phpgroupware-developers

Re: [Phpgroupware-developers] Testing CK-Ledger v.0.7.1 against phpgroup


From: C K Wu
Subject: Re: [Phpgroupware-developers] Testing CK-Ledger v.0.7.1 against phpgroupware-0.9.16.RC1
Date: Wed, 17 Sep 2003 12:39:06 +0800 (CST)

Hello, Dave,

I think I've found what's going on.

With 0.9.14.006,

../phpgwapi/inc/class.sessions_php4.inc.php (line 951)
and ../phpgwapi/inc/class.sessions_db.inc.php (line 977) read,

$new_extravars .= "$key=$value" ;

With 0.9.16RC1,

../phpgwapi/inc/class.sessions.inc.php (line 1194)
reads,

$new_extravars .= $key.'='.urlencode($value) ;

So, apparently, with earlier versions, it is the
application script's responsibility to url_encode GET
variables before sending it on.  However, with
0.9.16RC1, the sessions facility handles the
url_encode-ing when it receives the GET variables from
the application script.

With CK-Ledger v.0.7.1 running against phpgw
0.9.16RC1, it means double url_encoding and therefore
the callee scripts need to url_decode the GET variable
one more time to recover the correct value.

I think this will break a lot of the add-on module
code.  However, if the GET variable passed contains
pure alphanumeric chars, no error will be detected,
since urlencode/urldecode in these cases do not alter
the GET variables.  So, there may be quite a fair bit
of spurious 0.9.16RC1 errors being the result of the
above.

Cheers,
CK



Dave Hall:

>CK Wu <address@hidden> wrote:
>
>>Hello, folks,
>>
>>While testing CK-Ledger v.0.7.1 against
>>phpgroupware-0.9.16.RC1,
>>I came across the following,
>>
>>When calling,
>>
>>
>>http://localhost/.../loglist.php?filter=%2BWHERE%2B1%253D1%2B&sessionid=...&kp3=...&domain=default&click_history=...
>
>Is this
>http://localhost/phpgroupware/loglist.php?filter=%2BWHERE%2B1%253D1%2B&...
>
>or
>
>http://localhost/ck-ledger/loglist.php?filter=%2BWHERE%2B1%253D1%2B&...
>
>Looking at that code ... there are several problems
>...
>
>firstly the $_POST/$_GET hack won't work with
>register_globals = off
>
>Also phpgroupware has never processed the external
>variables, I think it is a PHP problem.  IIRC php will
>url_decode all $_GET vars for you.
>
>Bit more info about where this code is will probably
>help us track this down.
>
>Cheers
>
>Dave
>


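To make the two encoding layers CK describes concrete, here is an added example; it is not code from phpGroupWare or CK-Ledger. It builds the `filter` query string both ways (application-side `urlencode()` only, as in 0.9.14, versus application-side plus session-class `urlencode()`, as in 0.9.16RC1), then decodes each with PHP's `parse_str()`, which applies the same single `urldecode()` pass PHP uses to populate `$_GET` (the behaviour Dave refers to). The sample value `' WHERE 1=1 '` is constructed so that the double-encoded form reproduces the `%2BWHERE%2B1%253D1%2B` seen in the thread; `looks_double_encoded()` is a hypothetical helper name chosen for this example.

```php
<?php
// Added example: reproduces the single vs. double URL-encoding described in
// the thread with PHP's own functions. Not phpGroupWare or CK-Ledger code.

// Raw value the application wants to pass (constructed for this example).
$value = ' WHERE 1=1 ';

// 0.9.14.006: the application urlencode()s, and the session class appends
// "$key=$value" unchanged.
$link_0914 = 'filter=' . urlencode($value);

// 0.9.16RC1: the application still urlencode()s, then class.sessions.inc.php
// does $key.'='.urlencode($value) on top of it, so the value is encoded twice.
$link_0916 = 'filter=' . urlencode(urlencode($value));

// parse_str() decodes a query string exactly once, the way PHP fills $_GET.
parse_str($link_0914, $get_0914);
parse_str($link_0916, $get_0916);

echo "0.9.14 query string      : $link_0914\n";
echo "0.9.14 \$_GET['filter']   : {$get_0914['filter']}\n";
echo "0.9.16 query string      : $link_0916\n";
echo "0.9.16 \$_GET['filter']   : {$get_0916['filter']}\n";
// The callee has to urldecode() once more to get the original value back.
echo "0.9.16 after urldecode() : " . urldecode($get_0916['filter']) . "\n";

// Why purely alphanumeric values hide the bug: urlencode() leaves them unchanged,
// so encoding twice and decoding once still yields the original string.
$plain = 'abc123';
var_dump(urlencode(urlencode($plain)) === $plain);

// Defender-side check for a raw query-string value (e.g. from an access log):
// if one urldecode() pass changes the string and the result still contains
// percent-escapes, the value was most likely encoded more than once.
function looks_double_encoded(string $raw): bool
{
    $once = urldecode($raw);
    return $once !== $raw && (bool) preg_match('/%[0-9A-Fa-f]{2}/', $once);
}

var_dump(looks_double_encoded('%2BWHERE%2B1%253D1%2B')); // the 0.9.16RC1 form
var_dump(looks_double_encoded('+WHERE+1%3D1+'));         // the 0.9.14 form
```

Run it with the PHP CLI (`php example.php`). The 0.9.14 query string comes out as `filter=+WHERE+1%3D1+` and decodes straight back to the original; the 0.9.16RC1 string is `filter=%2BWHERE%2B1%253D1%2B`, matching the URL quoted in the thread, and `$_GET['filter']` still holds the once-encoded `+WHERE+1%3D1+` until the callee decodes it again. One caveat on the heuristic: a legitimately single-encoded value that contains a literal percent sign followed by two hex digits (for example a `100%25` price that was encoded as `100%2525`) also satisfies it, so treat a hit as a prompt to inspect the producing code, not as proof on its own.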



