[pmwiki-users] Fourth Post--ZAP bugs
Crisses
crisses at kinhost.org
Fri Oct 27 06:17:38 CDT 2006
On Oct 26, 2006, at 5:23 PM, The Editor wrote:
> Hi List,
>
> I am about ready to pull my hair out. This bug has got to be staring
> me in the face.
>
> When the post is submitted, the very first thing ZAP does after
> authenticating the form and setting a few variables, is clean the post
> from potentially harmful stuff. I use these lines:
>
> foreach ($_POST as $field => $value) {
>     if (get_magic_quotes_gpc()) $_POST[$field] = stripslashes($value);
>     $_POST[$field] = preg_replace('/\\(:/', '(:', $value);
>     $_POST[$field] = preg_replace('/\\{(\\w+)\\}/e', "\$_POST[$1]", $value);
>     if (is_array($value)) $_POST[$field] = implode(",", $value);
> }
>
Oh no!
You're changing $_POST[$field] several times and OVERWRITING it with
something completely new. This isn't a chain of events happening to
$value. This is "Place A in the bucket. Dump the bucket out and
place B in the bucket. Dump the bucket out and place C in the bucket."
You see, when you read $value from $_POST, $value becomes its own
copy. Changing $_POST[$field] = "X"; will not change $value to "X".
$value stays the same through the whole chain, because you're not
explicitly changing $value.
Try this:
foreach ($_POST as $field => $value) {
    if (get_magic_quotes_gpc()) $value = stripslashes($value);
    $value = preg_replace('/\\(:/', '(:', $value);
    $value = preg_replace('/\\{(\\w+)\\}/e', "\$_POST[$1]", $value);
    if (is_array($value)) $value = implode(",", $value);
    $_POST[$field] = $value;  // write the fully cleaned value back once
}
I'm not exactly sure what line
$value = preg_replace('/\\{(\\w+)\\}/e', "\$_POST[$1]", $value);
is doing with the "\$_POST[$1]" value -- you may want to change that
too? It's too early for me to really parse the code, sorry. But
it's one line I think you said worked....
Crisses
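As an added illustration (not code from this thread or from ZAP itself), here is the corrected loop with the /e replacement swapped for preg_replace_callback: the /e modifier makes preg_replace eval the replacement string as PHP (deprecated in PHP 5.5, removed in 7.0), and a callback gives the same {field} substitution without evaluating request data. The function names zap_clean_value and zap_clean_post and the sample request are assumptions for the example.

```php
<?php
// Added example, not code from the original thread or from ZAP.
// Keeps Crisses' structure (each step feeds $value, one write-back at the
// end) but replaces the /e (eval) substitution with preg_replace_callback.
// Arrays are flattened first, since stripslashes()/preg_replace() want strings.

function zap_clean_value($value, array $source) {
    if (is_array($value)) $value = implode(",", $value);
    // get_magic_quotes_gpc() no longer exists in PHP 8; guard the call.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        $value = stripslashes($value);
    // The '(:' rewrite from the thread, carried over unchanged.
    $value = preg_replace('/\\(:/', '(:', $value);
    // {field} -> value of $source['field'], with no eval involved.
    $value = preg_replace_callback('/\\{(\\w+)\\}/', function ($m) use ($source) {
        $v = isset($source[$m[1]]) ? $source[$m[1]] : '';
        return is_array($v) ? implode(",", $v) : (string) $v;
    }, $value);
    return $value;
}

function zap_clean_post(array $post) {
    foreach ($post as $field => $value) {
        // Only the fully cleaned value goes back into the array.
        $post[$field] = zap_clean_value($value, $post);
    }
    return $post;
}

// Constructed sample request, standing in for a real $_POST.
$sample = array(
    'name' => 'World',
    'tags' => array('wiki', 'zap'),
    'text' => 'Hello {name}, tags: {tags}, missing: {nope}',
);
print_r(zap_clean_post($sample));
```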