Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2020-12-24 13:23:23

Myusername
Member
Registered: 2019-12-12
Posts: 162

Forms with strange behavior

I am using forms to insert embeds in my publications. Twitter, youtube, instagram and etc. However, lately I’ve been noticing a little strange behavior that I can’t identify the problem.

For example, when I add an embed from Youtube, I should write the following:

<txp::youtube url="https://youtu.be/sY8gUtyeAKE" />

Here is the code of the form:

<txp:variable name="video_id" escape="tidy">
    <txp:php>
        $url = parse('<txp:yield name="url"/>');
        preg_match('%(?:youtube(?:-nocookie)?\.com/(?:[^/]+/.+/|(?:v|e(?:mbed)?)/|.*[?&]v=)|youtu\.be/)([^"&?/ ]{11})%i', $url, $match);
        $youtube_id = $match[1];
        echo $youtube_id;
    </txp:php>
</txp:variable>

<txp:if_variable name="if_page_amp" value="1">

    <div class="amp_video_wrap">
        <amp-youtube data-videoid='<txp:variable name="video_id"/>' layout="responsive" width="480" height="270"></amp-youtube>
    </div>

<txp:else/>

    <txp:if_yield name="full">
        <div class="p_video full video_wrap">
    <txp:else/>    
        <div class="p_video alinhado video_wrap">
    </txp:if_yield>

        <iframe src='https://www.youtube.com/embed/<txp:variable name="video_id"/>' frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

    </div>
</txp:if_variable>

I would say that everything is correct, even because everything works as expected, except that SOMETIMES NOT!

And when this bug happens, I just have to duplicate the publication and the form will work again. That is, this is not an error in the code, because I duplicated the article, so everything is exactly the same! But one works, the other doesn’t. Any explanation for that?

Offline

#2 2020-12-24 13:30:22

Myusername
Member
Registered: 2019-12-12
Posts: 162

Re: Forms with strange behavior

Okay, I think I managed to find the “problem”. Users who have lower privileges cannot add php to articles, correct? Any way for me to get around this?

Offline

#3 2020-12-24 13:54:21

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: Forms with strange behavior

Only publishers and managing editors can put PHP in articles (as long as the corresponding pref is set).

Yes you can get round it either by hacking admin_config.php to widen the permission scope there to lower tier user (not recommended unless you want to repatch after every upgrade).

Or, write a tiny admin plugin that runs on the Write panel and tinkers with the global $txp_permissions array. If you set that plugin to run low (below 5 load order) then it should kick in and alter the values in time so the panel will honour the save request that includes the PHP. Untested, but it should work.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#4 2020-12-24 13:57:02

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: Forms with strange behavior

Btw, there is a plugin: bot_privs I think. Or rah_privileges or something, I forget. These allow you to mess with the permissions en masse.

My smd_user_manager also does, but that’s more of a sledgehammer and doesn’t work with the most recent (Txp 4.7+) versions yet.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#5 2020-12-24 15:35:25

Myusername
Member
Registered: 2019-12-12
Posts: 162

Re: Forms with strange behavior

Users with low privileges cannot add PHP to articles, and that seems right to me.

But when it comes to the forms added to the articles, does that make sense? Anyway, only those who have access to them can create forms. No user with low privilege could add any PHP to the article, except through a form that can only be created by a user with the necessary privileges for that. That way, it would not limit users to using forms. And if it is the case that the administrator does not want the form to be used by a group of users, use txp:if_logged_in.

That was just a thought I had. Thanks for clarifying and giving me some options.

Offline

#6 2020-12-24 23:31:23

etc
Developer
Registered: 2010-11-11
Posts: 5,028
Website GitHub

Re: Forms with strange behavior

That looks reasonable (and easy to do), though not totally bw-compatible. Thoughts?

Offline

#7 2021-01-05 14:48:05

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,578
Website

Re: Forms with strange behavior

Myusername wrote #327790:

… No user with low privilege could add any PHP to the article, except through a form that can only be created by a user with the necessary privileges for that. That way, it would not limit users to using forms. And if administrators want to restrict a form’s use to a group of users, they could use txp:if_logged_in.

