Bug #23407
closed
code issue in method getCookie()
0%
Description
There are two issues with the getCookie function in t3lib_userauth.php:
protected function getCookie($cookieName) {
if (isset($_SERVER['HTTP_COOKIE'])) {
$cookies = t3lib_div::trimExplode(';', $_SERVER['HTTP_COOKIE']);
foreach ($cookies as $cookie) {
list ($name, $value) = t3lib_div::trimExplode('=', $cookie);
=1=> if ($name == $cookieName) {
// Use the last one
=2=> $cookieValue = stripslashes($value);
}
}
} else {
// Fallback if there is no HTTP_COOKIE, use original method:
$cookieValue = isset($_COOKIE[$cookieName]) ? stripslashes($_COOKIE[$cookieName]) : '';
}
return $cookieValue;
}
=1=
Strings should be compared using strcmp(), as numeric strings are compared numeric. So cookie names like 1.23E3 wouldn't work.
=2=
should be $cookieValue = urldecode($value)
stripslashes() is not needed as $_SERVER is not affected by magic_quotes.
Original post has been translated by Steffen Gebert
Original post:
Bei der Durchsicht der Typo3-Datei /t3lib/class.t3lib_userauth.php habe ich ein paar kleine Fehler im Code entdeckt:
protected function getCookie($cookieName) {
if (isset($_SERVER['HTTP_COOKIE'])) {
$cookies = t3lib_div::trimExplode(';', $_SERVER['HTTP_COOKIE']);
foreach ($cookies as $cookie) {
list ($name, $value) = t3lib_div::trimExplode('=', $cookie);
=1=> if ($name == $cookieName) {
// Use the last one
=2=> $cookieValue = stripslashes($value);
}
}
} else {
// Fallback if there is no HTTP_COOKIE, use original method:
$cookieValue = isset($_COOKIE[$cookieName]) ? stripslashes($_COOKIE[$cookieName]) : '';
}
return $cookieValue;
}1. Stelle:
Der "==" Operator vergleicht numerische Strings numerisch. Im allgemeinen Fall würde dieser Vergleich deshalb nicht für exotische Cookienamen wie z.B. "1.23E3" funktionieren. Ersatz: strcmp()
2. Stelle:
Die markierte Zeile sollte meiner Meinung nach so aussehen:
$cookieValue = urldecode($value);
"stripslashes" ist nicht nötig, da $_SERVER-Variablen von den magic quotes nicht beeinflusst werden und "urldecode" ist nötig, um den Wert zu dekodieren.
Im Falle der Sessions spielt dies in der Praxis natürlich keine Rolle. Eine kleine Optimierung wäre ebenfalls möglich: Der erste Aufruf von "trimExplode" kann durch das normale "explode" ersetzt werden.
Herzlichen Dank für Ihre Arbeit an typo3 und freundliche Grüsse
(issue imported from #M15503)
Files
Updated by Steffen Gebert over 14 years ago
Thanks for your report, Michael!
As TYPO3 is not only a german project, we're talking english here ;-)
I see the problem with the comparison. That's why our Coding Guidelines advice us to use strict comparison using === for strings.
Could you create a patch against the SVN repository [1] and later send it to the core team mailing list [2] to get this into the next release of TYPO3?
Thanks for helping to make TYPO3 a better CMS!
Steffen
[1] https://svn.typo3.org/TYPO3v4/Core/trunk/
[2] http://typo3.org/teams/core/core-mailinglist-rules/
Updated by Michael Buergi over 14 years ago
Hi Steffen
sorry and thanks for the translation. I had mailed that bug to Ernesto Baschny a while ago. since nothing happened, I decided to post it here. most people here seem to speak german, so I saved myself a bit of time...
the patch is ready. I have uploaded it here and I will mail it to the core team soon.
regards
Mike
Updated by Steffen Gebert over 14 years ago
Hi Michael,
thanks. The bug tracker here is the right place for this ;-)
Doesn't === do the same job like your strcmp()? If yes, please change it, as it's more readable.
One question: I think getCookie() is only used while authentication, so only (fe|be)_typo_user are the used cookie names. Did you have a closer look? Is there really a case, where such problematic cookies can be set?
Updated by Michael Buergi about 14 years ago
Hi Steffen
Doesn't === do the same job like your strcmp()? If yes, please change it, as it's more readable.
I prefer strcmp() because I want the arguments typecasted to strings before the comparison. therefore it is not equivalent.
about your 2nd question:
you are right. it is currently only used for reading the auth cookies. But you never know... code gets duplicated all the time. and it would be better to duplicate a getCookie() method that works on all cases than a special version just for auth cookies.
Nevertheless, I think, it would be best to have a method in t3lib_div that reads cookies:
like
public static function _COOKIE($var, $allow_multiple_cookies= false) {
...
}
if $allow_multiple_cookies == true, this method would work like our auth getCookie(). otherwise, it would return $_COOKIE[$var]
Updated by Michael Buergi about 14 years ago
I'm about the post this patch to the core mailing list. added a new patch file that uses a file path that is relative to the typo3 root folder.
Updated by Steffen Gebert about 14 years ago
Committed to
- trunk rev. 9208
- 4-4 rev. 9207
- 4-3 rev. 9206
- 4-2 rev. 9205
Thanks for your contribution, Michael!
Updated by