I have issue in decoding a url received from an iOS app; the url is of th kind:
percorsoWithOption.php?partenza=Via%20Gaspare%20Balbi%202–8&arrivo=Via%20Conca%20d'Oro&language=it_IT&latitude=41.717835&longitude=12.311369&endLatitude=41.679623&endLongitude=12.484474&json=1
and when I try to decode it at the following:
Online decoder
it is decoded just fine.
Yet when I apply:
if (isset($_GET['arrivo'])) $arrivo=$_GET['arrivo'];
if (isset($_GET['partenza'])) $partenza=$_GET['partenza'];
error_log("*inizio**departure=$partenza, arrival=$arrivo, latitude=$latitude, longitude=$longitude");
if (isset($partenza)) $partenza=urldecode($partenza);
if (isset($arrivo)) $arrivo=urldecode($arrivo);
error_log("***departure=$partenza, arrival=$arrivo, latitude=$latitude, longitude=$longitude");
the logs report the values nearly unchanged:
[Tue Dec 01 12:25:22.566615 2015] [:error] [pid 20812] [client
82.61.145.186:37526] *inizio**departure=Via Gaspare Balbi 2\xe2\x80\x938, arrival=Via Conca d'Oro, latitude=41.717835,
longitude=12.311369 [Tue Dec 01 12:25:22.569876 2015]
[:error] [pid 20812] [client 82.61.145.186:37526] ***departure=Via Gaspare Balbi
2\xe2\x80\x938, arrival=Via Conca d'Oro, latitude=41.717835,
longitude=12.311369
basically the 2\xe2\x80\x938 is left untouched.
It's not "nearly unchanged", it's URL-decoding just fine. The only issue is that the en dash is showing up as "\xe2\x80\x93" in your log.
It's unclear whether this is an issue of how values are logged or viewed, or whether the value is actually "\xe2\x80\x93". To test this, use bin2hex() on your string and see whether it shows up as e28093 (just the – character) or 5c78... (literally "\x...").
That en dash should be sent URL-encoded as %E2%80%93 in the URL, not as the raw character. Fix this on the client.
I ended up using:
-(NSString*)stripNonStandardAndEncode:(NSString*)origin{
NSMutableCharacterSet *charactersToKeep = [NSMutableCharacterSet alphanumericCharacterSet];
[charactersToKeep addCharactersInString:#" ,.'"];
NSCharacterSet *charactersToRemove = [charactersToKeep invertedSet];
NSString *trimmedReplacement = [[ origin componentsSeparatedByCharactersInSet:charactersToRemove] componentsJoinedByString:#""];
return [trimmedReplacement stringByAddingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
}
And now php handles it seamlessly: url decode may have some issue with character '-'
You can use rawurldecode function.
Related
I have ran a security scan in my website and scan report showing security thread in below URL, saying "HTTP header injection vulnerability in REST-style parameter to /catalog/product/view/id"
The following URL adding the custom header XSaint:test/planting-a-stake/category/99 in HTTP Response header.(See the last line in Response Header)
I tried different solutions but no luck! Can any one suggest me to prevent the modifying HTTP Response header.
URL: /catalog/product/view/id/1256/x%0D%0AXSaint:%20test/planting-a-stake/category/99
Response Header:
Cache-Control:max-age=2592000
Content-Encoding:gzip
Content-Length:253
Content-Type:text/html; charset=iso-8859-1
Date:Fri, 26 May 2017 11:27:12 GMT
Expires:Sun, 25 Jun 2017 11:27:12 GMT
Location:https://www.xxxxxx.com/catalog/product/view/id/1256/x
Server:Apache
Vary:Accept-Encoding
XSaint:test/planting-a-stake/category/99
HTTP header injection vulnerability is related to someone injecting data in your application that can be used to insert arbitrary headers (see https://www.owasp.org/index.php/HTTP_Response_Splitting).
