voided (Author) Posted December 18, 2003

Forgot to mention this: I only seem to get it in the admin section... nowhere else. Weird.

Designrfix.com | Graphic Design Inspiration & Web Design Resources - @designrfix
Harald Ponce de Leon Posted December 18, 2003

> I am using milestone 2. The contributions installed are header tags, paypalipn, allprods, echo. However I am not using paypalipn and echo. Do you think that since some contributions require a change in the html_output.php something else should be changed? Thank you for checking this out.

I cannot reproduce the problem on MS1, MS2, nor on MS3-CVS, and will have to say that unless others confirm the problem, it is probably a contribution you have installed that needs to be updated.

You might want to apply the redirection update - as one has only been provided for MS3-CVS, I will soon post solutions for MS1 and MS2.

Harald Ponce de Leon, osCommerce
Harald Ponce de Leon Posted December 18, 2003

> I didn't have the tep_output_string().. so I had to put it in... but the 2 other files session.php and session_compatible.php aren't compatible on this one.

MS1 does not contain the tep_output_string() function, which was introduced in MS2. For MS1 installations, htmlentities() can be used instead of tep_output_string(). However, and again, MS1 will remain in the risk zone as user input parsing was implemented in MS2.

The session.php and session_compatible.php classes were recently introduced in CVS and will be appearing in MS3. The updates made to these classes to redirect the user when a malformed session ID is in use will soon be posted for MS1 and MS2.

Harald Ponce de Leon, osCommerce
Harald Ponce de Leon Posted December 18, 2003

> forgot to mention this: I only seem to get it in the admin section... nowhere else

The updates presented are only for the Catalog frontend - if you don't trust your administrators using the Administration Tool, you have other problems to worry about :ph34r:

Harald Ponce de Leon, osCommerce
Harald Ponce de Leon Posted December 18, 2003

Here is the tep_session_start() function replacement for MS1 and MS2 installations, that will redirect the user to the index page when a malformed session ID is in use. The function is defined in includes/functions/sessions.php.

From:

```php
function tep_session_start() {
  return session_start();
}
```

To:

```php
function tep_session_start() {
  global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;

  $sane_session_id = true;

  // Only the first source that carries a session ID is checked: GET, then POST, then COOKIE.
  if (isset($HTTP_GET_VARS[tep_session_name()])) {
    if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_GET_VARS[tep_session_name()]) == false) {
      unset($HTTP_GET_VARS[tep_session_name()]);
      $sane_session_id = false;
    }
  } elseif (isset($HTTP_POST_VARS[tep_session_name()])) {
    if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_POST_VARS[tep_session_name()]) == false) {
      unset($HTTP_POST_VARS[tep_session_name()]);
      $sane_session_id = false;
    }
  } elseif (isset($HTTP_COOKIE_VARS[tep_session_name()])) {
    if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_COOKIE_VARS[tep_session_name()]) == false) {
      unset($HTTP_COOKIE_VARS[tep_session_name()]);
      $sane_session_id = false;
    }
  }

  if ($sane_session_id == false) {
    // Malformed session ID: send the visitor to the index page instead of starting the session.
    header('Location: ' . HTTP_SERVER . DIR_WS_CATALOG . FILENAME_DEFAULT);
  } else {
    session_start();
  }
}
```

MS2 installations should replace the header() line above to use osCommerce functions:

From:

```php
header('Location: ' . HTTP_SERVER . DIR_WS_CATALOG . FILENAME_DEFAULT);
```

To:

```php
tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));
```

MS1 could also use the tep_redirect() and tep_href_link() combination; however, the files with these functions defined are included later in application_top.php and cannot be used earlier when the tep_session_start() function is called.

Harald Ponce de Leon, osCommerce
voided (Author) Posted December 18, 2003

:wub: that's all I wanted to say

Designrfix.com | Graphic Design Inspiration & Web Design Resources - @designrfix
Guest Posted December 22, 2003

I seem to get the htmlspecialchars error when PWA 6d is installed, as I installed a fresh installation then put the PWA in. So, it crashes when payment is made, when no account is used, when an account is used and authorize.net is chosen; then it goes to https://secure.authorize.net/gateway/transact.dll and drops back to the PWA screen of login, create account or continue purchasing without creating account. If you want a test site where I have this, I can give it to you.
caconline Posted December 30, 2003

I used the fix for MS2, and the "PHP Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9" errors stopped; however now it's:

PHP Warning: session_register(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9

Is it okay to leave this as is?

Note: I haven't actually seen the session_start or session_register errors on my site, but they are logged in my CPanel error log. They worry me.
cgchris99 Posted December 30, 2003

caconline, I see the same warning messages that you see. I am running MS1 and don't know whether to be worried or not. Not sure how to even fix the problem on MS1.

Any other comments from the development team?
homewetbar Posted March 8, 2005

So to clarify the fix for the most recent version of osCommerce 2.2, we should do both of the following fixes, or am I confused?

> Here is the tep_session_start() function replacement for MS1 and MS2 installations, that will redirect the user to the index page when a malformed session ID is in use. The function is defined in includes/functions/sessions.php.
>
> From:
>
> ```php
> function tep_session_start() {
>   return session_start();
> }
> ```
>
> To:
>
> ```php
> function tep_session_start() {
>   global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;
>
>   $sane_session_id = true;
>
>   if (isset($HTTP_GET_VARS[tep_session_name()])) {
>     if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_GET_VARS[tep_session_name()]) == false) {
>       unset($HTTP_GET_VARS[tep_session_name()]);
>       $sane_session_id = false;
>     }
>   } elseif (isset($HTTP_POST_VARS[tep_session_name()])) {
>     if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_POST_VARS[tep_session_name()]) == false) {
>       unset($HTTP_POST_VARS[tep_session_name()]);
>       $sane_session_id = false;
>     }
>   } elseif (isset($HTTP_COOKIE_VARS[tep_session_name()])) {
>     if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_COOKIE_VARS[tep_session_name()]) == false) {
>       unset($HTTP_COOKIE_VARS[tep_session_name()]);
>       $sane_session_id = false;
>     }
>   }
>
>   if ($sane_session_id == false) {
>     header('Location: ' . HTTP_SERVER . DIR_WS_CATALOG . FILENAME_DEFAULT);
>   } else {
>     session_start();
>   }
> }
> ```
>
> MS2 installations should replace the header() line above to use osCommerce functions:
>
> From:
>
> ```php
> header('Location: ' . HTTP_SERVER . DIR_WS_CATALOG . FILENAME_DEFAULT);
> ```
>
> To:
>
> ```php
> tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));
> ```
>
> MS1 could also use the tep_redirect() and tep_href_link() combination, however the files with these functions defined are included later in application_top.php and cannot be used earlier when the tep_session_start() function is called.

AND

> To fix the issue, the $_sid parameter needs to be wrapped around tep_output_string() in the tep_href_link() function defined in includes/functions/html_output.php.
>
> Before:
>
> ```php
> if (isset($_sid)) {
>   $link .= $separator . $_sid;
> }
> ```
>
> After:
>
> ```php
> if (isset($_sid)) {
>   $link .= $separator . tep_output_string($_sid);
> }
> ```

OR SHOULD MY html_output.php be the following:

```php
} elseif (isset($_sid)) {
  $link .= $separator . tep_output_string($_sid);
  $seo_link .= $separator . tep_output_string($_sid);
  $seo_rewrite_link .= $separator . tep_output_string($_sid);
}
```

Most Valuable OsCommerce Contributions:
Also Purchased (AP) Preselection (cuts this resource hogging query down to nothing) -- Contribution 3294
FedEx Automated Labels -- Contribution 2244
RMA Returns system -- Contribution 1136
Sort Products By Dropdown -- Contribution 4312
Ultimate SEO URLs -- Contribution 2823
Credit Class & Gift Voucher -- Contribution 282
Cross-Sell -- Contribution 5347
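The two fixes discussed in this thread (the tep_session_start() replacement posted above and the tep_output_string() wrapping of $_sid in tep_href_link()) modelled as a stand-alone script. This is an added example, not osCommerce code: SESSION_NAME, is_sane_session_id(), pick_session_id() and href_with_sid() are assumed names, and htmlspecialchars() stands in for tep_output_string() as the thread suggests for MS1.

```php
<?php
// Added example, not osCommerce code. Models the thread's two fixes:
// 1) accept a session ID only if it matches [a-zA-Z0-9]+, checking GET, then POST,
//    then COOKIE, and (as in the posted elseif chain) only the first source present;
// 2) HTML-escape the sid before it is appended to a link, so a rejected or
//    malformed id can never land raw inside an href.
// Assumed names: SESSION_NAME, is_sane_session_id(), pick_session_id(), href_with_sid().

const SESSION_NAME = 'osCsid';   // assumed session name, as used by osCommerce 2.2

/** Same rule as the posted patch: only [a-zA-Z0-9]+ is a sane session ID. */
function is_sane_session_id(string $id): bool
{
    return preg_match('/^[a-zA-Z0-9]+$/', $id) === 1;
}

/**
 * Mirrors the posted elseif chain. Returns
 * ['id' => string|null, 'sane' => bool, 'source' => string|null];
 * 'sane' => false is the case where the patched function redirects to FILENAME_DEFAULT.
 */
function pick_session_id(array $get, array $post, array $cookie): array
{
    foreach (['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie] as $source => $vars) {
        if (isset($vars[SESSION_NAME])) {
            $id = (string) $vars[SESSION_NAME];
            return ['id' => $id, 'sane' => is_sane_session_id($id), 'source' => $source];
        }
    }
    return ['id' => null, 'sane' => true, 'source' => null];   // no id at all: fresh session
}

/** Appends the sid to a link only after escaping it, as the html_output.php fix does. */
function href_with_sid(string $link, ?string $sid): string
{
    if ($sid === null) {
        return $link;
    }
    $separator = strpos($link, '?') === false ? '?' : '&';
    return $link . $separator . SESSION_NAME . '=' . htmlspecialchars($sid, ENT_QUOTES);
}

// Constructed inputs: a well-formed id in GET, and a cookie id carrying characters the regex rejects.
$good = pick_session_id(['osCsid' => 'a1b2c3d4e5f6'], [], []);
$bad  = pick_session_id([], [], ['osCsid' => 'abc"><x>']);
var_dump($good['sane'], $bad['sane']);
echo href_with_sid('index.php', $good['id']), "\n";
echo href_with_sid('index.php', 'abc"><x>'), "\n";   // quotes and brackets come out entity-encoded
```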