Edit report at https://bugs.php.net/bug.php?id=81460&edit=1

 ID:                 81460
 Comment by:         ddpm at liscovius dot de
 Reported by:        ddpm at liscovius dot de
 Summary:            Bad validation of input parameters of report.php
 Status:             Re-Opened
 Type:               Bug
 Package:            Website problem
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N

 New Comment:

I **quickly** made some edits:
https://github.com/php/web-bugs/pull/103
and
https://github.com/php/web-bugs/pull/104

Please test/review.

Previous Comments:
------------------------------------------------------------------------
[2021-09-24 16:49:40] [email protected]

Thank you for the clarification! A PR would be welcome.

------------------------------------------------------------------------
[2021-09-24 16:36:29] ddpm at liscovius dot de

You might change the title to 'better validation of input parameters of report.php' or something like that.

I got full path with PHP8 when I change the in[passwd] to in[passwd][ooops] in the report.php form as POST parameter in[passwd]

Better add is_string() or similar check before passing to hash_hmac().

Fatal error: Uncaught TypeError: hash_hmac(): Argument #2 ($data) must be of type string, array given in /var/www/html/bugs/include/functions.php:1692
Stack trace:
#0 /var/www/html/bugs/include/functions.php(1692): hash_hmac()
#1 /var/www/html/bugs/www/report.php(224): bugs_get_hash()
#2 {main}
  thrown in /var/www/html/bugs/include/functions.php on line 1692

Also spits 'Warning: Undefined array key "package_name" in /var/www/html/bugs/www/report.php on line 70' when I submit form without selecting a package_name on local dev engine with PHP8.0.10

------------------------------------------------------------------------
[2021-09-23 12:41:32] [email protected]

Assuming this is no longer needed...

------------------------------------------------------------------------
[2021-09-20 07:59:36] [email protected]

> I assume bugs.php.net uses an older version or suppresses
> errors.

Likely both.

> will do github PR if verified.

Would be welcome anyway.

------------------------------------------------------------------------
[2021-09-19 22:55:26] ddpm at liscovius dot de

Seems ok here. I used PHP8.1RC2 on my dev box.
I assume bugs.php.net uses an older version or suppresses errors.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=81460
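
The is_string() check suggested in the 2021-09-24 comment, sketched as an added example; this is not code from report.php, functions.php or the linked pull requests. The helper names string_field() and example_hash(), the sha256 algorithm, the key and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: return $in[$key] only if it is a string.
 * Covers a missing key (the "Undefined array key" warning) and an
 * array value such as in[passwd][ooops]=x (the hash_hmac() TypeError).
 */
function string_field(mixed $in, string $key, string $default = ''): string
{
    if (!is_array($in) || !array_key_exists($key, $in)) {
        return $default;
    }
    return is_string($in[$key]) ? $in[$key] : $default;
}

// Hypothetical stand-in for the hashing step; algorithm and key are assumed.
function example_hash(string $passwd, string $secret): string
{
    return hash_hmac('sha256', $passwd, $secret);
}

// Constructed sample inputs standing in for $_POST['in'].
$samples = [
    'normal'          => ['passwd' => 'hunter2', 'package_name' => 'Website problem'],
    'array passwd'    => ['passwd' => ['ooops' => 'x'], 'package_name' => 'Website problem'],
    'missing package' => ['passwd' => 'hunter2'],
    'in not an array' => 'plain-string',
];

$secret = 'constructed-demo-key';

foreach ($samples as $label => $in) {
    $passwd  = string_field($in, 'passwd');
    $package = string_field($in, 'package_name');

    // Reject before anything type-sensitive runs, so no TypeError is thrown.
    if ($passwd === '' || $package === '') {
        echo "$label: rejected (missing or non-string field)\n";
        continue;
    }
    echo "$label: ok, hash=" . example_hash($passwd, $secret) . "\n";
}
```

Only the first sample reaches hash_hmac(); the other three are rejected with a controlled message instead of an uncaught error. Keeping display_errors off on the public host additionally keeps file paths out of responses if some other error slips through.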