In this specific case, the scanner assume the vulnerability might come from the URI put in the Location header:
Location:https://www.xxxxxx.com/catalog/product/view/id/1256/x
The need here is to ensure that the data put into this URI cannot embed the line return characters, to quote the OWASP HTTP Response Splitting page:
CR (carriage return, also given by %0d or \r)
LF (line feed, also given by %0a or \n)
This question already has answers here:
Why shouldn't I use mysql_* functions in PHP?
(14 answers)
Closed 8 years ago.
So PHP is having a lot of trouble dealing with ' characters in strings recently in one of my projects, and I think the main reason behind this is for some crazy reason it's doubling the \ character. I've checked, and magic quotes are off (so this is not the culprit). Anyways, given the following code:
26 $comments = $_POST['comments'];
27 error_log("comments: '$comments'");
28 $comments = mysql_real_escape_string($_POST['comments']);
29 error_log("escaped comments: '$comments'");
I'm seeing the following in the error log:
[Sun Oct 19 14:18:53 2014] [error] [client XXXX] comments: 'something elsewearwerawer's woeimrowiamrw', referer: ...
[Sun Oct 19 14:18:53 2014] [error] [client XXXX] comments escaped: 'something elsewearwerawer\\'s woeimrowiamrw', referer: ...
Even worse, I still see the same behavior after swapping things over to PDO:
error_log("quoted: '" . $db_pdo->quote($comments) . "'");
Even when I do something simple like:
error_log('\\');
or
error_log("\\");
The error log shows:
[Sun Oct 19 17:44:57 2014] [error] [client XXXX] \\, referer: ...
Any idea what is going on here? I'm worried because it looks like this means mysql_real_escape_string (or PDO) is not correctly escaping single quotes in strings, which could lead to a SQL injection. Whenever I try and update/insert with a string with a ' in it, even after calling mysql_real_escape_string or by using quote (or bindParam with a string), it doesn't insert anything after the '
SOLVED: After digging deeper it was actually inserting things into the database correctly, the error was happening on the other end of things when the webpage was pulling from the database and not dealing with the ' correctly, so it was getting cut off in the html.
Your escaping actually looks normal, it only looks like there is double escaping going on because Apache escapes backslashes in its log as described here. Thus, when you see \\' in the log, it is actually just \' in the string you have in PHP. If you want to test this, echo the escaped string instead of using error_log.
You need to turn off magic_quotes_gpc parameter in your php.ini config.
http://php.net/manual/en/security.magicquotes.disabling.php
As a workaround you can remove the slashes it's adding automatically, using stripslashes(), by doing this:
$comments = mysql_real_escape_string( stripslashes( $_POST['comments'] ) );
or this (using PDO)
$comments = $db_pdo->quote( stripslashes( $comments ) );
I have some severely deprecated PHP code that I'm sifting through. One of the problems that I have is hundreds of errors like this:
[Mon Dec 09 07:00:33 2013] [error] [client 127.0.0.1] PHP Notice: Use of undefined constant id - assumed 'id' in /home/srv/site.local/content/online.php on line 171, referer: http://site.local/index.php
These result in the practice of a previous coder of calling arrays like this:
$array[some_element]
instead of:
$array['some_element']
So I know how to fix that by going through each file and adding the quotes, over, and over, and over again. My question is how to write script for this. I imagine this might be a sed or awk script, but I'm not sure. I'm going to start working on a sed as soon as I'm done posting this, but any suggestions?
I don't know anything about php, so I'm not sure whether this solution is a particularly good one:
sed "s|\[[ ]*|\[\'|g;s|[ ]*\]|\'\]|g" test.in
example of use:
[fixarraysubscript $] cat test.in
$array[some_element]
$name1[index]
$name2[index]
$name3[ id ]
$name4[ id2 ]
[fixarraysubscript $]
[fixarraysubscript $] sed "s|\[[ ]*|\[\'|g;s|[ ]*\]|\'\]|g" test.in
$array['some_element']
$name1['index']
$name2['index']
$name3['id']
$name4['id2']
[fixarraysubscript $]
obviously my input file is somewhat contrived. If this doesn't work for you, please feel free to post some real input.
