phpCOIN


Email Appears To Be Invalid.
mkdir
Posted: February 16, 2015 07:50 am
Group: Members

I have installed phpCOIN 1.6.5 fixed by own3mall on PHP 5.4, but I have the following problem. Whenever I try to add a new client, it gives an error in the email field.

Email appears to be invalid.
lightman
Posted: February 16, 2015 06:19 pm
Group: Admin

We do have a user kindly working on a version of phpCOIN that should be compatible with PHP 5.4.x but I have no date at the moment as to when this might be finished.

As to user contributed fixes and code - my suggestion would be to contact own3mall directly.


--------------------
***** Unless otherwise stated, all replies refer to the following *****
====================================================================
--- The latest unmodified version of phpCOIN available from the phpCOIN download page on the date and time of this post.
--- All relevant HotFix files applied - One of the four included unmodified themes - The original language files .
--- Help will be given to install/configure/use phpCOIN, but not programming help to modify phpCOIN operations. If you are competent enough to make programming changes, you should be competent enough to read the source code and figure things out :)
own3mall
Posted: February 21, 2015 02:54 am
Group: Developers

I'll look into this and test it on PHP 5.5.
own3mall
Posted: February 21, 2015 03:15 am
Group: Developers

In coin_includes/core.php, please find the following section:

CODE

function do_validate_email($email, $CheckDomain) {
    $bademail = 0;

    // Use PHP 5.4 preg_match
    // eregi is deprecated
    // fixed by own3mall

    // Old Deprecated
    // IF (!eregi("^" . "[[:alnum:]]+([_\\.-][[:alnum:]]+)*" . "@" . "([[:alnum:]]+([\.-][[:alnum:]]+)*)+" . "\\.[[:alpha:]]{2,}" . "$", $email, $regs)) {

    // NOTE: the escaped \" at both ends become part of the pattern, so
    // preg_match() treats the double quote as the delimiter and the leading
    // "/" as a literal character that must come before the "^" anchor.
    // No address can satisfy that, so every client gets "Email appears to be invalid."
    $pattern = "\"/^[[:alnum:]]+([_\\.-][[:alnum:]]+)*@([[:alnum:]]+([\.-][[:alnum:]]+)*)+\\.[[:alpha:]]{2,}$/i\"";

    if (!preg_match($pattern, $email, $regs)) {
        $bademail = 1;
    } ELSE {
        list($User, $Host) = split("@", $email);
        IF ($CheckDomain) {
            IF (($Host) && (gethostbyname($Host) == $Host)) {$bademail = 2;}
        }
    }
    return $bademail;
}


And replace it with:

CODE

function do_validate_email($email, $CheckDomain) {
    $bademail = 0;

    // Use PHP 5.4 preg_match
    // eregi is deprecated
    // fixed by own3mall

    // Old Deprecated
    // IF (!eregi("^" . "[[:alnum:]]+([_\\.-][[:alnum:]]+)*" . "@" . "([[:alnum:]]+([\.-][[:alnum:]]+)*)+" . "\\.[[:alpha:]]{2,}" . "$", $email, $regs)) {

    // Single-quoted so the \\x escapes reach PCRE unchanged; "/" is the delimiter.
    $pattern = '/^(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){255,})(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){65,}@)(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22))(?:\\.(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-+[a-z0-9]+)*\\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-+[a-z0-9]+)*)|(?:\\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\\]))$/iD';

    if (!preg_match($pattern, $email, $regs)) {
        $bademail = 1;
    } else {
        // split() is deprecated since PHP 5.3 and removed in PHP 7; explode()
        // gives the same user/host pair for a well-formed address.
        list($User, $Host) = explode("@", $email, 2);
        if ($CheckDomain) {
            if (($Host) && (gethostbyname($Host) == $Host)) {$bademail = 2;}
        }
    }
    return $bademail;
}


Sorry, the code blocks on the forum don't seem to keep the spacing that my editor shows...

Updated my unofficial release version with this change here:

http://dinofly.com/files/phpcoin_v166_own3mall_bugfixes.zip

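An added example, not code from own3mall's release or from phpCOIN, that shows why the first pattern above rejects every address and then runs a minimally repaired version of the same POSIX-class expression over a few constructed addresses. The `$repaired` pattern and the `validate_with` helper are assumptions of this example, not the replacement own3mall shipped.

```php
<?php
// Added example (not phpCOIN code): why the first pattern rejects every address.

// The string from the original core.php. The escaped \" at both ends survive
// into the PCRE pattern, so PCRE takes the double quote as the delimiter and
// the leading "/" as a literal character that must precede the "^" anchor.
// No input can satisfy that, so preg_match() always returns 0.
$broken = "\"/^[[:alnum:]]+([_\\.-][[:alnum:]]+)*@([[:alnum:]]+([\.-][[:alnum:]]+)*)+\\.[[:alpha:]]{2,}$/i\"";

// The same expression with "/" as the delimiter and the stray quotes removed.
// Assumption: this is the minimal repair, not the longer pattern own3mall
// shipped in the replacement above.
$repaired = '/^[[:alnum:]]+([_.-][[:alnum:]]+)*@([[:alnum:]]+([.-][[:alnum:]]+)*)+\.[[:alpha:]]{2,}$/i';

/**
 * Mirrors do_validate_email(): 0 = ok, 1 = bad syntax, 2 = host does not resolve.
 * explode() stands in for the deprecated split() used in core.php.
 */
function validate_with($pattern, $email, $checkDomain = false)
{
    if (!preg_match($pattern, $email)) {
        return 1;
    }
    list($user, $host) = explode('@', $email, 2);
    if ($checkDomain && $host !== '' && gethostbyname($host) === $host) {
        return 2;
    }
    return 0;
}

// Constructed sample addresses (reserved example domains; no DNS lookups made).
$samples = array(
    'client@example.com',
    'first.last@mail.example.org',
    'not-an-address',
    'double@@example.net',
);

foreach ($samples as $email) {
    printf("%-28s broken=%d repaired=%d\n",
        $email, validate_with($broken, $email), validate_with($repaired, $email));
}
```

Run it with the php command-line binary: the `$broken` column reports 1 for every sample, while `$repaired` accepts only the first two.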
own3mall
Posted: February 21, 2015 03:27 am
Group: Developers

Please let me know if you find more bugs! I'd be happy to fix them.
mkdir
Posted: February 23, 2015 12:50 pm
Group: Members

Thanks for the help.
mkdir
Posted: March 19, 2015 08:26 pm
Group: Members

QUOTE (own3mall @ February 21, 2015 02:27 am)
Please let me know if you find more bugs! I'd be happy to fix them.

I found one more bug: when I change or add a link (Links Misc.) and save it, it removes the http://
lightman
Posted: March 20, 2015 09:20 am
Group: Admin

I think the removal of the http:// is coming from the emergency security.php file that I attempted to code in response to the last round of exploits that were attacking the program. It really needs a 'proper' (e.g. someone other than me!) developer to go over it and revise it.


--------------------
***** Unless otherwise stated, all replies refer to the following *****
====================================================================
--- The latest unmodified version of phpCOIN available from the phpCOIN download page on the date and time of this post.
--- All relevant HotFix files applied - One of the four included unmodified themes - The original language files .
--- Help will be given to install/configure/use phpCOIN, but not programming help to modify phpCOIN operations. If you are competent enough to make programming changes, you should be competent enough to read the source code and figure things out :)
PM
Top
own3mall
Posted: March 24, 2015 09:46 pm
Quote Post


Member
**

Group: Developers
Posts: 14
Member No.: 4,114
Joined: December 20, 2009



QUOTE (lightman @ March 20, 2015 08:20 am)
I think the removal of the http:// is coming from the emergency security.php file that I attempted to code in response to the last round of exploits that were attacking the program. It really needs a 'proper' (e.g. someone other than me!) developer to go over it and revise it.

I see what you did there in the function "do_parse_input_data"...

There are several things we could do about this bug.

1. If the user is not an admin, we could strip_tags on all input instead of using that array of tags you're stripping out. This would strip all tags out from client and anonymous user input. However, we would exclude admin input from being stripped, as the Admin should be able to edit pages and use HTML within those pages. So basically, we assume admins are the only ones that can use HTML in their input.

2. I could fix this individual bug by calling make_valid_link function.

I like idea #1 the best because it would greatly improve security. However, I'm not sure if at any point a client should be able to input HTML... I'm not as familiar as you are with the usage of phpCOIN, as my own usage for it is very basic.

We could also specify exceptions in strip_tags function. If you want to go that route, let me know which tags should be allowed or if we should strip all tags from client or anonymous user input.

Please let me know what you think, and I'll fix it.


::EDIT::

It looks like that function is only used for ORDER action and in a few more places. So, it shouldn't hurt to put strip_tags there and get rid of that array in config.php. This doesn't solve the bug though, so your change had nothing to do with it. I think I know how to fix it though.

In security.php, it is removing any entry of http:// and https:// after strip_tags has been called. I removed that because strip_tags will make the input safe. http:// is fine for input, especially URL input. That fixes this bug. Thoughts on this?

lightman
Posted: March 25, 2015 06:05 am
Group: Admin

The issue I was facing was that we need http:// and https:// and ftp:// to be inserted in orders, domains, helpdesk, emails, notes etc BUT I was struggling to deal with XSS and RFI calls that were successfully downloading and running webshell code to the apache tmp folder.

My preference would be to validate all data within acceptable known input parameters (rather than just strip out everything that might be harmful), and prevent any exec or XSS or RFI from input being parsed from the input data that did allow them.

It seemed to be a task that needed the core code being updated or a massive security file dealing with every input variable on a case by case basis and user/logged-in-user/admin status - way past my pay grade.

Any suggestions are welcome - I am just not sure I am sufficiently qualified to be able to make an educated judgement call on them.


--------------------
***** Unless otherwise stated, all replies refer to the following *****
====================================================================
--- The latest unmodified version of phpCOIN available from the phpCOIN download page on the date and time of this post.
--- All relevant HotFix files applied - One of the four included unmodified themes - The original language files .
--- Help will be given to install/configure/use phpCOIN, but not programming help to modify phpCOIN operations. If you are competent enough to make programming changes, you should be competent enough to read the source code and figure things out :)
PM
Top
own3mall
Posted: April 01, 2015 12:06 am
Quote Post


Member
**

Group: Developers
Posts: 14
Member No.: 4,114
Joined: December 20, 2009



After carefully researching our options to solve this problem, I have added the HTML Purifier library to the force edition of phpCOIN. A new EnhancedSecurity class has been added with the isAdmin function and the calls needed to the HTML Purifier library.

Admin user input will be purified by this library. All HTML input by an admin is allowed as long as it is not deemed malicious by the HTML Purifier library.

Normal users are not allowed to use any HTML markup. php's default strip_tags function is used for normal users. This should stop all HTML input from non-admin users. I don't see a situation in which we allowed customers or anonymous users to use HTML, so I think this is a safe bet. As for cross site scripting concerns, it looks like we do not use any customer or anonymous user input in attributes for HTML markup, so I believe strip_tags is sufficient and will work to filter all HTML from non-admin users.

Please test the version below, which should solve the original issue you posted about, mkdir:

http://sourceforge.net/projects/phpcoinfor...ot.zip/download

To install, simply extract the files and replace all existing phpCOIN files EXCEPT FOR config.php with the new ones.

If anyone identifies a case where strip_tags is not enough, please let me know.
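An added example, not phpCOIN's EnhancedSecurity class, that implements the policy described in the post above (strip_tags for non-admin input, HTML Purifier for admin input when that library is loaded) and checks the two cases raised in this thread: a Links Misc. URL surviving intact, and a stored value that still has to be escaped when it is written into an HTML attribute. The `sanitize_input` function, its boolean role argument and the sample inputs are assumptions of this example.

```php
<?php
// Added example (not phpCOIN's EnhancedSecurity class). Assumption: the caller
// already knows whether the current user is an admin and passes that in.

/**
 * Admin input goes through HTML Purifier when the library is loaded; everyone
 * else gets strip_tags(), as described in the post above.
 */
function sanitize_input($value, $isAdmin)
{
    if ($isAdmin && class_exists('HTMLPurifier')) {
        $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
        return $purifier->purify($value);
    }
    // Non-admin input (or admin input without the library): no markup at all.
    return strip_tags($value);
}

// Constructed inputs.
$link = 'http://www.example.com/path?a=1&b=2';              // a "Links Misc." entry
$note = 'Ticket says: <b>urgent</b> & value "quoted" here';  // a support note

// Case 1: strip_tags() leaves the scheme and the rest of a URL untouched, so
// the separate http:// removal that security.php did afterwards is not needed
// for this field to be tag-free in storage.
$storedLink = sanitize_input($link, false);
printf("link unchanged: %s\n", $storedLink === $link ? 'yes' : 'no');

// Case 2: strip_tags() removes tags but does not escape quotes or ampersands.
// It makes the stored value tag-free; when that value is later placed into an
// HTML attribute it still has to be escaped at render time.
$storedNote = sanitize_input($note, false);
printf("stored:  %s\n", $storedNote);
printf("in attr: <input value=\"%s\">\n",
    htmlspecialchars($storedNote, ENT_QUOTES, 'UTF-8'));
```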
lightman
Posted: April 01, 2015 05:50 am
Group: Admin

QUOTE
I don't see a situation in which we allowed customers or anonymous users to use HTML
If HTML is enabled in support and emails..........?


--------------------
***** Unless otherwise stated, all replies refer to the following *****
====================================================================
--- The latest unmodified version of phpCOIN available from the phpCOIN download page on the date and time of this post.
--- All relevant HotFix files applied - One of the four included unmodified themes - The original language files .
--- Help will be given to install/configure/use phpCOIN, but not programming help to modify phpCOIN operations. If you are competent enough to make programming changes, you should be competent enough to read the source code and figure things out :)
PM
Top
own3mall
Posted: April 01, 2015 10:04 pm
Quote Post


Member
**

Group: Developers
Posts: 14
Member No.: 4,114
Joined: December 20, 2009



QUOTE (lightman @ April 01, 2015 04:50 am)
If HTML is enabled in support and emails..........?

You can use HTML for the email templates since an Admin modifies that.

Normal users should not be writing email messages that contain HTML ever in my opinion. That's asking for trouble. What's important in emails is the message, not the HTML that formats it differently.
lightman
Posted: April 02, 2015 04:53 am
Group: Admin

QUOTE
Normal users should not be writing email messages that contain HTML ever in my opinion. That's asking for trouble. What's important in emails is the message, not the HTML that formats it differently.
I agree with you wholeheartedly.....but the HTML option for users was included as a result of popular demand !


--------------------
***** Unless otherwise stated, all replies refer to the following *****
====================================================================
--- The latest unmodified version of phpCOIN available from the phpCOIN download page on the date and time of this post.
--- All relevant HotFix files applied - One of the four included unmodified themes - The original language files .
--- Help will be given to install/configure/use phpCOIN, but not programming help to modify phpCOIN operations. If you are competent enough to make programming changes, you should be competent enough to read the source code and figure things out :)
PM
Top
own3mall
Posted: April 09, 2015 10:41 pm
Quote Post


Member
**

Group: Developers
Posts: 14
Member No.: 4,114
Joined: December 20, 2009



QUOTE (lightman @ April 02, 2015 03:53 am)
I agree with you wholeheartedly.....but the HTML option for users was included as a result of popular demand !

OK, so where exactly can a normal user enter HTML, and can you give me instructions on how to get there as a regular user? I haven't found this spot yet, but I can always mark the sections where a normal user can use HTML to use the purifier library.