A Bug Perhaps or Perhaps Not

[aln_cms]

Hi,

I've come across what may be a bug.. I'm up the walls at the moment so I'm putting it up here for your good selves to decide.  I've been using ajax on the admin side, I modified header.php to ease this a little. Anyhow, in my module, I have a function/action called addevent;within this I want to use a little ajax call.

My ajax URI variable string looks like so:

Code: Select all

var xajaxRequestUri="http://mchaleml.localdomain/admin/moduleinterface.php?mact=McHEvents,m1_,addevent,0&_s_=a349e55b&hl=en_US";

and herein lies the problem, if I make an ajax call with this, check_login() sees tye $_GET array as

Array ( [mact] => McHEvents,m1_,addevent,0 [amp;_s_] => a349e55b [amp;hl] => en_US )

So I am redirected to login because the secure param exist.


As I'm under some pressure (moreso after a day with firebug), I have simply changed line 776 in lib/xajax/xajax.inc.php

from

Code: Select all

$html .= "var xajaxRequestUri=\"".str_replace('&', '&', $this->sRequestURI)."\";\n";

to

Code: Select all

$html .= "var xajaxRequestUri=\"$this->sRequestURI\"\n";

for the moment and all is good for me.

(the str_replace seems like a 'peculiar' place/means of carrying out this task).

Alan

[jmcgin51]

Without knowing anything about your CMSMS version, etc, it will be impossible for anyone to help.
http://forum.cmsmadesimple.org/index.ph ... 132.0.html


Also, since you modified the core source code, you might want to read this:
http://forum.cmsmadesimple.org/index.ph ... 132.0.html

[aln_cms]

hi jmcgin,

I'm not asking for help.  I have solved the problem for me.  I if you read the post again more carefully, you will see the bug will exists irrespective of my modifications.

Alan

CMS 1.5.2 MLE, on linux.

[alby]

I'm not asking for help.  I have solved the problem for me.  I if you read the post again more carefully, you will see the bug will exists irrespective of my modifications.

Try to match your sintax in module with admin/listcontent.php, here there are many links with xajax call

Alby

[aln_cms]

Hi Alby,

I  have looked at this and I think the reason it doesn't happen here is because the '_s_' (CMS_SECURE_PARAM) is always the first querystring parameter appended to the URL e.g.

http://mchaleml.localdomain/admin/listc ... _=a349e55b

which means that the string replace function mentioned above (which replaces ampersands)  isn't executed on this parameter. 

Alan

[aln_cms]

As an example,  if you put this code into a stock 1.5.2 (not MLE, no modifications)

Code: Select all

echo '<a href="listcontent.php?x=1&'.CMS_SECURE_PARAM_NAME .'='. $_SESSION[CMS_USER_KEY].'">Test</a>';
return;

if you follow this link and then try to set a page inactive you should see what I was seeing

Alan


It's the same

Code: Select all

echo '<a href="listcontent.php?x=1&'.CMS_SECURE_PARAM_NAME .'='. $_SESSION[CMS_USER_KEY].'">Test</a>';
return;