This may work with gnu awk
echo '$array[some_element]' | awk '{print gensub(/\$([^[]+)\[([^]]+)]/,"$\\1["q"\\2"q"]","g")}' q="'"
$array['some_element']
For your file
awk '{print gensub(/\$([^[]+)\[([^]]+)]/,"$\\1["q"\\2"q"]","g")}' q="'" file
or
awk '{print gensub(/\$([^[]+)\[([^]]+)]/,"$\\1[\x27\\2\x27]","g")}' file
EDIT: Changed regex to reflect variable array name.
The thing is very simple:
$results = ldap_search( $ldapconn, 'DC=testdomain,DC=com',
'(&(objectClass=user)(objectClass=computer))' );
This works, getting 3 results.
However, negating the second expression as defined in many manuals and tutorials, returns in Bad Search Filter:
$results = ldap_search( $ldapconn, 'DC=testdomain,DC=com',
'(&(objectClass=user)(!objectClass=computer))' );
Any help?
[Wed Apr 10 16:59:05 2013] [error] [client 127.0.0.1] PHP Warning:
ldap_search(): Search: Bad search filter in /var/www/test2.php on line
29
I think it's because I trusted Microsoft Active Directory's Documentation on LDAP:
http://technet.microsoft.com/en-us/library/aa996205%28v=exchg.65%29.aspx
Other sites mentions the (!(expression)) like http://www.google.com/support/enterprise/static/postini/docs/admin/en/dss_admin/prep_ldap.html
I'm having trouble with a sendmail command.
I'm pulling the values out of a database call, and they look good.
The mail command looks like this:
sendmail(urldecode($row['tracker']),urldecode($row['recipient']),urldecode($row['docurl']),urldecode($row['last_accessed']));
function sendmail($vtracker,$vrecip,$vrawurl,$viewed){
$to = $vtracker;
$subject = $vrecip . " has viewed the presentation you sent them.</br>";
$body= "Full document url: " . $vrawurl . "<br/>".
"Time and Date Viewed: :" .$viewed ;
if (!mail($to, $subject, $body)) {
echo("<p>Message delivery failed...</p>");
}
}
I echoed all the variables and they look ok:
$vtracker: Bob ;
$vrecip : gregmcg#yahoo.com ;
$vrawurl : https://docs.google.com/a/advetel.com/present/edit?id=0Ac_KwUsBMiw8ZGN2Z3N3cDlfMTc3c2Jubng0Z2Q ;
$viewed : Mon, 20 Feb 2012 10:36:22 CST ;
I'm getting an error (retrieved from the error log on the server) that looks like this.
[error] [client 66.249.68.23] File does not exist: /var/chroot/home/content/m/3/s/m3sglobal/html/broadband/missing.html
[Tue Feb 21 20:17:15 2012] [error] [client 70.113.8.83] Failed loading /usr/local/zo/4_3/ZendOptimizer.so: /usr/local/zo/4_3/ZendOptimizer.so: undefined symbol: empty_string
[Tue Feb 21 20:17:17 2012] [error] [client 70.113.8.83] malformed header from script. Bad header=/home/content/m/3/s/m3sglobal/: Nitrofill_Presentation.php
Why is the header "malformed"?
I think it wouldn't hurt to spend a bit more time with RFC 2822.
Your to field is populated with Bob. That it not a legal address. The format of valid email addresses is quite complicated but these days, addresses generally are of the form localpart#domain. (Older formats that allowed delivery to UUCP addresses via % username specifiers or ! bang-paths are often not supported; further, username#[<ip address>] may or may not be supported on different servers or configurations. In general, there must be an # in an email address to separate the local part from the domain.)
You also appear to be using user-supplied data without any confirmation that it isn't performing header injection attacks. (See also the suhosin project's documentation about suhosin.mail.protect.)
Your subject field includes a </br>, which is pointless, since the Subject: header is interpreted as plain text. This field also appears to be using raw data supplied by the database.
The message body also includes the </br>, which is pointless, since your message does not include any MIME markup to indicate the presence of text/html content.