Announcement

Collapse
No announcement yet.

$styleid missing ?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • $styleid missing ?

    Hello, I'm experience a weird issue where $styleid gets unset inside of core/sprite.php

    PHP Code:
    $styleid = (int) $_REQUEST['styleid'];

    $ltr = ($_REQUEST['td'] !== 'rtl');

    // ######################### REQUIRE BACK-END ############################

    //always process this script as guest

    require_once(dirname(__FILE__) . '/vb/vb.php');

    vB::init();

    echo 
    'Before setRequest: ' $styleid "\n";

    vB::setRequest(new vB_Request_Web());

    echo 
    'After setRequest: ' $styleid "\n"


    This is producing the output shown in the attachment. Does anyone know why $styleid would be getting unset?



    Click image for larger version  Name:	Screen Shot 2020-07-29 at 2.26.23 PM.png Views:	0 Size:	44.5 KB ID:	4444722

    Thanks in advance.
    Attached Files

  • #2
    Does your server meet the minimum server requirements? https://forum.vbulletin.com/node/4387853

    Subsequent versions of PHP have been making variable definitions more secure and consequential. What are the answers to the questions in this topic: https://forum.vbulletin.com/node/4005558



    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API - Full / Mobile
    Vote for your favorite feature requests and the bugs you want to see fixed.

    Comment


    • southstar86
      southstar86 commented
      Editing a comment
      It's running on nginx / fast cgi php-fpm

      PHP: 7.4.8
      MySQL: 5.7.30-log

  • #3
    I've tracked it down to the unset happening here in cleaner.php
    PHP Code:
    unset($GLOBALS["$varname"]); 
    PHP Code:
    //I'm not sure we need this any more. It's intended to prevent an exploit where global
    //variables are registerd via register globals and overwriting variables that are not expected
    //to be "user set" data.
    if (@ini_get('register_globals') OR [email protected]ini_get('gpc_order'))
    {
    foreach (
    $this->superglobalLookup AS $arrayname)
    {
    if (!empty(
    $GLOBALS["$arrayname"]))
    {
    foreach (
    array_keys($GLOBALS["$arrayname"]) AS $varname)
    {
    if (!
    in_array($varname$this->superglobalLookup))
    {
    //the argv and argc globals are also in the _SERVER array. This is
    //normal and should not result in the the global script params getting nuked.
    if(!($arrayname == '_SERVER' AND in_array($varname, array('argv''argc'))))
    {
    unset(
    $GLOBALS["$varname"]);
    }
    }
    }
    }
    }

    Comment


    • #4
      Something similar is happening when I try to use the API. Somehow
      PHP Code:
      $vbApiParamsToVerify 
      is also coming up null, causing the api signatures to not match.

      Comment


      • #5
        How are you calling sprite.php?

        How are you trying to use the API? You cannot use the API with Get Requests.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API - Full / Mobile
        Vote for your favorite feature requests and the bugs you want to see fixed.

        Comment


        • #6
          Everything works correctly for both sprite.php and the API on my local dev environment, running PHP 7.4.1, but isn't woking on my staging environment which is PHP 7.4.8. I don't think that would be related, but it's worth mentioning.

          sprite.php is just being called in the default templates css. I noticed it wasn't working because the speech bubbles next to the forum names were not appearing. Somehow $styleid is being unset during the vB::setRequest(new vB_Request_Web()) call in sprite.php.

          For the API, I am using it from my main website in the navigation, so users can log in to the forums from anywhere. The initial GET request to the init endpoint in working correctly. When attempting a POST request to user.login2, somehow $vbApiParamsToVerify is null. I've attempted to debug this by outputting the following inside core/vb/session/api.php after 119.

          PHP Code:
          throw new vB_Exception_Api(
              
          'invalid_api_signature',
              [
                  
          "API_QUERY" => http_build_query($vbApiParamsToVerify'''&'),
                  
          "API_S: " => $vBApiRequests['api_s'],
                  
          "API_CLIENT_ID: " => $client['apiclientid'],
                  
          "API_SECRET: " => $client['secret'],
                  
          "API_KEY: " => $options['apikey'],
                  
          "EXPECTED" => $signtoverify,
                  
          "RECEIVED" => $vBApiRequests['api_sig'],
                  
          "EQUAL?" => $signtoverify === $vBApiRequests['api_sig'],
              ]
          ); 
          All of the resulting values were correct, except for API_QUERY, which came back as `boolean false`, causing the expected and received signature. to differ.

          At this point my best guess is that something is happening with $_GLOBALS or global vars, or an `unset` call somewhere.

          Thanks in advance for your help.

          Comment


          • #7
            All $_GLOBALS are actually unset. We don't actually use them after setting the proper variables in vBulletin.

            It could be a bug/change in 7.4.8 or your server configuration. We may be able to work around an issue introduced in a new PHP version. If you set the staging server to use the same PHP configuration as your live server, does it work?
            Translations provided by Google.

            Wayne Luke
            The Rabid Badger - a vBulletin Cloud demonstration site.
            vBulletin 5 API - Full / Mobile
            Vote for your favorite feature requests and the bugs you want to see fixed.

            Comment


            • southstar86
              southstar86 commented
              Editing a comment
              Note sure if this is related, but I found some things in the error logs:

              WARNING: [pool www] child 156 said into stderr: "NOTICE: PHP message: PHP Warning: http_build_query() expects parameter 1 to be array, null given in /usr/share/nginx/html/main/public/forums/core/vb/session/api.php on line 119"

              WARNING: [pool www] child 156 said into stderr: "NOTICE: PHP message: PHP Warning: Use of undefined constant VB4_MAPI_METHOD - assumed 'VB4_MAPI_METHOD' (this will throw an Error in a future version of PHP) in /usr/share/nginx/html/main/public/forums/core/api.php on line 189"

              WARNING: [pool www] child 156 said into stderr: "NOTICE: PHP message: PHP Warning: Use of undefined constant WOLPATH - assumed 'WOLPATH' (this will throw an Error in a future version of PHP) in /usr/share/nginx/html/main/public/forums/core/vb/session.php on line 515"

          • #8
            If I un-comment the following block in forums/core/api.php the issue also gets resolved

            PHP Code:
            // $VB_API_PARAMS_TO_VERIFY is set in class_core.php's
            // vB_Input_Cleaner::__construct(), due to convert_short_vars()
            // causing API signature error (page => pagenumber)
            // In vB4, the API sig was verified *before* input cleaning.
            /*
            unset($_GET['']); // See VBM-835
            $VB_API_PARAMS_TO_VERIFY = $_GET;

            unset(
            $VB_API_PARAMS_TO_VERIFY['api_c'],
            $VB_API_PARAMS_TO_VERIFY['api_v'],
            $VB_API_PARAMS_TO_VERIFY['api_s'],
            $VB_API_PARAMS_TO_VERIFY['api_sig'],
            $VB_API_PARAMS_TO_VERIFY['debug'],
            $VB_API_PARAMS_TO_VERIFY['showall'],
            $VB_API_PARAMS_TO_VERIFY['do'],
            $VB_API_PARAMS_TO_VERIFY['r']
            );

            ksort($VB_API_PARAMS_TO_VERIFY);
            */ 

            Comment

            widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
            Working...
            X