
Archived

This topic is now archived and is closed to further replies.

Taipo

Oscommerce Security - Osc_Sec.php

599 posts in this topic

Try this. Replace this part of the code above:

 /**
 * Called above, this will clean up
 * values but not interfere with umlauts
 */
 function getCleaner($string, $conv=1) {
   // Per-request marker prefix: each umlaut is swapped for <marker><ascii form>
   // so the allow-list regex in scrubster() leaves it alone ($conv > 0), and
   // swapped back afterwards ($conv = 0).
   $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
        $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
        $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
   $tolist = explode(",", "ä,ö,ü,Ä,Ö,Ü,ß,€");
   $fromlist = explode(",", "ae,oe,ue,Ae,Oe,Ue,szlig,euro");
   // '<' rather than '<=': the lists are indexed 0..count()-1
   for($wr=0;$wr<count($tolist);$wr++) {
      if ( $conv > 0 ) {
          $string = str_replace($tolist[$wr], $x.$fromlist[$wr], $string);
      } else {
          $string = str_replace($x.$fromlist[$wr], $tolist[$wr], $string);
      }
   }
   return $string;
}

 

With the following:

 /**
 * Called above, this will clean up
 * values but not interfere with umlauts
 */
 function getCleaner($string, $conv=1) {
   // Per-request marker prefix: each umlaut (raw or as an HTML entity) is swapped
   // for <marker><ascii form> so the allow-list regex in scrubster() leaves it
   // alone ($conv > 0), then swapped back to the raw character ($conv = 0).
   $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
          $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
             $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
   // entries 1-8: raw characters; entries 9-16: the same as HTML entities
   // (the second entity is &ouml;, not a repeated &auml;)
   $tolist = explode(",", "ä,ö,ü,Ä,Ö,Ü,ß,€,&auml;,&ouml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig");
   $fromlist = explode(",", "ae,oe,ue,Ae,Oe,Ue,szlig,euro,ae,oe,ue,Ae,Oe,Ue,euro,szlig");
   $finlist = explode(",", "ä,ö,ü,Ä,Ö,Ü,ß,€,ä,ö,ü,Ä,Ö,Ü,€,ß");
   // '<' rather than '<=': the lists are indexed 0..count()-1
   for($wr=0;$wr<count($tolist);$wr++) {
      if ( $conv > 0 ) {
          $string = str_replace($tolist[$wr], $x.$fromlist[$wr], $string);
      } else {
          $string = str_replace($x.$fromlist[$wr], $finlist[$wr], $string);
      }
   }
   return $string;
}

 

This probably could be written in simpler terms, but in the end, it's the result that matters.



 

Hi!

 

I checked with the same conditions, but the result did not change :huh:

 

Frontend output is this:

Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht.

 

Firebug analysis is showing that Firefox is getting this string:

<td class="headerError">Der Mindestbestellwert f&uuml;r diesen Gutschein betr&auml;gt 10,00 und wurde noch nicht erreicht.</td>

 

That's why Firefox does not display umlauts. The generated code f&uuml;r produces a display of f&uuml;r instead of the desired output: für

 

So I was trying to find out the conditions to get the desired output.

 

If $nonGETPOSTReqs = 1 and umlauts are not coded like &uuml; but written normally as ü

define('ENTRY_DISCOUNT_COUPON_MIN_PRICE_ERROR', 'Der Mindestbestellwert für diesen Gutschein beträgt %s und wurde noch nicht erreicht');

and this line is disabled for testing

 /**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
 function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
         foreach( $nodes as $key=>$value ) {
               // recurse into each element (nested arrays and scalars alike) and
               // keep the result; a bare scrubster( $value ) call would discard it
               $nodes[$key] = scrubster( $value );
         }
    } else {
         $nodes = getCleaner( $nodes, TRUE );
         // Next line disabled for testing:
        // $nodes = preg_replace("/[^ a-zA-Z0-9?,ßäöüÄÖÜ€=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
         $nodes = getCleaner( $nodes, FALSE );
   }
   return $nodes;
 }

 

then I receive this (perfect) frontend output:

Der Mindestbestellwert für diesen Gutschein beträgt 10,00 € und wurde noch nicht erreicht.

 

Looking into the code using Firebug shows this:

<td class="headerError">Der Mindestbestellwert für diesen Gutschein beträgt 10,00 € und wurde noch nicht erreicht.</td>

 

From this view I think there are 2 problems:

1. The filter function (scrubster) sometimes still filters standard written umlauts (ö ä ü Ö Ä Ü €)

To show that, enabling the above disabled line, in function scrubster shows this result:

Frontend output:

Der Mindestbestellwert fr diesen Gutschein betrgt 10,00 und wurde noch nicht erreicht.

Firebug analysis:

<td class="headerError">Der Mindestbestellwert fr diesen Gutschein betrgt 10,00 und wurde noch nicht erreicht.</td>

 

2. If umlauts are html coded in the message string, they are not bypassed correctly. So the browser shows the code for umlauts but not the umlauts special character itself.

 

Hopefully this research can help you to fix this problem.

 

Thanks again for your patience.


Ok that does help a bit.

 

Try this for size:

 /**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
 function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
         foreach( $nodes as $key=>$value ) {
               // recurse into each element (nested arrays and scalars alike) and
               // keep the result; a bare scrubster( $value ) call would discard it
               $nodes[$key] = scrubster( $value );
         }
    } else {
         $nodes = getCleaner( $nodes, TRUE );
         $nodes = preg_replace("/[^ a-zA-Z0-9?,=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
         $nodes = getCleaner( $nodes, FALSE );
   }
   return $nodes;
 }

 /**
 * Called above, this will clean up
 * values but not interfere with umlauts
 */
 function getCleaner($string, $conv=1) {
   $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
          $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
             $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
   // raw characters, then their HTML entities (&ouml;, not a repeated &auml;),
   // then the raw characters once more (already replaced by the first set on
   // the forward pass)
   $tolist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,&auml;,&ouml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig,ä,ö,ü,Ä,Ö,Ü,€,ß");
   $fromlist = explode(",", "ae,oe,ue,Ae,Oe,Ue,euro,szlig,ae,oe,ue,Ae,Oe,Ue,euro,szlig,axe,oxe,uxe,Axe,Oxe,Uxe,euxro,szlxig");
   $finlist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß");
   // '<' rather than '<=': the lists are indexed 0..count()-1
   for($wr=0;$wr<count($tolist);$wr++) {
      if ( $conv > 0 ) {
          $string = str_replace($tolist[$wr], $x.$fromlist[$wr], $string);
      } else {
          $string = str_replace($x.$fromlist[$wr], $finlist[$wr], $string);
      }
   }
   return $string;
}

 

Hopefully this might work. It should work where umlauts are html coded and are in actual form. Where it probably will not work is where you want to display the html encoded umlaut. But that would be rare in osCommerce one would think.



 

Ok, we have to see where the problem occurs. It still doesn't provide the right output.

With the current version I have:

 

Frontend showing:

Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht.

 

Firebug showing:

<td class="headerError">Der Mindestbestellwert f&uuml;r diesen Gutschein betr&auml;gt 10,00 und wurde noch nicht erreicht.</td>

 

I added a logfile to see what's going in and out of function scrubster

 /**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
 function scrubster( $nodes ) {
   // Debug only: this writes request data to a file inside the web root
   if ( file_exists("scrubster.txt") ) {
     unlink("scrubster.txt");                // Erase old logfile first
   }
   $file = fopen("scrubster.txt", "a+");     // Open debug file
   fwrite($file, 'in ='.$nodes.chr(10));     // Write input to file

    if ( is_array( $nodes ) ) {
         foreach( $nodes as $key=>$value ) {
               // recurse into each element and keep the result
               $nodes[$key] = scrubster( $value );
         }
    } else {
         $nodes = getCleaner( $nodes, TRUE );
         $nodes = preg_replace("/[^ a-zA-Z0-9?,=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
         $nodes = getCleaner( $nodes, FALSE );
   }

   fwrite($file, 'out='.$nodes.chr(13).chr(10));             // Write output to file and add new line
   fclose($file);     // Close file

   return $nodes;
 }

 

This is the result:

in =Der Mindestbestellwert für diesen Gutschein beträgt  10,00 € und wurde noch nicht erreicht.
out=Der Mindestbestellwert für diesen Gutschein beträgt  10,00  und wurde noch nicht erreicht.

 

So we see that nothing besides the € sign is changed. The changes must happen elsewhere.

(If I do the same test with normal umlauts they are filtered in the output.)

 

Is there any further processing of these strings inside OSC_SEC besides the function scrubster?


Nothing else filters the GET requests. The two other actions that happen are 1/ back in osc.php, the setlocale( LC_TIME, "en_NZ" ); call, which is where setlocale determines the time format, so unless that has been changed to the wrong settings it should not interfere with the output, and 2/ the place where $_REQUEST is reset as a merge of the $_GET and $_POST vars, see: $_REQUEST = array_merge( $_GET, $_POST );

 

The difficulty I am having in trying to debug this is that it tests correct on my test system here. And by the looks of the output it is reporting correctly. The only other thing is the way the browser may be converting the output itself. What is the charset set to in the html head of your page, the DOCTYPE and what is the charset set to in your browser?

 

PS: if you don't mind, can you PM me the URL of your website so I can see it for myself?

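An added illustration, not code from osC_Sec or from either poster, of why the charset question above matters to the filter: getCleaner() can only protect an umlaut it recognises, and str_replace() compares bytes. If osC_Sec.php was saved as UTF-8 while the page, and so the GET parameter, is ISO-8859-1, the "ä" literal in the filter is the two bytes C3 A4, the "ä" in the request is the single byte E4, the protect step never fires, and the allow-list regex then strips the byte, which is exactly an umlaut vanishing. The code below reduces the protect/strip/restore pipeline to a single character and feeds it constructed byte strings in both encodings. The function names scrub_with and scrub_normalised are mine, and the normalising variant assumes the mbstring extension is available.

```php
<?php
// Added illustration, not osC_Sec code: str_replace() compares bytes, so the
// filter's 'ä' literal must be spelled in the same encoding as the request.

$AE_LATIN1 = "\xE4";      // 'ä' as an ISO-8859-1 page sends it (constructed)
$AE_UTF8   = "\xC3\xA4";  // 'ä' as a UTF-8 page sends it (constructed)

/**
 * osC_Sec's protect / strip / restore idea reduced to a single umlaut.
 * $umlaut is the byte sequence the filter happens to be written with.
 */
function scrub_with($input, $umlaut) {
    // stand-in for osC_Sec's per-request $x; it only has to be hex so that
    // the allow-list regex below leaves the marker alone
    $marker = md5('per-request secret') . 'ae';
    $s = str_replace($umlaut, $marker, $input);                 // protect
    $s = preg_replace('/[^ a-zA-Z0-9?,=@%:{}\/_.-]/', '', $s);  // allow-list strip
    return str_replace($marker, $umlaut, $s);                   // restore
}

/**
 * Same pipeline, but the request is first converted to the encoding the
 * filter was written in (UTF-8 here) and converted back afterwards, so the
 * result no longer depends on how osC_Sec.php itself was saved.
 * Requires the mbstring extension (assumption).
 */
function scrub_normalised($input, $input_charset) {
    $utf8 = mb_convert_encoding($input, 'UTF-8', $input_charset);
    $out  = scrub_with($utf8, "\xC3\xA4");
    return mb_convert_encoding($out, $input_charset, 'UTF-8');
}

$msg_latin1 = "betr" . $AE_LATIN1 . "gt";   // "beträgt" from an ISO-8859-1 page
$msg_utf8   = "betr" . $AE_UTF8   . "gt";   // "beträgt" from a UTF-8 page

// Filter file saved as UTF-8, request in ISO-8859-1: the protect step finds
// no C3 A4, so the regex strips byte E4 as an unknown character.
echo bin2hex(scrub_with($msg_latin1, $AE_UTF8)), "\n";
// Filter and request agree on the encoding (either one): the byte(s) are
// tokenised before the regex runs and restored afterwards.
echo bin2hex(scrub_with($msg_latin1, $AE_LATIN1)), "\n";
echo bin2hex(scrub_with($msg_utf8, $AE_UTF8)), "\n";
// Normalised first: the request encoding is declared, not guessed.
echo bin2hex(scrub_normalised($msg_latin1, 'ISO-8859-1')), "\n";
```

Run it from the command line and compare the four hex dumps: the first one is missing the e4 byte, the other three keep it. On a real install the value to pass as $input_charset is the CHARSET constant from the active language file, which is the same value the browser is told in the Content-Type meta tag; keeping those two and the encoding of osC_Sec.php itself in agreement is the actual check to make before touching the character lists.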


 

Ok, the site is using

 

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">

<html dir="LTR" lang="de">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

 

and the browser is switching according to it (iso-8859-1).

 

Hmm...

I see this filtering is a problematic topic. I am just a PHP beginner but had this idea for a workaround:

What if we had a global flag to disable the filter once, until the string is sent?

At the place where a problematic string is sent, set the filter-disable flag just before, send the string, and the filter activates itself again after sending one string.

Here is my proposal, you are welcome to make it better or safer :rolleyes:

/*
  Inside the problematic function, just before the string is sent, add:
    $oscsec_filter_once_off=true;
  This disables the filter once. After the string is sent the filter is automatically switched on again.
*/

 /**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
 function scrubster( $nodes ) {
   global $oscsec_filter_once_off;  // Flag can be set in any function

   if (!$oscsec_filter_once_off)    // If $oscsec_filter_once_off is set to TRUE skip filtering one time
   {
       /*    For testing only
       unlink("scrubster.txt");                  // Erase old logfile first
       $file = fopen("scrubster.txt", "a+");     // Open debug file
       fwrite($file, 'in ='.$nodes.chr(10));     // Write input to file
       */

        if ( is_array( $nodes ) ) {
             foreach( $nodes as $key=>$value ) {
                   // recurse into each element and keep the result
                   $nodes[$key] = scrubster( $value );
             }
        } else {
             $nodes = getCleaner( $nodes, TRUE );
             $nodes = preg_replace("/[^ a-zA-Z0-9?,=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
             $nodes = getCleaner( $nodes, FALSE );
       }
       /*    For testing only
       fwrite($file, 'out='.$nodes.chr(13).chr(10));             // Write output to file and add new line
       fclose($file);     // Close file
       */
    }
    $oscsec_filter_once_off = False;   // Now automatically enable filtering again for security
  return $nodes;
 }

 

Sorry, there is no web access to my store. I hope to be able to open it in august.


To give you some idea of the issue we are facing, have a look at my test site http://warbeast.netne.net/. On the top right where you log in I have displayed the same message we are testing with. This has been defined into the includes/language/english.php file and is displaying correctly in both IE and FF. This site is running the latest version of osC_Sec.php. Are those characters displaying correctly in your browser?

 

Here is what I am seeing...

[screenshot: 2po8nie.jpg]

 

So I am not able to replicate the problem you are having on your site without seeing your site sorry.



 

OK, which data should I enter (coupon code, goods value, test customer data)?


I am not sure what you are asking. All I did was enter the German string you were testing, into one of the defined constants in my sites english.php file to see how it is displaying the umlauts. It is not an accurate test because I have not installed the addons you are using. The only other way I can test osC_Sec to try and replicate the conditions you are experiencing is to install all the addons you have installed. If I can replicate the results you are getting then I can find out what is causing the code to display incorrectly.

 

In the meantime if you have to, set $GETcleanup to 0 which will disable it.

 

By the way, which version of osCommerce are you using?



 

@Taipo

 

Dear Taipo,

 

I don't know why your code works on your site and doesn't show the same result on my site.

I see this is a problematic situation for both of us:

if you cannot reproduce the faultily displayed messages you can't find a fix for it.

If I had the same output as you, then I wouldn't have a reason to bother you.

 

Anyway, finally I found a workaround (tested with IE6, FF 4.01 and Chrome 11) to display

all the problematic messages in the right way here, too :rolleyes:

 

So again, thank you very much for support.


I am not sure what you are asking. All I did was enter the German string you were testing...

 

Yes, this is not the same situation. I thought you have installed the same plugin, too. Then I would need to log in as a customer and need a valid coupon code for testing :rolleyes:

 

In the meantime if you have to, set $GETcleanup to 0 which will disable it.

With my workaround I can leave it at $GETcleanup=1 to keep it more secure.

 

By the way, which version of osCommerce are you using?

 

I am using OSC V2.2rc2a



Finally I can show some pics of how it looks with my workaround:

 

[screenshot: 16c6eys.jpg]

 

[screenshot: 219qkra.jpg]


I would still like to get to the bottom of this if possible even just for my own reference. Can you give me a list of every addon you are using. I see you have listed Discount Coupon Codes V3.34 and Order Editor V5.09 so far. Once I have that list I can set up a test scenario here and activate the German language and try to replicate the issue you have brought up.

 

It seems that perhaps one of those addons is reacting to another section of osC_Sec.php other than the section we are working on. I would like to find out which part of that code that is causing the problem.



 

Hi!

 

I have a heavily modified shop with tons of addons and some things of my own.

You will have a lot of fun :D :

 

 

Add 3 Images with Admin

Add Qty to listings (Mengeneingabebox)

Admin German 2.2MS2

Admin Reports Count Reset

über Skype anrufen

AGB Zustimmung

AJAX Attribute Manager ++

All In One FCK Editor WYSIWYG Editor

Anti Robot Validation

Artikelnummer automatisch hochzählen lassen

Auto Update Currencies V 1.0

Banner Manager für Rc2.2a

Banner Picture Hack in Banner Manager

Better SEO Images V1.1

Box Caching erweitern

Center Shop (Shopbreite begrenzen)

change date format

CK EDITOR nightly & Install Instructions +++

Counter Reset V1.0

Cronjob on Windows Xampp

CSS hover enlarged image popup MOD

CSS MENU OK

Cycling products +++

Database Optimizer V 1.0

Datenschutz Zustimmung in Popup

Datum auf DEUTSCH UMSTELLEN

Delete Category Images V 1.0

Discount Coupon Codes +++

Easy Tool Tip text balloon ++

EUR-Zeichen in QSCommerce

Extra pages-info box w admin

Falsche Rundung von osCommerce - gelöst! P

Faster Page Loads, Less DB queries

FCK Player Plugin & Free Video to Flash Converter

Flash Banners

Flash Videos in den Hintergrund bringen

Hermes Export

HTML Status Update Auto-emailer with product images and links +++

HTML-Befehle Übersicht

If price = 0.00 dont display price

Image Check

Image Hack Protection

Image Upload Resizer

Impressum

Länderliste DE oben

Leerzeichen bei Währung & Preis

Low Stock Report

Mp3_preview_with_Flash_player_v1.0

MWST und Versandkostenanzeige

Nachnamen bei den Bewertungen nicht mehr anzeigen

Order Editor 5.09b

OS COMMERCE How to install a contribution

Page Cache 1.6

Payment Type Charge

PaymethodsQuickinfobox

Preisauszeichnungsverordnung MWST und Versandkostenanzeige

Products thumbnail image display and popups on the admin

Punkt statt Komma am Num. Ziffernblock

Pure CSS Image Swap On Hover For osC Buttons

Rechnungslayout über Admin + Texteingabe in Rechnung

Report Missing & unassinged Images

Review Notification

Sales Report Between Two Dates

Scrolling Bestsellers

Send Admin HTML e-mails

SEO Assistant

SEO images v.0.99

Skype Contact

Store Mode (Open Closed Maintenance)

Vorschau bei neuem Produkt oder bei Update überspringen

Widerrufsbelehrung

XPricesPerProduct +++

X-Sell (Produktverlinkung NEUE VERSION)

Zones International Default Zonesworld Version_v2.zip

OSC_SEC(urity) latest version with fix

SiteMonitor

 

I don't want to bother you again, but in case you would like to know about other problems I had with OSC_SEC:

 

So far I had to find workarounds because these addons in combination with OSC_SEC did not work in my shop:

Rechnungslayout über Admin + Texteingabe in Rechnung

AJAX Attribute Manager


The problem with the AJAX Attrib Manager will probably also be linked to the $GETcleanup issue as well.



 

Hi!

 

I see, even after a lot of posts, it may still be unclear to you why it doesn't work?

 

Your code could not help me to fix this problem because, even after all these changes,

it filters uncoded umlaut characters (ä ü ....) and the € sign.

 

That is the reason why it did not work for me and I had to find a workaround.

 

If you still don't have enough you may continue investigating it ;)


I did not realise it was affecting the uncoded umlauts. This may work better then:

 /**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
 function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
         foreach( $nodes as $key=>$value ) {
               // recurse into each element (nested arrays and scalars alike) and
               // keep the result; a bare scrubster( $value ) call would discard it
               $nodes[$key] = scrubster( $value );
         }
    } else {
         $nodes = getCleaner( $nodes, TRUE );
         // the umlauts and the euro sign are now part of the allow-list themselves
         $nodes = preg_replace("/[^ a-zA-Z0-9?,äöüÄÖÜ€ß=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
         $nodes = getCleaner( $nodes, FALSE );
   }
   return $nodes;
 }

 /**
 * Called above, this will clean up
 * values but not interfere with umlauts
 */
 function getCleaner($string, $conv=1) {
   $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
          $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
             $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
   // raw characters, then their HTML entities (&ouml;, not a repeated &auml;),
   // then the raw characters once more (already replaced by the first set on
   // the forward pass)
   $tolist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,&auml;,&ouml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig,ä,ö,ü,Ä,Ö,Ü,€,ß");
   $fromlist = explode(",", "ae,oe,ue,Ae,Oe,Ue,euro,szlig,ae,oe,ue,Ae,Oe,Ue,euro,szlig,axe,oxe,uxe,Axe,Oxe,Uxe,euxro,szlxig");
   $finlist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß");
   // '<' rather than '<=': the lists are indexed 0..count()-1
   for($wr=0;$wr<count($tolist);$wr++) {
      if ( $conv > 0 ) {
          $string = str_replace($tolist[$wr], $x.$fromlist[$wr], $string);
      } else {
          $string = str_replace($x.$fromlist[$wr], $finlist[$wr], $string);
      }
   }
   return $string;
}

 

As you saw in the debug printout that you did, the cleaner actually did not affect the encoded umlauts, yet they were still displaying incorrectly afterward.



 

Hi!

 

I did a quick test, and the uncoded umlauts are still gone after passing OSC_SEC.

You can test it yourself with a logging function like I did.

Feed OSC_SEC some uncoded umlaut strings and look in the debug file output at what is left over - a very simple method.

If there are missing umlaut or € sign chars then something is wrong.

That is the reason why it works for me if filtering is disabled / OSC_SEC is bypassed.

 

For now I have to continue developing my store - there is still a lot of work to do.

So I have no more time for tests with this topic.

Actually my workaround is working for me, so I will stick to it.

 

If you can find a way to fix the problem, it would be great if you could include this in the next official OSC_SEC update.

 

 

Cheers!


Unfortunately we are constantly getting two different sets of results from the same piece of script. There must be other variables involved that are outside of what osC_Sec does, as my testing has no problems in displaying the uncoded umlauts, so I am unable to assist any more with this, sorry. However I think as it stands, the code above does improve the way osC_Sec filters the umlauts, so I will leave it in the next version when it is released. Sorry I could not be of more assistance to you.


For Reference this is a test.

Settings:

- Character encoding in your browser set to Western(ISO-8859-1)

- in includes/language/yourlanguage.php set define('CHARSET', 'iso-8859-1');

 

In application_top.php, after

  require('includes/osc_sec.php'); 

 

paste this code:

echo scrubster( "ä,ö,ü,Ä,Ö,Ü,€,ß,&auml;,&auml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig,ä,ö,ü,Ä,Ö,Ü,€,ß [w](o)%3Cr%3Ek|i*n^g" );

 

You should see the resulting text when you load your site.

 

ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ä,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß working


Taipo, I have a problem similar to popsel's with the Russian language. Function scrubster() filters out all non-Latin symbols. All Russian symbols are non-Latin. The workaround (for me) is:

 

find

preg_replace("/[^ a-zA-Z0-9?=@%:{}\/_.-]/i", "", urldecode( $nodes ) );

replace with

preg_replace("/[^ a-zA-Zа-яА-Я0-9?=@%:{}\/_.-]/i", "", urldecode( $nodes ) );

 

Can you see the difference? Does your browser display Cyrillic symbols correctly?



Taipo, I get this with your test (define('CHARSET', 'iso-8859-1') in languages/german.php and the same setting in FF):

(screenshot)

 

with this code in scrubster:

    if ( is_array( $nodes ) ) {
        foreach ( $nodes as $key => $value ) {
            // store the cleaned element back into the array; nested arrays are handled by the recursion
            $nodes[$key] = scrubster( $value );
        }
    } else {
        $nodes = getCleaner( $nodes, TRUE );
        $nodes = preg_replace( "/[^ a-zA-Z0-9?,=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
        $nodes = getCleaner( $nodes, FALSE );
    }

 

and this code in getCleaner:

 /**
  * Called above, this will clean up
  * values but not interfere with umlauts
  */
 function getCleaner( $string, $conv=1 ) {
    // token built from request and server details, prefixed to every placeholder
    // so the placeholder is unlikely to occur in real input
    $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
              $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
              $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
    // raw characters, then their HTML entity forms, then the raw characters once more
    $tolist   = explode( ",", "ä,ö,ü,Ä,Ö,Ü,€,ß,&auml;,&ouml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig,ä,ö,ü,Ä,Ö,Ü,€,ß" );
    $fromlist = explode( ",", "ae,oe,ue,Ae,Oe,Ue,euro,szlig,ae,oe,ue,Ae,Oe,Ue,euro,szlig,axe,oxe,uxe,Axe,Oxe,Uxe,euxro,szlxig" );
    $finlist  = explode( ",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß" );
    // < rather than <=: the lists have count() entries, index count() does not exist
    for ( $wr = 0; $wr < count( $tolist ); $wr++ ) {
        if ( $conv > 0 ) {
            // protect: character -> token + ascii name, which the filter regex leaves alone
            $string = str_replace( $tolist[$wr], $x.$fromlist[$wr], $string );
        } else {
            // restore: token + ascii name -> character
            $string = str_replace( $x.$fromlist[$wr], $finlist[$wr], $string );
        }
    }
    return $string;
 }


I have changed the cleanup syntax below. This may render some more of the non-English char items than the previous one. Using Perl-compatible regular expressions will hopefully allow the browser character settings to make a better determination of what is displayed and what isn't. However, this may not work on some locale settings.

 

 /**
  * Clean up GET request vars
  * as well as multidimensional arrays
  */
 function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
        foreach ( $nodes as $key => $value ) {
            // store the cleaned element back into the array; nested arrays are handled by the recursion
            $nodes[$key] = scrubster( $value );
        }
    } else {
        $nodes = getCleaner( $nodes, TRUE );
        $nodes = preg_replace( "/[^\w\s?,€=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
        $nodes = getCleaner( $nodes, FALSE );
    }
    return $nodes;
 }

 /**
  * Called above, this will clean up
  * values but not interfere with umlauts
  */
 function getCleaner( $string, $conv=1 ) {
    // token built from request and server details, prefixed to every placeholder
    // so the placeholder is unlikely to occur in real input
    $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
              $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
              $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
    // raw characters, then their HTML entity forms
    $tolist   = explode( ",", "ä,ö,ü,Ä,Ö,Ü,€,ß,&auml;,&ouml;,&uuml;,&Auml;,&Ouml;,&Uuml;,&euro;,&szlig" );
    $fromlist = explode( ",", "ae,oe,ue,Ae,Oe,Ue,euro,szlig,ae,oe,ue,Ae,Oe,Ue,euro,szlig" );
    $finlist  = explode( ",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß" );
    // < rather than <=: the lists have count() entries, index count() does not exist
    for ( $wr = 0; $wr < count( $tolist ); $wr++ ) {
        if ( $conv > 0 ) {
            // protect: character -> token + ascii name, which the filter regex leaves alone
            $string = str_replace( $tolist[$wr], $x.$fromlist[$wr], $string );
        } else {
            // restore: token + ascii name -> character
            $string = str_replace( $x.$fromlist[$wr], $finlist[$wr], $string );
        }
    }
    return $string;
 }


 

Hi!

 

Using the code above I get now in FF:

ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ä,ü,Ä,Ö,Ü,€,ß,Ã,Ã,Ã,Ã,Ã,Ãœ,€,ß working

 

and under real conditions FF outputs:

Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht

 

This is looking good, but where is the € sign?

 

For your information:

The biggest problem with osc_sec for me was the fact, it filtered umlauts in Order Editor.

After changing an address with umlauts and a page reload, the umlauts were gone.

This was a really heavy limitation, making Order Editor close to useless.

After your very first code change I could work with Order Editor and umlauts :rolleyes:

Displaying an error message with wrong chars, which only some people may see,

is not that important. So I was happy in the end to find a workaround for that.

 

 

Actually the situation changed:

 

The error messages display nearly perfectly (besides the € sign),

but in Order Editor I have the same problem again:

All umlauts are removed after changing them and a page reload.


I think the problem again is that for some reason some of these addons are calling constant defined variables via HTTP_GET_VARS instead of just calling the defined item directly.

 

However, these are some of the issues we have to face when working around each others addons.

 

Try this one out then. It is a bit of the old (as in a bit of the original fix) and a bit of the new.

 

Replace the entire piece above with this. It should, at a guess, make the order editor work better.

 

 /**
  * Clean up GET request vars
  * as well as multidimensional arrays
  */
 function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
        foreach ( $nodes as $key => $value ) {
            // store the cleaned element back into the array; nested arrays are handled by the recursion
            $nodes[$key] = scrubster( $value );
        }
    } else {
        // the umlauts and the € sign are listed in the class directly, so no placeholder step is needed
        $nodes = preg_replace( '/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/i', '', urldecode( $nodes ) );
    }
    return $nodes;
 }

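An added example, written for this page and not code from osC_Sec or from any poster in the thread. It covers two things left open above: the "Ã" output and the different results on ISO-8859-1 and UTF-8 stores (every filter regex in the thread runs without the u modifier, so PCRE compares bytes, \w means ASCII letters, digits and _ plus whatever the server locale adds, and a two-byte UTF-8 umlaut is removed one byte at a time, which is how a lone lead byte can survive on one server and nothing on another), and the Cyrillic range added to the class earlier in the thread, which Unicode property classes make unnecessary. The function names scrub_bytes(), scrub_chars() and scrub_request(), the constructed inputs, and the choice of \p{Sc} to keep the € sign are this example's own assumptions.

```php
<?php
// Added example, not osC_Sec code. Function names and sample inputs are
// this example's own; the filter character lists follow the thread.

// 1. The thread's style of filter: no /u modifier, so PCRE matches byte by
//    byte and \w is ASCII plus whatever the process locale adds. Every
//    non-ASCII character is unknown to the class and removed, and a
//    multibyte UTF-8 character is removed one byte at a time.
function scrub_bytes($value)
{
    return preg_replace('/[^\w\s?,=@%:{}\/_.-]/', '', urldecode($value));
}

// 2. Character-aware version. /u makes PCRE decode the subject as UTF-8;
//    \p{L} and \p{N} admit letters and digits of any script (umlauts, ß,
//    Cyrillic), \p{Sc} keeps currency signs such as € (assumption: the store
//    wants it). Everything the thread removes (< > ( ) [ ] | * ^ ' " ; ...)
//    is still removed. On malformed UTF-8 preg_replace() returns NULL
//    (PREG_BAD_UTF8_ERROR); return '' then, so bad bytes never pass through.
function scrub_chars($value)
{
    // urldecode() mirrors the thread's code: PHP already decoded the query
    // string once, so this second pass also unmasks "%253C" -> "<", at the
    // price of mangling a legitimate literal "%" sequence inside a value.
    $clean = preg_replace('/[^\p{L}\p{N}\p{Sc}\s?,=@%:{}\/_.-]/u', '', urldecode($value));
    return ($clean === null) ? '' : $clean;
}

// 3. Recursive walk over a GET array that stores each cleaned leaf back.
function scrub_request($nodes)
{
    if (is_array($nodes)) {
        foreach ($nodes as $key => $value) {
            $nodes[$key] = scrub_request($value);
        }
        return $nodes;
    }
    return scrub_chars($nodes);
}

// Constructed inputs, written as explicit bytes so the outcome does not
// depend on the encoding this file happens to be saved in.
$samples = array(
    // "beträgt" in ISO-8859-1: ä is the single byte 0xE4
    'latin1' => "Gutschein betr\xE4gt 10,00",
    // the same in UTF-8: ä is 0xC3 0xA4, € is 0xE2 0x82 0xAC, plus the
    // thread's "[w](o)%3Cr%3Ek|i*n^g" probe
    'utf8'   => "Gutschein betr\xC3\xA4gt 10,00 \xE2\x82\xAC [w](o)%3Cr%3Ek|i*n^g",
    // "Москва" in UTF-8 next to a tag that must go
    'ru'     => "\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0 <script>",
    // truncated UTF-8 sequence
    'broken' => "abc\xC3",
);

foreach ($samples as $name => $input) {
    printf("%-6s bytes: [%s]\n", $name, scrub_bytes($input));
    printf("%-6s chars: [%s]\n", $name, scrub_chars($input));
}

// the same walk the thread's scrubster() is meant to do over $HTTP_GET_VARS
print_r(scrub_request(array('q' => $samples['utf8'], 'addr' => array('city' => $samples['ru']))));
```

Run it from the command line with php. The byte filter turns "beträgt" into "betrgt" in both encodings and leaves only " script" from the Cyrillic sample; the character filter keeps "beträgt 10,00 €" and "Москва script" while still reducing the probe to "working". For the ISO-8859-1 sample the character filter returns an empty string, because 0xE4 on its own is not valid UTF-8: a store that keeps define('CHARSET', 'iso-8859-1') has to convert its input to UTF-8 first (for instance with iconv('ISO-8859-1', 'UTF-8', $value)) before a u-mode regex sees it, otherwise every value containing an umlaut is emptied. Treating NULL from preg_replace() as "reject" is deliberate; passing the raw value through when the regex fails is the one outcome a request filter must never have.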