Oscommerce Security - Osc_Sec.php


541 replies to this topic

#81   popsel

popsel
  • Members
  • 23 posts
  • Real Name:Hans Lang
  • Gender:Male
  • Location:Germany

Posted 22 May 2011 - 11:40

> Nothing else filters the GET requests. The two other actions that happen are 1/ back in the osc.php the setlocale( LC_TIME, "en_NZ" ); is where setlocale determines the time, so unless that has been changed to the wrong settings it should not interfere with the output, and the other place is where $_REQUEST is reset as a merge of $_GET and $_POST vars. see: $_REQUEST = array_merge( $_GET, $_POST );
>
> The difficulty I am having in trying to debug this is that it tests correct on my test system here. And by the looks of the output it is reporting correctly. The only other thing is the way the browser may be converting the output itself. What is the charset set to in the html head of your page, and what is the charset set to in your browser?
>
> PS if you don't mind, can you PM me the URL to your website so I can see it for myself?


Ok, the site is using

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="LTR" lang="de">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">


and the browser is switching according to it (iso-8859-1).

Hmm...
I see this filtering is a problematic topic. I am just a PHP beginner but had this idea for a workaround:
What if we had a global flag to disable the filter once, until the string is sent.
At the place where a problematic string is sent, set the filter-disable flag just before sending the string, and the
filter re-activates itself after sending one string.
Here is my proposal, you are welcome to make it better or safer :rolleyes:
/*
   Inside the problematic function, just before the string is sent, add:
     $oscsec_filter_once_off = true;
   This disables the filter once. After the string is sent the filter is automatically switched on again.
*/

  /**
  * Clean up GET request vars
  * as well as multidimensional arrays
  */
  function scrubster( $nodes ) {
    global $oscsec_filter_once_off;  // Flag can be set in any function

    if (!$oscsec_filter_once_off)    // If $oscsec_filter_once_off is set to TRUE skip filtering one time
    {
        /*    For testing only
        unlink("scrubster.txt");                  // Erase old logfile first
        $file = fopen("scrubster.txt", "a+");     // Open debug file
        fwrite($file, 'in ='.print_r($nodes, true).chr(10));   // Write input to file (print_r also handles arrays)
        */

         if ( is_array( $nodes ) ) {
              foreach( $nodes as $key=>$value ) {
                    if ( is_array( $value ) ) {
                          $nodes[$key] = scrubster( $value );   // keep the cleaned sub-array
                    } else {
                          // clean the single value, not the whole array
                          $value = getCleaner( $value, TRUE );
                          $value = preg_replace("/[^ a-zA-Z0-9?,=@%:{}\/_.-]/i", "", urldecode( $value ) );
                          $nodes[$key] = getCleaner( $value, FALSE );
                    }
              }
         } else {
              $nodes = getCleaner( $nodes, TRUE );
              $nodes = preg_replace("/[^ a-zA-Z0-9?,=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
              $nodes = getCleaner( $nodes, FALSE );
        }
        /*    For testing only
        fwrite($file, 'out='.print_r($nodes, true).chr(10).chr(13));   // Write output to file and add a new line
        fclose($file);     // Close file
        */
     }
     $oscsec_filter_once_off = False;   // Now automatically enable filtering again for security
   return $nodes;
  }


Sorry, there is no web access to my store. I hope to be able to open it in august.
Best regards

Popsel
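The once-off flag proposed in this post is easiest to judge by its failure mode. The PHP below is an added example, not code from the thread or from osC_Sec: the filter is a stand-in that only strips '<' and '>', and addon_build_message() is a hypothetical addon. It shows that once the global flag is armed, whichever value reaches the filter next passes through untouched, even when the addon bailed out before its own message was ever sent. The alternative at the end exempts request parameters by name, so the exemption is a fixed list that can be reviewed instead of global state that depends on execution order.

```php
<?php
// Added example, not code from the thread or from osC_Sec. The filter is a stand-in
// that only strips '<' and '>'; addon_build_message() is a hypothetical addon.

$oscsec_filter_once_off = false;

// Filter with the proposed once-off bypass: if the flag is armed, the next value
// that arrives (whatever it is) is returned untouched and the flag is cleared.
function scrub_with_flag( $value ) {
    global $oscsec_filter_once_off;
    if ( $oscsec_filter_once_off ) {
        $oscsec_filter_once_off = false;
        return $value;
    }
    return str_replace( array( '<', '>' ), '', $value );
}

// Hypothetical addon: arms the flag for its own message, but a validation failure
// makes it return before the message ever reaches the filter. The flag stays armed.
function addon_build_message( $amount ) {
    global $oscsec_filter_once_off;
    $oscsec_filter_once_off = true;
    if ( $amount <= 0 ) {
        return null;
    }
    return scrub_with_flag( "Der Mindestbestellwert f&uuml;r diesen Gutschein betr&auml;gt $amount" );
}

// Constructed request data; 'name' is the kind of value the filter exists for.
$request = array( 'coupon' => 'SOMMER2011', 'name' => '<b>x</b>' );

addon_build_message( 0 );                            // arms the flag and bails out
$leaked = scrub_with_flag( $request['name'] );       // '<b>x</b>' comes back unfiltered

// Alternative: exempt request parameters by name. The exemption is a fixed list that
// can be reviewed, and no earlier code path can widen it by setting global state.
function scrub_request( array $request, array $exempt_keys ) {
    foreach ( $request as $key => $value ) {
        if ( in_array( $key, $exempt_keys, true ) ) {
            continue;
        }
        $request[$key] = str_replace( array( '<', '>' ), '', $value );
    }
    return $request;
}

$clean = scrub_request( $request, array( 'coupon' ) );

var_dump( $leaked );          // string(8) "<b>x</b>"
var_dump( $clean['name'] );   // string(4) "bx/b"
```

An exempted parameter still has to be encoded with htmlspecialchars() where it is printed; the exemption only decides which values the request filter leaves alone, not whether they are safe to echo.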

#82   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 22 May 2011 - 12:17

To give you some idea of the issue we are facing, have a look at my test site http://warbeast.netne.net/. On the top right where you log in I have displayed the same message we are testing with. This has been defined into the includes/language/english.php file and is displaying correctly in both IE and FF. This site is running the latest version of osC_Sec.php. Are those characters displaying correctly in your browser?

Here is what I am seeing...
[img]http://i53.tinypic.com/2po8nie.jpg[/img]

So I am not able to replicate the problem you are having on your site without seeing your site sorry.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#83   popsel

popsel
  • Members
  • 23 posts
  • Real Name:Hans Lang
  • Gender:Male
  • Location:Germany

Posted 22 May 2011 - 13:46

> To give you some idea of the issue we are facing, have a look at my test site http://warbeast.netne.net/. On the top right where you log in I have displayed the same message we are testing with. This has been defined into the includes/language/english.php file and is displaying correctly in both IE and FF. This site is running the latest version of osC_Sec.php. Are those characters displaying correctly in your browser?
>
> Here is what I am seeing...
> [img]http://i53.tinypic.com/2po8nie.jpg[/img]
>
> So I am not able to replicate the problem you are having on your site without seeing your site sorry.


OK, which data should I enter (coupon code, goods value, test customer data)?
Best regards

Popsel

#84   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 22 May 2011 - 21:20

I am not sure what you are asking. All I did was enter the German string you were testing, into one of the defined constants in my sites english.php file to see how it is displaying the umlauts. It is not an accurate test because I have not installed the addons you are using. The only other way I can test osC_Sec to try and replicate the conditions you are experiencing is to install all the addons you have installed. If I can replicate the results you are getting then I can find out what is causing the code to display incorrectly.

In the meantime if you have to, set $GETcleanup to 0 which will disable it.

By the way, which version of osCommerce are you using?

#85   popsel

popsel
  • Members
  • 23 posts
  • Real Name:Hans Lang
  • Gender:Male
  • Location:Germany

Posted 22 May 2011 - 21:24

> OK, which data should I enter (coupon code, goods value, test customer data)?


@Taipo

Dear Taipo,

I don't know why your code works on your site and doesn't show the same result on my site.
I see this is a problematic situation for both of us -
if you can not reproduce the faultily displayed messages you can't find a fix for it.
If I had the same output as you, then I wouldn't have a reason to bother you.

Anyway, I finally found a workaround (tested with IE6, FF 4.01 and Chrome 11) to display
all the problematic messages in the right way here, too :rolleyes:

So again, thank you very much for support.
Best regards

Popsel

#86   popsel

popsel
  • Members
  • 23 posts
  • Real Name:Hans Lang
  • Gender:Male
  • Location:Germany

Posted 22 May 2011 - 21:33

> I am not sure what you are asking. All I did was enter the German string you were testing...


Yes, this is not the same situation. I thought you had installed the same plugin, too. Then I would need to log in as a customer and need a valid coupon code for testing :rolleyes:

> In the meantime if you have to, set $GETcleanup to 0 which will disable it.

With my workaround I can leave it at $GETcleanup=1 to keep it more secure.

> By the way, which version of osCommerce are you using?


I am using OSC V2.2rc2a
Best regards

Popsel

#87   popsel

popsel
  • Members
  • 23 posts
  • Real Name:Hans Lang
  • Gender:Male
  • Location:Germany

Posted 22 May 2011 - 21:50

> Yes, this is not the same situation. I thought you had installed the same plugin, too. Then I would need to log in as a customer and need a valid coupon code for testing :rolleyes:


> With my workaround I can leave it at $GETcleanup=1 to keep it more secure.



> I am using OSC V2.2rc2a


Finally I can show some pics how it looks with my workaround:

[IMG]http://i53.tinypic.com/16c6eys.jpg[/IMG]

[IMG]http://i53.tinypic.com/219qkra.jpg[/IMG]

Edited by popsel, 22 May 2011 - 21:53.

Best regards

Popsel

#88   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 23 May 2011 - 02:11

I would still like to get to the bottom of this if possible even just for my own reference. Can you give me a list of every addon you are using. I see you have listed Discount Coupon Codes V3.34 and Order Editor V5.09 so far. Once I have that list I can set up a test scenario here and activate the German language and try to replicate the issue you have brought up.

It seems that perhaps one of those addons is reacting to another section of osC_Sec.php other than the section we are working on. I would like to find out which part of that code is causing the problem.

#89   popsel

popsel
  • Members
  • 23 posts
  • Real Name:Hans Lang
  • Gender:Male
  • Location:Germany

Posted 23 May 2011 - 05:38

> I would still like to get to the bottom of this if possible even just for my own reference. Can you give me a list of every addon you are using. I see you have listed Discount Coupon Codes V3.34 and Order Editor V5.09 so far. Once I have that list I can set up a test scenario here and activate the German language and try to replicate the issue you have brought up.
>
> It seems that perhaps one of those addons is reacting to another section of osC_Sec.php other than the section we are working on. I would like to find out which part of that code is causing the problem.


Hi!

I have a heavily modified shop with tons of addons and some things of my own.
You will have a lot of fun :D :


Add 3 Images with Admin
Add Qty to listings (Mengeneingabebox)
Admin German 2.2MS2
Admin Reports Count Reset
über Skype anrufen
AGB Zustimmung
AJAX Attribute Manager ++
All In One FCK Editor WYSIWYG Editor
Anti Robot Validation
Artikelnummer automatisch hochzählen lassen
Auto Update Currencies V 1.0
Banner Manager für Rc2.2a
Banner Picture Hack in Banner Manager
Better SEO Images V1.1
Box Caching erweitern
Center Shop (Shopbreite begrenzen)
change date format
CK EDITOR nightly & Install Instructions +++
Counter Reset V1.0
Cronjob on Windows Xampp
CSS hover enlarged image popup MOD
CSS MENU OK
Cycling products +++
Database Optimizer V 1.0
Datenschutz Zustimmung in Popup
Datum auf DEUTSCH UMSTELLEN
Delete Category Images V 1.0
Discount Coupon Codes +++
Easy Tool Tip text balloon ++
EUR-Zeichen in QSCommerce
Extra pages-info box w admin
Falsche Rundung von osCommerce - gelöst! P
Faster Page Loads, Less DB queries
FCK Player Plugin & Free Video to Flash Converter
Flash Banners
Flash Videos in den Hintergrund bringen
Hermes Export
HTML Status Update Auto-emailer with product images and links +++
HTML-Befehle Übersicht
If price = 0.00 dont display price
Image Check
Image Hack Protection
Image Upload Resizer
Impressum
Länderliste DE oben
Leerzeichen bei Währung & Preis
Low Stock Report
Mp3_preview_with_Flash_player_v1.0
MWST und Versandkostenanzeige
Nachnamen bei den Bewertungen nicht mehr anzeigen
Order Editor 5.09b
OS COMMERCE How to install a contribution
Page Cache 1.6
Payment Type Charge
PaymethodsQuickinfobox
Preisauszeichnungsverordnung MWST und Versandkostenanzeige
Products thumbnail image display and popups on the admin
Punkt statt Komma am Num. Ziffernblock
Pure CSS Image Swap On Hover For osC Buttons
Rechnungslayout über Admin + Texteingabe in Rechnung
Report Missing & unassinged Images
Review Notification
Sales Report Between Two Dates
Scrolling Bestsellers
Send Admin HTML e-mails
SEO Assistant
SEO images v.0.99
Skype Contact
Store Mode (Open Closed Maintenance)
Vorschau bei neuem Produkt oder bei Update überspringen
Widerrufsbelehrung
XPricesPerProduct +++
X-Sell (Produktverlinkung NEUE VERSION)
Zones International Default Zonesworld Version_v2.zip
OSC_SEC(urity) latest version with fix
SiteMonitor


I don't want to bother you again, but in case you would like to know about other problems I had with OSC_SEC:

So far I had to find workarounds because these addons in combination with OSC_SEC did not work in my shop:
Rechnungslayout über Admin + Texteingabe in Rechnung
AJAX Attribute Manager
Best regards

Popsel

#90   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 23 May 2011 - 06:25

The problem with the AJAX Attrib Manager will probably also be linked to the $GETcleanup issue as well.

#91   popsel

popsel
  • Members
  • 23 posts
  • Real Name:Hans Lang
  • Gender:Male
  • Location:Germany

Posted 23 May 2011 - 08:23

> I would still like to get to the bottom of this if possible even just for my own reference. Can you give me a list of every addon you are using. I see you have listed Discount Coupon Codes V3.34 and Order Editor V5.09 so far. Once I have that list I can set up a test scenario here and activate the German language and try to replicate the issue you have brought up.
>
> It seems that perhaps one of those addons is reacting to another section of osC_Sec.php other than the section we are working on. I would like to find out which part of that code is causing the problem.


Hi!

I see, even after a lot of posts, it may still be unclear to you why it doesn't work?

Your code could not help me to fix this problem because, even after all these changes,
it filters uncoded umlaut characters (ä ü ....) and the € sign.

That is the reason why it did not work for me and I had to find a workaround.

If you still don't have enough you may continue investigating it ;)
Best regards

Popsel

#92   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 23 May 2011 - 08:36

I did not realise it was affecting the uncoded umlauts. This may work better then:
  /**
  * Clean up GET request vars
  * as well as multidimensional arrays
  */
  function scrubster( $nodes ) {
     if ( is_array( $nodes ) ) {
          foreach( $nodes as $key=>$value ) {
                if ( is_array( $value ) ) {
                    $nodes[$key] = scrubster( $value );   // keep the cleaned sub-array
                } else {
                    // clean the single value, not the whole array
                    $value = getCleaner( $value, TRUE );
                    $value = preg_replace("/[^ a-zA-Z0-9?,äöüÄÖÜ€ß=@%:{}\/_.-]/i", "", urldecode( $value ) );
                    $nodes[$key] = getCleaner( $value, FALSE );
                }
          }
     } else {
          $nodes = getCleaner( $nodes, TRUE );
          $nodes = preg_replace("/[^ a-zA-Z0-9?,äöüÄÖÜ€ß=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
          $nodes = getCleaner( $nodes, FALSE );
    }
    return $nodes;
  }

  /**
  * Called above, this will clean up
  * values but not interfere with umlauts
  */
  function getCleaner($string, $conv=1) {
    // Per-request marker prefixed to the placeholders so they are unlikely to occur in user input
    $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] . 
              $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . 
              $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
    // entities (plain and double-encoded) and raw characters to protect
    $tolist = explode(",", "&auml;,&ouml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig;,&amp;auml;,&amp;ouml;,&amp;uuml;,&amp;Auml;,&amp;Ouml;,&amp;Uuml;,&amp;euro;,&amp;szlig;,ä,ö,ü,Ä,Ö,Ü,€,ß");
    // placeholders that survive the character filter
    $fromlist = explode(",", "ae,oe,ue,Ae,Oe,Ue,euro,szlig,ae,oe,ue,Ae,Oe,Ue,euro,szlig,axe,oxe,uxe,Axe,Oxe,Uxe,euxro,szlxig");
    // what each placeholder is turned back into
    $finlist = explode(",", "&auml;,&ouml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig;,&auml;,&ouml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig;,ä,ö,ü,Ä,Ö,Ü,€,ß");
    for($wr=0;$wr<count($tolist);$wr++) {   // '<', not '<=': the last valid index is count()-1
       if ( $conv > 0 ) {
           $string = str_replace($tolist[$wr], $x.$fromlist[$wr], $string);
       } else {
           $string = str_replace($x.$fromlist[$wr], $finlist[$wr], $string);
       }
    }
    return $string;
}

As you saw in your debug print out that you did, the cleaner actually did not affect the encoded umlauts, yet they were still displaying incorrectly afterward.

#93   popsel

popsel
  • Members
  • 23 posts
  • Real Name:Hans Lang
  • Gender:Male
  • Location:Germany

Posted 23 May 2011 - 09:32

> I did not realise it was affecting the uncoded umlauts. This may work better then:
>
> [scrubster() and getCleaner() code as posted in #92 above]
>
> As you saw in your debug print out that you did, the cleaner actually did not affect the encoded umlauts, yet they were still displaying incorrectly afterward.


Hi!

I did a quick test, and the uncoded umlauts are still gone after passing OSC_SEC.
You can test it yourself with a logging function like I did.
Feed OSC_SEC some uncoded umlaut strings and look in the debug file output at what is left over - a very simple method.
If umlaut or € sign chars are missing then something is wrong.
That is the reason why it works for me if filtering is disabled / OSC_SEC is bypassed.

For now I have to continue developing my store - there is still a lot of work to do.
So I have no more time for tests on this topic.
Actually my workaround is working for me, so I will stick to it.

If you can find a way to fix the problem, it would be great if you could include this in the next official OSC_SEC update.


Cheers!
Best regards

Popsel

#94   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 23 May 2011 - 10:21

Unfortunately we are constantly getting two different sets of results from the same piece of script. There must be other variables involved that are outside of what osC_Sec does, as my testing has no problems in displaying the uncoded umlauts, so I am unable to assist any more with this, sorry. However I think as it stands, the code above does improve the way osC_Sec filters the umlauts so I will leave it in the next version when it is released. Sorry I could not be of more assistance to you.

Edited by Taipo, 23 May 2011 - 10:32.


#95   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 23 May 2011 - 11:00

For Reference this is a test.
Settings:
- Character encoding in your browser set to Western(ISO-8859-1)
- in includes/language/yourlanguage.php set define('CHARSET', 'iso-8859-1');

In application_top.php, after
require('includes/osc_sec.php');

paste this code:
echo scrubster( "&auml;,&ouml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig;,&amp;auml;,&amp;auml;,&amp;uuml;,&amp;Auml;,&amp;Ouml;,&amp;Uuml;,&amp;euro;,&amp;szlig,ä,ö,ü,Ä,Ö,Ü,€,ß [w](o)%3Cr%3Ek|i*n^g" );

You should see the resulting text when you load your site.

ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ä,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß working



#96   rdva

rdva
  • Members
  • 23 posts
  • Real Name:rdva
  • Gender:Male
  • Location:Saint-Petersburg, Russia

Posted 23 May 2011 - 13:36

Taipo, I have a problem similar to popsel's with the Russian language. The function scrubster() filters out all non-Latin symbols, and all Russian symbols are non-Latin. The workaround (for me) is:

find
preg_replace("/[^ a-zA-Z0-9?=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
replace with
preg_replace("/[^ a-zA-Zа-яА-Я0-9?=@%:{}\/_.-]/i", "", urldecode( $nodes ) );

Can you see the difference? Does your browser display Cyrillic symbols correctly?

#97   popsel

popsel
  • Members
  • 23 posts
  • Real Name:Hans Lang
  • Gender:Male
  • Location:Germany

Posted 23 May 2011 - 14:53

> For Reference this is a test.
> Settings:
> - Character encoding in your browser set to Western(ISO-8859-1)
> - in includes/language/yourlanguage.php set define('CHARSET', 'iso-8859-1');
>
> In application_top.php, after
>
> require('includes/osc_sec.php');
>
> paste this code:
> echo scrubster( "ä,ö,ü,Ä,Ö,Ü,€,ß,&auml;,&auml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig,ä,ö,ü,Ä,Ö,Ü,€,ß [w](o)%3Cr%3Ek|i*n^g" );
>
> You should see the resulting text when you load your site.



Taipo, I get this with your test (define('CHARSET', 'iso-8859-1') in languages/german.php and the same setting in FF):
[img]http://i52.tinypic.com/1pcu2s.png[/img]

with this code in scrubster:
  function scrubster( $nodes ) {
     if ( is_array( $nodes ) ) {
          foreach( $nodes as $key=>$value ) {
                if ( is_array( $value ) ) {
                      $nodes[$key] = scrubster( $value );   // keep the cleaned sub-array
                } else {
                      // clean the single value, not the whole array
                      $value = getCleaner( $value, TRUE );
                      $value = preg_replace("/[^ a-zA-Z0-9?,=@%:{}\/_.-]/i", "", urldecode( $value ) );
                      $nodes[$key] = getCleaner( $value, FALSE );
                }
          }
     } else {
          $nodes = getCleaner( $nodes, TRUE );
          $nodes = preg_replace("/[^ a-zA-Z0-9?,=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
          $nodes = getCleaner( $nodes, FALSE );
    }
    return $nodes;
  }

and this code in getCleaner:
  /**
  * Called above, this will clean up
  * values but not interfere with umlauts
  */
  function getCleaner($string, $conv=1) {
    // Per-request marker prefixed to the placeholders so they are unlikely to occur in user input
    $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] . 
              $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . 
              $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
    $tolist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,&auml;,&ouml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig;,ä,ö,ü,Ä,Ö,Ü,€,ß");
    $fromlist = explode(",", "ae,oe,ue,Ae,Oe,Ue,euro,szlig,ae,oe,ue,Ae,Oe,Ue,euro,szlig,axe,oxe,uxe,Axe,Oxe,Uxe,euxro,szlxig");
    $finlist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß");
    for($wr=0;$wr<count($tolist);$wr++) {   // '<', not '<=': the last valid index is count()-1
       if ( $conv > 0 ) {
           $string = str_replace($tolist[$wr], $x.$fromlist[$wr], $string);
       } else {
           $string = str_replace($x.$fromlist[$wr], $finlist[$wr], $string);
       }
    }
    return $string;
}


Edited by popsel, 23 May 2011 - 15:01.

Best regards

Popsel

#98   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 23 May 2011 - 23:31

I have changed the cleanup syntax below. This may render some more of the non-english char items than the previous one. Using the perl compatible regular expressions will hopefully allow the browser character settings to make a better determination of what is displayed and what isn't. However this may not work on some locale settings.

  /**
  * Clean up GET request vars
  * as well as multidimensional arrays
  */
  function scrubster( $nodes ) {
     if ( is_array( $nodes ) ) {
          foreach( $nodes as $key=>$value ) {
                if ( is_array( $value ) ) {
                      $nodes[$key] = scrubster( $value );   // keep the cleaned sub-array
                } else {
                      // clean the single value, not the whole array
                      $value = getCleaner( $value, TRUE );
                      $value = preg_replace("/[^\w\s?,€=@%:{}\/_.-]/i", "", urldecode( $value ) );
                      $nodes[$key] = getCleaner( $value, FALSE );
                }
          }
     } else {
          $nodes = getCleaner( $nodes, TRUE );
          $nodes = preg_replace("/[^\w\s?,€=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
          $nodes = getCleaner( $nodes, FALSE );
    }
    return $nodes;
  }

  /**
  * Called above, this will clean up
  * values but not interfere with umlauts
  */
  function getCleaner($string, $conv=1) {
    // Per-request marker prefixed to the placeholders so they are unlikely to occur in user input
    $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] . 
              $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
    // entities (plain and double-encoded) to protect from the character filter
    $tolist = explode(",", "&auml;,&ouml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig;,&amp;auml;,&amp;ouml;,&amp;uuml;,&amp;Auml;,&amp;Ouml;,&amp;Uuml;,&amp;euro;,&amp;szlig;");
    $fromlist = explode(",", "ae,oe,ue,Ae,Oe,Ue,euro,szlig,ae,oe,ue,Ae,Oe,Ue,euro,szlig");
    $finlist = explode(",", "&auml;,&ouml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig;,&auml;,&ouml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig;");
    for($wr=0;$wr<count($tolist);$wr++) {   // '<', not '<=': the last valid index is count()-1
       if ( $conv > 0 ) {
           $string = str_replace($tolist[$wr], $x.$fromlist[$wr], $string);
       } else {
           $string = str_replace($x.$fromlist[$wr], $finlist[$wr], $string);
       }
    }
    return $string;
}


#99   popsel

popsel
  • Members
  • 23 posts
  • Real Name:Hans Lang
  • Gender:Male
  • Location:Germany

Posted 24 May 2011 - 07:27

> I have changed the cleanup syntax below. This may render some more of the non-english char items than the previous one. Using the perl compatible regular expressions will hopefully allow the browser character settings to make a better determination of what is displayed and what isn't. However this may not work on some locale settings.
>
> [scrubster() and getCleaner() code as posted in #98 above]


Hi!

Using the code above I get now in FF:
ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ä,ü,Ä,Ö,Ü,€,ß,Ã,Ã,Ã,Ã,Ã,Ãœ,€,ß working

and under real conditions FF outputs:
Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht

This is looking good, but where is the € sign?

For your information:
The biggest problem with osc_sec for me was the fact that it filtered umlauts in Order Editor.
After changing an address with umlauts and a page reload the umlauts were gone.
This was a really heavy limitation and made Order Editor close to useless.
After your very first code change I could work with Order Editor and umlauts :rolleyes:
Displaying an error message with wrong chars, which only some people may see,
is not that important. So I was happy in the end to find a workaround for that.


Actually the situation has changed:

The error messages display nearly perfectly (besides the € sign),
but in Order Editor I have the same problem again:
All umlauts are removed after changing it and a page reload :crying:
Best regards

Popsel
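The results seen in this part of the thread (umlauts and Cyrillic stripped by the a-zA-Z class, half-characters such as Ã left behind by the \w version, and the site running with CHARSET iso-8859-1) all come down to the pattern seeing bytes rather than characters. The PHP below is an added example, not code from osC_Sec or from any post here; it assumes a UTF-8 source file and the mbstring extension, and the set of allowed punctuation is taken from the patterns above as an assumption. It puts a byte-oriented pattern next to a Unicode-aware one (/u with \p{L}\p{N}, which also covers the Cyrillic case from post #96), converts an ISO-8859-1 value to UTF-8 for matching and back again, and shows what preg_replace() returns when it is handed bytes that are not valid UTF-8.

```php
<?php
// Added example (not code from osC_Sec or from this thread). Assumes a UTF-8
// source file and the mbstring extension.

// Allowed characters are an assumption for this example: any letter or digit in
// any script, whitespace, and the punctuation the thread's patterns keep.
define( 'SCRUB_ALLOWED', '/[^\p{L}\p{N}\s?,€=@%:{}\/_.-]/u' );

// Byte-oriented variant in the style of the thread's patterns (no /u modifier).
// Without /u, \w and the class operate on single bytes, so every multibyte
// character is removed or left as a stray byte; shown here only for comparison.
function scrub_bytes( $value ) {
    return preg_replace( '/[^\w\s?,€=@%:{}\/_.-]/i', '', urldecode( $value ) );
}

// Unicode-aware allow-list filter for a single value or a (nested) array.
// $charset is the shop's CHARSET, e.g. 'iso-8859-1'; values are converted to
// UTF-8 for matching and back again, so the rest of the shop sees its own encoding.
// Fails closed: returns '' whenever the value cannot be matched safely.
function scrub_unicode( $value, $charset = 'UTF-8' ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $key => $item ) {
            $value[$key] = scrub_unicode( $item, $charset );   // clean nested arrays in place
        }
        return $value;
    }
    $value   = urldecode( $value );
    $is_utf8 = ( strcasecmp( $charset, 'UTF-8' ) === 0 );
    if ( !$is_utf8 ) {
        $value = mb_convert_encoding( $value, 'UTF-8', $charset );
    }
    if ( !mb_check_encoding( $value, 'UTF-8' ) ) {
        return '';                       // undecodable bytes: drop the value, do not pass it through
    }
    $clean = preg_replace( SCRUB_ALLOWED, '', $value );
    if ( $clean === null ) {             // preg_replace() returns NULL on error (e.g. PREG_BAD_UTF8_ERROR)
        return '';
    }
    return $is_utf8 ? $clean : mb_convert_encoding( $clean, $charset, 'UTF-8' );
}

// Constructed sample inputs.
$samples = array(
    'Der Mindestbestellwert für diesen Gutschein beträgt 10,00 €',  // the message from this thread
    'Straße',
    'Привет',                        // the Cyrillic case from post #96
    'name=%3Cscript%3E',             // URL-encoded angle brackets
    '[w](o)%3Cr%3Ek|i*n^g',          // the tail of the test string from post #95
);
foreach ( $samples as $s ) {
    echo "in:      $s\n";
    echo "bytes:   " . scrub_bytes( $s ) . "\n";      // in the default C locale: 'Straße' -> 'Strae', 'Привет' -> ''
    echo "unicode: " . scrub_unicode( $s ) . "\n\n";  // letters kept; '<' '>' '[' ']' '(' ')' '|' '*' '^' removed
}

// An ISO-8859-1 shop (CHARSET 'iso-8859-1', as in this thread) sends 'ü' as the
// single byte 0xFC. Handed straight to a /u pattern, that is invalid UTF-8:
$latin1 = "Gr\xFC\xDFe";                                       // "Grüße" in ISO-8859-1
var_dump( preg_replace( SCRUB_ALLOWED, '', $latin1 ) );        // NULL, preg_last_error() is PREG_BAD_UTF8_ERROR
var_dump( bin2hex( scrub_unicode( $latin1, 'iso-8859-1' ) ) ); // "4772fcdf65": the same bytes, untouched
```

Run it from the command line with php. Two choices are deliberate: the function returns an empty string rather than the original value whenever the pattern fails, so a malformed request never bypasses the filter; and converting back to the site charset keeps the rest of the shop unaware of the change. A character allow-list on $_GET remains a coarse safety net: injection into SQL and HTML in the shop's own code is closed by parameterized queries and by encoding output with htmlspecialchars(), not by stripping characters from requests.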

#100   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 24 May 2011 - 08:19

I think the problem again is that for some reason some of these addons are calling constant defined variables via HTTP_GET_VARS instead of just calling the defined item directly.

However, these are some of the issues we have to face when working around each others addons.

Try this one out then. It is a bit of the old (as in a bit of the original fix) and a bit of the new.

Replace the entire piece above with this. It should, at a guess, make the order editor work better.

  /**
  * Clean up GET request vars
  * as well as multidimensional arrays
  */
  function scrubster( $nodes ) {
     if ( is_array( $nodes ) ) {
          foreach( $nodes as $key=>$value ) {
                if ( is_array( $value ) ) {
                      $nodes[$key] = scrubster( $value );   // keep the cleaned sub-array
                } else {
                      // clean the single value, not the whole array
                      $nodes[$key] = preg_replace('/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/i', '', urldecode( $value ) );
                }
          }
     } else {
          $nodes = preg_replace('/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/i', '', urldecode( $nodes ) );
    }
    return $nodes;
  }
