
Author Topic: Question  (Read 5558 times)


cmfa

Question
« on: February 15, 2011, 01:17:41 pm »

Hi,

I would like to port just an another plugin from 1.4. The following is found here.

Code: [Select]
if (count($_POST) > 0)
What do here in
Code: [Select]
$superCage->post->   
or something else??

VG
CMFA


Αndré

Re: Question
« Reply #1 on: February 15, 2011, 02:51:25 pm »

It's not possible to translate that statement in the 'clean' way, but only in the way that circumvents Inspekt's security mechanisms. Try if it works when you replace
Code: [Select]
if (count($_POST) > 0)
with
Code: [Select]
if (count($superCage->post->_source) > 0)

A much better way would be to check if a specific post value has been submitted.

Phill Luckhurst

Re: Question
« Reply #2 on: February 15, 2011, 03:21:27 pm »

CMFA,

Could you use more meaningful titles for your threads? Simple titles like "Question" make it a lot harder for us. Thanks and keep up the good work.
It is a mistake to think you can solve any major problems just with potatoes.

cmfa

Re: Question
« Reply #3 on: February 15, 2011, 03:29:50 pm »

Hi,

I will make, excuse ;)

VG

CMFA

cmfa

Question for porting
« Reply #4 on: February 15, 2011, 05:30:11 pm »

Hi

Andre:
how it should look like then? An excerpt of the code at issue, see below.
It is plug-in "PMS" by Stramm
I miss somehow still in my gallery.

Code: [Select]
if (count($superCage->post->_source) > 0) {
    if (isset($_POST['update_config'])) {


        // Code to rename system thumbs in images folder
        $old_thumb_pfx =& $CONFIG['thumb_pfx'];

        foreach($lang_pms_admin_data as $element) {
            if ((is_array($element))) {
                if (!isset($_POST[$element[1]])) /*cpg_die(CRITICAL_ERROR, "Missing admin value for '{$element[1]}'", __FILE__, __LINE__);*/ continue;
                $value = addslashes($_POST[$element[1]]);
                if ($CONFIG[$element[1]] !== stripslashes($value))
                     {
                        cpg_db_query("UPDATE {$CONFIG['TABLE_CONFIG']} SET value = '$value' WHERE name = '{$element[1]}'");
                         if ($CONFIG['log_mode'] == CPG_LOG_ALL) {
                                log_write('CONFIG UPDATE SQL: '.
                                          "UPDATE {$CONFIG['TABLE_CONFIG']} SET value = '$value' WHERE name = '{$element[1]}'\n".
                                          'TIME: '.date("F j, Y, g:i a")."\n".
                                          'USER: '.$USER_DATA['user_name'],
                                          CPG_DATABASE_LOG
                                          );
                        }
                }
            }
        }
        pageheader($lang_admin_php['title']);
        msg_box($lang_admin_php['info'], $lang_admin_php['upd_success'], $lang_continue, 'index.php');

    }
    pagefooter();
    exit;
}
Any change I make breaks the subject, so that only see the debugger.

CMFA

Αndré

Re: Question
« Reply #5 on: February 15, 2011, 06:15:35 pm »

Please always post the whole plugin as a zip file if you have such specific questions. There are still some occurrences of $_POST that need to be replaced.

cmfa

Re: Question
« Reply #6 on: February 15, 2011, 06:49:11 pm »

hi
Attached is the zip file, it is still rudimentary in the porting

CMFA

Αndré

Re: Question
« Reply #7 on: February 15, 2011, 09:26:15 pm »

There are still some occurrences of $_POST that need to be replaced.

I won't have a look at the plugin until I know what exactly doesn't work.

cmfa

Re: Question
« Reply #8 on: February 15, 2011, 09:39:10 pm »

Hi,
recorded in the above code, I have replaced $_POST in eg $superCage->post-> and then save the changes when
the form is all gone (only debugger is there). Here it seems to pinch something.

CMFA

Code: [Select]
if (count($superCage->post->_source) > 0) {
    if (isset($_POST['update_config'])) {


        // Code to rename system thumbs in images folder
        $old_thumb_pfx =& $CONFIG['thumb_pfx'];

        foreach($lang_pms_admin_data as $element) {
            if ((is_array($element))) {
                if (!isset($_POST[$element[1]])) /*cpg_die(CRITICAL_ERROR, "Missing admin value for '{$element[1]}'", __FILE__, __LINE__);*/ continue;
                $value = addslashes($_POST[$element[1]]);
                if ($CONFIG[$element[1]] !== stripslashes($value))
                     {
                        cpg_db_query("UPDATE {$CONFIG['TABLE_CONFIG']} SET value = '$value' WHERE name = '{$element[1]}'");
                         if ($CONFIG['log_mode'] == CPG_LOG_ALL) {
                                log_write('CONFIG UPDATE SQL: '.
                                          "UPDATE {$CONFIG['TABLE_CONFIG']} SET value = '$value' WHERE name = '{$element[1]}'\n".
                                          'TIME: '.date("F j, Y, g:i a")."\n".
                                          'USER: '.$USER_DATA['user_name'],
                                          CPG_DATABASE_LOG
                                          );
                        }
                }
            }
        }
        pageheader($lang_admin_php['title']);
        msg_box($lang_admin_php['info'], $lang_admin_php['upd_success'], $lang_continue, 'index.php');

    }
    pagefooter();
    exit;
}

Αndré

Re: Question
« Reply #9 on: February 15, 2011, 09:54:59 pm »

I still don't know what happens when. Keep in mind that we (may) don't know the plugin you're trying to port. I personally never used that plugin, so I don't know what you can do. That's why I need a description how I can reproduce the error on my testbed.

cmfa

Re: Question
« Reply #10 on: February 16, 2011, 07:06:55 am »

Hi,
in this piece of code I $_POST exchanged. Save the form read easily. Make changes in the form and gone on save. Then only the debugger was without any reference to the index page and on the subject.

I still don't know what here exactly
Code: [Select]
if (isset($_POST['update_config'])) { or here

 if (!isset($_POST[$element[1]])) or here

 $value = addslashes($_POST[$element[1]]);
must be exchanged.

like to use my test system where it is installed. I make you an admin access a.

CMFA

Αndré

Re: Question
« Reply #11 on: February 16, 2011, 10:14:14 am »

Code: [Select]
isset($_POST
can be replaced by
Code: [Select]
->post->keyExists
Code: [Select]
addslashes($_POST
can be replaced by
Code: [Select]
->post->getEscaped
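An added example, not part of the original thread or the plugin's code: the fragment from reply #4 with the replacements from reply #11 applied, and the outer test narrowed to the specific `update_config` field as reply #1 recommends. `StubCage`, `pms_config_updates()`, the field names and the table name are hypothetical; inside Coppermine the cage would be `$superCage->post`, and the stub's `getEscaped()` uses `addslashes()` only to mirror the mapping given in the thread.

```php
<?php
// Stand-in for the Inspekt POST cage so the example runs outside Coppermine.
// Assumption: only the two methods named in the thread are modelled.
class StubCage {
    private $data;
    public function __construct(array $data) { $this->data = $data; }
    public function keyExists($key) { return array_key_exists($key, $this->data); }
    // addslashes() mirrors the thread's mapping; the real method's internals
    // are not shown on the page.
    public function getEscaped($key) {
        return $this->keyExists($key) ? addslashes($this->data[$key]) : false;
    }
}

// Returns the UPDATE statements the ported block would issue.
function pms_config_updates($post, array $fields, array $config, $table) {
    $queries = array();
    // Test for the specific submit field instead of counting all POST data,
    // so no access to the cage's internal _source array is needed.
    if (!$post->keyExists('update_config')) {
        return $queries;
    }
    foreach ($fields as $element) {
        if (!is_array($element)) continue;
        $name = $element[1]; // comes from the server-side field list, not from POST
        // was: if (!isset($_POST[$element[1]])) continue;
        if (!$post->keyExists($name)) continue;
        // was: $value = addslashes($_POST[$element[1]]);
        $value = $post->getEscaped($name);
        if ($config[$name] !== stripslashes($value)) {
            $queries[] = "UPDATE {$table} SET value = '$value' WHERE name = '{$name}'";
        }
    }
    return $queries;
}

// Constructed sample input (not taken from the plugin).
$post   = new StubCage(array('update_config' => '1', 'pms_title' => "Bob's inbox", 'ignored' => 'x'));
$fields = array('Section heading', array('Title', 'pms_title'), array('Limit', 'pms_limit'));
$config = array('pms_title' => 'Inbox', 'pms_limit' => '50');

foreach (pms_config_updates($post, $fields, $config, 'cpg15x_config') as $sql) {
    echo $sql, "\n";
}
```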

cmfa

Re: Question
« Reply #12 on: February 16, 2011, 04:54:49 pm »

Hi,
   
There is one small change lacked yet. Still _source had must install. The initial configuration can be changed using the form. However, this change via the called form can be undone. But the same code is called.

CMFA