Edit report at https://bugs.php.net/bug.php?id=81460&edit=1

ID:                 81460
Updated by:         aaronjun...@php.net
Reported by:        ddpm at liscovius dot de
Summary:            Bad validation of input parameters of report.php
-Status:            Re-Opened
+Status:            Closed
Type:               Bug
Package:            Website problem
PHP Version:        Irrelevant
-Assigned To:
+Assigned To:       aaronjunker
Block user comment: N
Private report:     N

New Comment:

The fix for this bug has been committed.

Since the websites are not directly updated from the repository, the
fix might need some time to spread across the globe to all mirror
sites, including PHP.net itself.

Thank you for the report, and for helping us make PHP.net better.

Previous Comments:
------------------------------------------------------------------------
[2021-09-24 17:44:46] ddpm at liscovius dot de

I **quickly** made some edits:
https://github.com/php/web-bugs/pull/103
and
https://github.com/php/web-bugs/pull/104

Please test/review.

------------------------------------------------------------------------
[2021-09-24 16:49:40] c...@php.net

Thank you for the clarification! A PR would be welcome.

------------------------------------------------------------------------
[2021-09-24 16:36:29] ddpm at liscovius dot de

You might change the title to 'better validation of input parameters of report.php' or something like that.

I got full path with PHP8 when I change the in[passwd] to in[passwd][ooops] in the report.php form as POST parameter in[passwd]

Better add is_string() or similar check before passing to hash_hmac().

Fatal error: Uncaught TypeError: hash_hmac(): Argument #2 ($data) must be of type string, array given in /var/www/html/bugs/include/functions.php:1692
Stack trace:
#0 /var/www/html/bugs/include/functions.php(1692): hash_hmac()
#1 /var/www/html/bugs/www/report.php(224): bugs_get_hash()
#2 {main}
  thrown in /var/www/html/bugs/include/functions.php on line 1692

Also spits 'Warning: Undefined array key "package_name" in /var/www/html/bugs/www/report.php on line 70' when I submit form without selecting a package_name on local dev engine with PHP8.0.10

------------------------------------------------------------------------
[2021-09-23 12:41:32] ni...@php.net

Assuming this is no longer needed...

------------------------------------------------------------------------
[2021-09-20 07:59:36] c...@php.net

> I assume bugs.php.net uses an older version or suppresses
> errors.

Likely both.

> will do github PR if verified.

Would be welcome anyway.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=81460
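
The type check suggested in the 2021-09-24 16:36:29 comment, as an added example that is not part of the original thread and is not the php/web-bugs code. The helper names, the HMAC algorithm, the key and the sample request bodies are assumptions made up for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from php/web-bugs): return $input[$key] only when
// it is a string. An array such as in[passwd][ooops]=x, or a missing key,
// yields null instead of reaching a string-only function.
function input_string(array $input, string $key, int $maxLen = 255): ?string
{
    $value = $input[$key] ?? null;   // ?? avoids "Undefined array key" warnings
    if (!is_string($value) || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

// Hypothetical stand-in for the hashing step seen in the stack trace.
// Algorithm and key are constructed placeholders, not the site's values.
function passwd_hmac(array $in, string $key = 'PLACEHOLDER_KEY'): ?string
{
    $passwd = input_string($in, 'passwd');
    return $passwd === null ? null : hash_hmac('sha256', $passwd, $key);
}

// Constructed request bodies, shaped the way PHP parses in[...] POST fields.
$samples = [
    'normal'       => ['passwd' => 'secret', 'package_name' => 'Website problem'],
    'array passwd' => ['passwd' => ['ooops' => 'x'], 'package_name' => 'Website problem'],
    'no package'   => ['passwd' => 'secret'],
];

foreach ($samples as $label => $in) {
    $errors = [];
    if (passwd_hmac($in) === null) {
        $errors[] = 'passwd must be a string';
    }
    if (input_string($in, 'package_name') === null) {
        $errors[] = 'package_name is required';
    }
    // Report a validation message to the client instead of letting a
    // TypeError surface with the server's file paths.
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok', PHP_EOL;
}
```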