_REQUEST ] { 99 }
Constant [ integer FILTER_FLAG_NONE ] { 0 }
Constant [ integer FILTER_REQUIRE_SCALAR ] { 33554432 }
Constant [ integer FILTER_REQUIRE_ARRAY ] { 16777216 }
Constant [ integer FILTER_FORCE_ARRAY ] { 67108864 }
Constant [ integer FILTER_NULL_ON_FAILURE ] { 134217728 }
Constant [ integer FILTER_VALIDATE_INT ] { 257 }
Constant [ integer FILTER_VALIDATE_BOOLEAN ] { 258 }
Constant [ integer FILTER_VALIDATE_FLOAT ] { 259 }
Constant [ integer FILTER_VALIDATE_REGEXP ] { 272 }
Constant [ integer FILTER_VALIDATE_URL ] { 273 }
Constant [ integer FILTER_VALIDATE_EMAIL ] { 274 }
Constant [ integer FILTER_VALIDATE_IP ] { 275 }
Constant [ integer FILTER_DEFAULT ] { 516 }
Constant [ integer FILTER_UNSAFE_RAW ] { 516 }
Constant [ integer FILTER_SANITIZE_STRING ] { 513 }
Constant [ integer FILTER_SANITIZE_STRIPPED ] { 513 }
Constant [ integer FILTER_SANITIZE_ENCODED ] { 514 }
Constant [ integer FILTER_SANITIZE_SPECIAL_CHARS ] { 515 }
Constant [ integer FILTER_SANITIZE_EMAIL ] { 517 }
Constant [ integer FILTER_SANITIZE_URL ] { 518 }
Constant [ integer FILTER_SANITIZE_NUMBER_INT ] { 519 }
Constant [ integer FILTER_SANITIZE_NUMBER_FLOAT ] { 520 }
Constant [ integer FILTER_SANITIZE_MAGIC_QUOTES ] { 521 }
Constant [ integer FILTER_CALLBACK ] { 1024 }
Constant [ integer FILTER_FLAG_ALLOW_OCTAL ] { 1 }
Constant [ integer FILTER_FLAG_ALLOW_HEX ] { 2 }
Constant [ integer FILTER_FLAG_STRIP_LOW ] { 4 }
Constant [ integer FILTER_FLAG_STRIP_HIGH ] { 8 }
Constant [ integer FILTER_FLAG_ENCODE_LOW ] { 16 }
Constant [ integer FILTER_FLAG_ENCODE_HIGH ] { 32 }
Constant [ integer FILTER_FLAG_ENCODE_AMP ] { 64 }
Constant [ integer FILTER_FLAG_NO_ENCODE_QUOTES ] { 128 }
Constant [ integer FILTER_FLAG_EMPTY_STRING_NULL ] { 256 }
Constant [ integer FILTER_FLAG_ALLOW_FRACTION ] { 4096 }
Constant [ integer FILTER_FLAG_ALLOW_THOUSAND ] { 8192 }
Constant [ integer FILTER_FLAG_ALLOW_SCIENTIFIC ] { 16384 }
Constant [ integer FILTER_FLAG_SCHEME_REQUIRED ] { 65536 }
Constant [ integer FILTER_FLAG_HOST_REQUIRED ] { 131072 }
Constant [ integer FILTER_FLAG_PATH_REQUIRED ] { 262144 }
Constant [ integer FILTER_FLAG_QUERY_REQUIRED ] { 524288 }
Constant [ integer FILTER_FLAG_IPV4 ] { 1048576 }
Constant [ integer FILTER_FLAG_IPV6 ] { 2097152 }
Constant [ integer FILTER_FLAG_NO_RES_RANGE ] { 4194304 }
Constant [ integer FILTER_FLAG_NO_PRIV_RANGE ] { 8388608 }
}

- Functions {
Function [ <internal> public function filter_input ] {
}

Function [ <internal> public function filter_var ] {
}
Function [ <internal> public function filter_input_array ] {
}
Function [ <internal> public function filter_var_array ] {
}
Function [ <internal> public function filter_list ] {
}
Function [ <internal> public function filter_has_var ] {
}
Function [ <internal> public function filter_id ] {
}

}
}

If you would like more information .. tell me :)

Good day and good patch-ing ;)

S9Y is a perfect blog/cms engine !
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

Ah, okay. So it seems on your system a different default is used.

To me it seems the best solution would be to not use the SESSION routines for now, right?

I'm sorry for my lack of knowledge in this area, but I'm really happy you're here to work it out with us :)

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
ret2
Regular
Posts: 11
Joined: Thu Feb 15, 2007 3:55 pm

Post by ret2 »

> To me it seems the best solution would be to not use the SESSION routines for now, right?

Yes, for the moment. If the PHP team releases a new PHP version with support for INPUT_SESSION, just use version_compare(), only for PHP5 (I have not tested PHP6) :)

> I'm sorry for my lack of knowledge in this area

I did not know either; for me the $_SESSION vars are secure, no need to filter.

I notice that s9y version 1.0 (June 15th, 2006) is affected by this bug, maybe earlier versions are affected.
For users of Mandriva 2007 (for example) the current version doesn't work correctly.

If I find any new bugs I will inform you.
ret2
Regular
Posts: 11
Joined: Thu Feb 15, 2007 3:55 pm

Post by ret2 »

Hello,

Partially fixed, same problem with latest version.

Please comment out this line : $_SESSION[$key] = input_get(INPUT_SESSION, $key, FILTER_UNSAFE_RAW);

$ diff compat.inc.php.orig compat.inc.php
117a118,120
>
> // NOT YET IMPLEMENTED IN PHP:
> /*
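Review bot: the comment added at new line 119, `// NOT YET IMPLEMENTED IN PHP:`, does not say what is unimplemented or why the block must stay disabled. Name INPUT_SESSION and the symptom found earlier in the thread (the call returns false, so the loop overwrites every $_SESSION value and the admin is sent back to the login form), so the block is not re-enabled by mistake.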
120a124
> */
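Review bot: the `*/` added at new line 124 leaves the three original lines between it and the `/*` in the file as commented-out code. Consider deleting the loop, or replacing it with an assignment that only happens when the filter call returns something other than false, instead of keeping dead code that waits on a future PHP release.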
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

Thanks for letting me know, committed to svn.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
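The guard this thread arrives at, as an added example (not Serendipity's code and not code from the posts): it re-reads GET/POST/COOKIE with the filter_input() name shown in the PHP 5.2.1 dump above, leaves $_SESSION alone, and never overwrites a value with a false/NULL result. The example_* function names and the demo session array are assumptions constructed for illustration.

```php
<?php
// Added example; function names are hypothetical, not Serendipity's own.

/**
 * Overlay raw values onto $current, keeping the existing value whenever the
 * reader reports failure (false) or absence (null).
 */
function example_merge_raw(array $current, callable $read): array
{
    foreach ($current as $key => $value) {
        $raw = $read((string) $key, $value);
        if ($raw !== false && $raw !== null) {
            $current[$key] = $raw;
        }
    }
    return $current;
}

/** Re-read GET/POST/COOKIE unfiltered; $_SESSION is deliberately not touched. */
function example_restore_request_input(): void
{
    if (filter_id((string) ini_get('filter.default')) === FILTER_UNSAFE_RAW) {
        return; // default filter already leaves input untouched
    }
    $reader = function (int $source): callable {
        return function (string $key, $old) use ($source) {
            // Array parameters such as serendipity[adminModule] need the array flag.
            $flags = is_array($old) ? FILTER_REQUIRE_ARRAY : 0;
            return filter_input($source, $key, FILTER_UNSAFE_RAW, $flags);
        };
    };
    $_GET    = example_merge_raw($_GET, $reader(INPUT_GET));
    $_POST   = example_merge_raw($_POST, $reader(INPUT_POST));
    $_COOKIE = example_merge_raw($_COOKIE, $reader(INPUT_COOKIE));
}

// Constructed demo: a reader that always fails, as INPUT_SESSION does in the thread.
$session = ['serendipityAuthedUser' => true, 'serendipityUser' => 'root'];
$alwaysFails = function (string $key, $old) { return false; };

$unguarded = [];
foreach ($session as $key => $value) {
    $unguarded[$key] = $alwaysFails($key, $value); // pattern of the original loop
}
$guarded = example_merge_raw($session, $alwaysFails);

var_dump($unguarded['serendipityAuthedUser']); // login flag after the original loop
var_dump($guarded['serendipityAuthedUser']);   // login flag with the guard
```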