FWR Media, Posted March 4, 2008 (Author)

Tougher security.php

A new catalog/includes/functions/security.php has been added to contributions. The changes are minimal, but it makes a big difference.

Changes:
- % character removed
- $get_var is urldecoded before the preg_replace strips bad characters.

No changes are required of the contribution; just directly replace catalog/includes/functions/security.php.

Please note: Unlike other contributions, this one will break more things the better it gets. Odd sounding I know, but it is the case. Now that this is urldecoding and is missing the % character, a lot more scripts, payment modules etc. will fail .. this is a GOOD thing. By all means exclude your broken payment module from cleansing by Security Pro .. however, I wouldn't advise doing the same for a less important contribution .. why not see where it's stopped by this script and change it so that it doesn't use bad characters in the querystring.

Most important: Test your important systems fully after adding this .. especially payment/shipping etc.

As usual I need feedback. Thanks to perfectpassion for continuing to help me test this alongside his PROTX payment module (which I use myself, by the way).

Please try to think along the following lines:

If Security Pro breaks a feature/function:
1) Try to remove the need for the feature to use bad characters. (Stay here as long as you can.)
2) Exclude the file from cleansing only if you really have to. (Should be critical operations only, like payment, where you have no control over the incoming querystring.)
3) NEVER alter the preg_replace or other functions in security.php unless improving it (making it tougher).

Note: With this contribution the usual "Yaaay I got it to work by removing XXX from security.php" = you broke your security!
Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers (a KISS contribution)
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
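An added illustration (not the contribution's own security.php) of why the post's two changes matter together: the value is urldecoded before the whitelist runs, and % is not in the whitelist. The regex, the helper names and the sample querystring values are assumptions, since the post does not quote the actual code.

```php
<?php
// Cleanse one querystring value the way the post describes: decode first,
// then strip everything outside a whitelist that does not contain '%'.
// The whitelist below is an assumed example, not Security Pro's real regex.
function clean_get_var(string $get_var): string
{
    // Decode first, so an encoded disallowed character (e.g. %3C for '<')
    // cannot hide behind percent-encoding and slip past the whitelist.
    $decoded = urldecode($get_var);

    // '%' is deliberately absent from the whitelist: any percent sign still
    // present after one round of decoding (a double-encoded value such as
    // %253C -> %3C) is stripped as well instead of being decoded later.
    return preg_replace('/[^a-zA-Z0-9_\-\.\/=&]/', '', $decoded);
}

// Report which parameters the cleansing would alter. This is the check to
// run when a module "breaks" after installing the stricter file: it shows
// exactly which values carry bad characters, so the module can be fixed
// instead of being excluded from cleansing.
function find_altered_params(array $get): array
{
    $altered = [];
    foreach ($get as $key => $value) {
        if (!is_string($value)) {
            continue;
        }
        if (clean_get_var($value) !== $value) {
            $altered[] = $key;
        }
    }
    return $altered;
}

// Constructed sample values, as they would appear in the raw querystring
// before PHP's own decoding (assumption: the cleanser sees the raw form).
$sample = [
    'products_id' => '31',
    'cPath'       => '22_28',
    'sort'        => '2a',
    'keywords'    => '%3Cscript%3E', // encoded '<' and '>'
    'page'        => '%253C',        // double-encoded '<'
];

print_r(find_altered_params($sample));
```

The first three parameters survive unchanged; the last two are reported, which is the kind of output to log while deciding whether a module can stop using such characters.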