I’ve come up against this several times before. To get around this, I even went as far as making a mini plugin where a shortcode tag would have sufficed. So, I like Myusername’s suggestion. In summary that would be:

  • Low-privilege users can’t add txp:php directly to an article (as before).
  • Those same low-privilege users don’t have access to editing forms / pages (as before, I think).
  • Permit txp:php when encapsulated in a form called via a shortcode or output_form. Users are unable to edit it, so the onus is on the developer/admin to ensure it is safe.
  • Perhaps check that txp:php can’t be passed into a shortcode form via a yield statement or attribute.

Could we then regard that as being “sufficiently secure” against misuse by guest users?


TXP Builders – finely-crafted code, design and txp

Offline

#8 2021-01-05 15:43:20

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: Forms with strange behavior

jakob wrote #328045:

Low-privilege users can’t add txp:php directly to an article. Those same low-privilege users don’t have access to editing forms / pages.

Yes, I think this is how it works now. Would have to check.

Permit txp:php when encapsulated in a form called via a shortcode or output_form. Users are unable to edit it, so the onus is on the developer/admin to ensure it is safe.

That sounds reasonable.

Perhaps check that txp:php can’t be passed into a shortcode form via a yield statement or attribute.

I think this happens now already. Not sure. Here’s my simple test:

  1. Ensure prefs Allow PHP in articles and Allow PHP in pages are enabled.
  2. Create Form php_inject (content shown below) as a Publisher/Managing Editor user.
  3. Create article ‘PHP Test’ (content shown below) as a Copy Editor user.
  4. View the article. Result: Tag error: Textpattern Notice: Author is not permitted to use PHP code. while parsing form default on page default for both PHP blocks.
  5. Duplicate the article as a Publisher user. Just click Save.
  6. View the article. Result: Code runs as expected.

Form php_inject:

Running injected:
<txp:yield name="php" />

Running embedded:
<txp:php>
global $thisarticle;
dmp($thisarticle);
</txp:php>

Article:

<txp:output_form form="php_inject" php='<txp:php>global $pretext; dmp ($pretext);</txp:php>' />

So, from that, it seems as if passing PHP into forms is already forbidden IF the article is created by an author who does not have article.php privileges. So we must be checking the author name at runtime.

BUT, interestingly, Copy Editors have the ability to edit published articles, so if you switch back to your Copy Editor account, you can make changes to the Publisher’s original article, alter the PHP, save it and have your modified PHP code executed.

This definitely has merit as an idea. Having PHP ‘hard-coded’ inside a form should be permissible, but passing it in should not. A few questions/caveats:

  • Can we detect the difference between code passed in from a restricted account vs code already added to a shortcode/form by a more trusted user?
  • Would execution still be forbidden if ‘allow PHP in articles’ is off? Or is PHP in forms governed by the ‘allow PHP in pages’ pref?
  • What happens if someone uses an override form that contains PHP, when the prefs are in various states?

Either way, I think we need to review some of these user levels and their privileges as part of this.

Last edited by Bloke (2021-01-05 15:47:18)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#9 2021-01-05 16:37:41

etc
Developer
Registered: 2010-11-11
Posts: 5,028
Website GitHub

Re: Forms with strange behavior

Bloke wrote #328048:

BUT, interestingly, Copy Editors have the ability to edit published articles, so if you switch back to your Copy Editor account, you can make changes to the Publisher’s original article, alter the PHP, save it and have your modified PHP code executed.

DOH! Hilarious, as Jukka used to say. We should either enable PHP for Copy Editors or forbid editing admin articles or check LastModID when parsing <txp:php />.

Offline

#10 2021-01-05 16:51:40

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: Forms with strange behavior

etc wrote #328050:

DOH! Hilarious, as Jukka used to say. We should either enable PHP for Copy Editors or forbid editing admin articles or check LastModID when parsing <txp:php />.

I’m fine with any/all of the above. Whatever makes most sense when we review the privs. Or, y’know, now in 4.8.5 if we want to close the hole.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#11 2021-01-05 16:58:20

etc
Developer
Registered: 2010-11-11
Posts: 5,028
Website GitHub

Re: Forms with strange behavior

It looks like CE can edit Forms anyway, so option 1 for me.

Offline

#12 2021-01-05 17:04:30

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: Forms with strange behavior

etc wrote #328053:

It looks like CE can edit Forms anyway, so option 1 for me.

That makes sense. If we trust them to edit forms that can have PHP in them, then there’s not much issue with allowing them to do that in articles too.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

Board footer

Powered by FluxBB