[PHP-WEBMASTER] Bug #81460 [Nab->ReO]: Bad validation of input parameters of report.php

cmb Fri, 24 Sep 2021 09:49:45 -0700

Edit report at https://bugs.php.net/bug.php?id=81460&edit=1


 ID:                 81460
 Updated by:         c...@php.net
 Reported by:        ddpm at liscovius dot de
-Summary:            just a live bug test
+Summary:            Bad validation of input parameters of report.php
-Status:             Not a bug
+Status:             Re-Opened
 Type:               Bug
 Package:            Website problem
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N

 New Comment:

Thank you for the clarification!  A PR would be welcome.


Previous Comments:
------------------------------------------------------------------------
[2021-09-24 16:36:29] ddpm at liscovius dot de

You might change the title to 'better validation of input parameters of 
report.php' or something like that.

I got full path with PHP8 when I change the in[passwd] to in[passwd][ooops] in 
the report.php form as POST parameter in[passwd]

Better add is_string() or similiar check before passing to hash_hmac().

Fatal error: Uncaught TypeError: hash_hmac(): Argument #2 ($data) must be of 
type string, array given in /var/www/html/bugs/include/functions.php:1692 Stack 
trace: #0 /var/www/html/bugs/include/functions.php(1692): hash_hmac() #1 
/var/www/html/bugs/www/report.php(224): bugs_get_hash() #2 {main} thrown in 
/var/www/html/bugs/include/functions.php on line 1692

Also spits 'Warning: Undefined array key "package_name" in 
/var/www/html/bugs/www/report.php on line 70' when I submit form without 
selecting a package_name on local dev engine with PHP8.0.10

------------------------------------------------------------------------
[2021-09-23 12:41:32] ni...@php.net

Assuming this is no longer needed...

------------------------------------------------------------------------
[2021-09-20 07:59:36] c...@php.net

> I assume bugs.php.net uses an older version or suppresses
> errors.

Likely both.

> will do github PR if verified.

Would be welcome anyway.

------------------------------------------------------------------------
[2021-09-19 22:55:26] ddpm at liscovius dot de

Seems ok here. I used PHP8.1RC2 on my dev box.

I assume bugs.php.net uses an older version or suppresses errors.

------------------------------------------------------------------------
[2021-09-19 22:51:31] ddpm at liscovius dot de

Description:
------------
Just trying if a bug appears also on live system.
Triggered it on my dev environment.

Test script:
---------------
will do github PR if verified.



------------------------------------------------------------------------



--
Edit this bug report at https://bugs.php.net/bug.php?id=81460&edit=1

-- 
PHP Webmaster List Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-WEBMASTER] Bug #81460 [Nab->ReO]: Bad validation of input parameters of report.php

Reply via email to