Textpattern Forum


#1 2012-07-26 17:21:32

zero
Member
From: Lancashire
Registered: 2004-04-19
Posts: 1,031

Tag error txp:php

I am getting this error message: Tag error: <txp:php> -> Notice: Undefined index: s3 on line 2

The s3 is used in my <head> like so:

<txp:php> 
if ($_COOKIE['s3']) { ?> 
<link rel="stylesheet" type="text/css" media="print" href="<txp:site_url />css/<?= $_COOKIE['s3']; ?>.css" /> <?php } </txp:php>

I have options for 3 styles. Clicking one sends the style to switch.php, which sends cookie s3 to the document. (AFAIK, I didn’t write the php)

On first load of a page in a new browser, I get the error message. If I click a style I no longer get the error message. How do I set a default or something so that s3 is defined or the error message does not appear?

switch.php goes like this:

<?php 
$domain = "mysite.com"; 
if (stristr($_SERVER['HTTP_REFERER'], $domain)) { 
 $bounce_url = $_SERVER['HTTP_REFERER']; 
} else { 
 $bounce_url = "http://$domain/"; 
} 
setcookie('s3', $_GET['style'], time() + 31536000); 
header("Location: $bounce_url"); 
?>

Last edited by zero (2012-07-26 17:27:44)


TXPQ Examples and discussion of Textpattern CMS quality.


#2 2012-07-26 18:10:47

Gocom
Developer
Registered: 2006-07-14
Posts: 4,403

Re: Tag error txp:php

Peter, I’m glad you were getting the notices which prompted you to ask for help here. Not because issues are fun or because I want your life to be miserable, but because there are some bigger things wrong with the mentioned code in terms of security.

The error message, well, notice, that you are getting pops up because the script has some validity issues and doesn’t check whether the cookie exists before trying to access it. Not anything utmost critical. What is bad about the script are security issues, most notably, the script allows an attacker to execute any code on the server due to poor XSS handling.

switch.php?style=<txp:php> safe_delete('textpattern', '1=1'); </txp:php>

Requesting the above would delete all articles from the site’s database. This is due to the script returning any value from the HTTP cookie to the page template without sanitizing it first. As a cookie comes from a client directly, this can be used to inject anything to the page template. Due to Textpattern’s tag parsing, this injected value is then parsed and executed as a server-side code.

Okay. Let’s start from the <head>‘s PHP block and clean it a bit too. Variable and if_variable tags offer a great way to do generic comparison operations. They can make the syntax much easier to read and understand. Like so:

<txp:variable name="style"><txp:php>
	echo htmlspecialchars(cs('s3'));
</txp:php></txp:variable>

<txp:if_variable name="style">
	<link rel="stylesheet" type="text/css" media="print" href="<txp:site_url />css/<txp:variable name="style" />.css" />
</txp:if_variable>

To provide appropriate security against injections, the above uses htmlspecialchars() to clear the cookie’s value. Textpattern’s own function, cs(), is used to return the cookie’s value. It’s used to prevent the notices you were seeing.

The switch.php doesn’t have as big issues. Well, it’s merely vulnerable to CSRF attacks and can be used to do redirection injections. Client-side stuff. Nothing as horribly dangerous.

This switcher can be implemented directly in Textpattern’s page template, which then removes the need for redirects. For instance, the following could be placed at the very top of the page template:

<txp:php>
	if(gps('style')) {
		setcookie('s3', gps('style'), time() + 31536000);
		$_COOKIE['s3'] = gps('style');
	}
</txp:php>

The above creates the same cookie as switch.php. When creating the cookie, it also writes it to memory, which removes the need for the redirection.

Last edited by Gocom (2012-07-26 18:13:09)


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />

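An added example, not code from the thread or from Textpattern itself: the switcher logic from the post above written as plain PHP that runs from the command line, with the two fixes Jukka describes applied (the style name is checked against a fixed list before it can reach the template, and switch.php’s redirect only honours a referer whose host is the site’s own). The function names, the list of three style names and the sample inputs are assumptions; Textpattern’s cs() and gps() are replaced by plain array access because the script runs outside Textpattern.

```php
<?php
// Added example (assumed names and values), not the forum's or Textpattern's code.
declare(strict_types=1);

// The three stylesheets the switcher may select (assumed names).
const ALLOWED_STYLES = ['small', 'medium', 'large'];
const COOKIE_NAME    = 's3';

/**
 * Return the value only if it names a known style, otherwise null.
 * A crafted value such as one containing <txp:php> is rejected here, so it
 * can never be echoed into the page template where Textpattern would parse it.
 */
function validate_style($value): ?string
{
    if (!is_string($value)) {
        return null;
    }
    return in_array($value, ALLOWED_STYLES, true) ? $value : null;
}

/**
 * Mirror the top-of-template snippet: a ?style= request parameter wins,
 * otherwise fall back to the cookie. The ?? operator replaces the isset()
 * check that the original <head> code lacked (the source of the notice).
 */
function choose_style(array $get, array $cookies): ?string
{
    $fromRequest = validate_style($get['style'] ?? null);
    if ($fromRequest !== null) {
        return $fromRequest;
    }
    return validate_style($cookies[COOKIE_NAME] ?? null);
}

/**
 * Build the <link> element. htmlspecialchars() is kept as a second layer even
 * though the allow-list already guarantees a harmless value.
 */
function stylesheet_link(?string $style, string $siteUrl): string
{
    if ($style === null) {
        return '';
    }
    $href = $siteUrl . 'css/' . htmlspecialchars($style, ENT_QUOTES, 'UTF-8') . '.css';
    return '<link rel="stylesheet" type="text/css" media="print" href="' . $href . '" />';
}

/**
 * Decide where a switch.php-style redirect may go. Only a referer whose parsed
 * host equals the site's domain (and whose scheme is http or https) is used;
 * anything else falls back to the home page.
 */
function safe_bounce_url(?string $referer, string $domain): string
{
    $home = 'http://' . $domain . '/';
    if ($referer === null) {
        return $home;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'], $parts['scheme'])) {
        return $home;
    }
    if (strcasecmp($parts['host'], $domain) !== 0
        || !in_array($parts['scheme'], ['http', 'https'], true)) {
        return $home;
    }
    return $referer;
}

// Constructed sample inputs: a first visit (no cookie), a legitimate choice,
// a request parameter overriding the cookie, and a cookie carrying the kind of
// template tag the post above warns about.
$cases = [
    'first visit'  => [[], []],
    'cookie'       => [[], [COOKIE_NAME => 'small']],
    'request wins' => [['style' => 'large'], [COOKIE_NAME => 'small']],
    'injected tag' => [[], [COOKIE_NAME => '<txp:php> /* anything */ </txp:php>']],
];
foreach ($cases as $label => [$get, $cookies]) {
    $style = choose_style($get, $cookies);
    printf("%-12s -> style=%s link=%s\n", $label, var_export($style, true),
        stylesheet_link($style, 'http://mysite.com/') ?: '(none)');
}

// Redirect decisions for an own-site referer and a foreign one (constructed).
foreach (['http://mysite.com/about', 'http://other.example/page', null] as $referer) {
    printf("referer %s -> %s\n", var_export($referer, true), safe_bounce_url($referer, 'mysite.com'));
}
```

Run it with the php command-line binary: the injected-tag case yields no stylesheet link at all, and only the referer on the site’s own host is used as a redirect target. Inside a real Textpattern template the same validate_style() check would wrap the value returned by cs() or gps() before it is written to the cookie or echoed into the page.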

#3 2012-07-26 19:10:10

zero
Member
From: Lancashire
Registered: 2004-04-19
Posts: 1,031

Re: Tag error txp:php

Thanks Jukka. I’ve used that php style switcher on a few sites so I’ve been extremely lucky someone hasn’t deleted my database! Similar to last month when you saved me from disastrous code connected with cookie. I am very grateful, as must be many people on this forum.

I now have to figure out how to tell the top-of-page php that there is a style. I had this before:

Choose font size: <span id="smallish">
<a href="<txp:site_url />switch.php?style=small">o</a>
</span>

I’m sure it is very simple but it hasn’t clicked with me yet… I don’t understand the gps bit. Do I use adi_gps?


TXPQ Examples and discussion of Textpattern CMS quality.


#4 2012-07-26 19:46:56

Gocom
Developer
Registered: 2006-07-14
Posts: 4,403

Re: Tag error txp:php

Nah, no plugins are required or anything like that. That gps bit in the PHP is all core stuff. It returns the value of the HTTP GET parameter named style. Almost the same link works. If you have the switcher snippet at the top of each page, you can just drop the switch.php and site URL part from the link. Like so:

Choose font size: <span id="smallish">
	<a href="?style=small">o</a>
</span>

The above creates a relative link that loops back to the same directory. This will keep you on the same page/context as long as clean URLs are used and no other URL parameters are present. If Textpattern’s messy URLs are used, it would direct you to the home page, as it overwrites the current URL parameters. This can be aided by simply adding all the other appropriate parameters that need to be kept to the URL. Using the request URI could be an option too. E.g.

Choose font size: <span id="smallish">
	<a href="?s=<txp:section />&amp;c=<txp:category /><txp:if_individual_article>&amp;id=<txp:article_id /></txp:if_individual_article>&amp;style=small">o</a>
</span>

The above keeps the parameters s (section), c (category) and id (article) in the target URL. This is, for the most part, only needed for a site using messy URL mode. For clean URLs the first option is enough.


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />


#5 2012-07-26 20:35:04

zero
Member
From: Lancashire
Registered: 2004-04-19
Posts: 1,031

Re: Tag error txp:php

Brilliant Jukka! You make it so simple and explain it very clearly. I think ?style would have come to me eventually, but without you explaining it, I wouldn’t really have known why/how it works. Then again, I’ve probably read about it or even used it before somewhere and simply completely forgotten it! Ah, the joys of old age! I learn something new every day, even if it is the same as I learned last week! It’s great being able to watch old films four times and each time I am convinced I’ve never seen it before ;-)


TXPQ Examples and discussion of Textpattern CMS quality.



Powered by FluxBB