Post by straightlight » Tue Feb 20, 2018 1:53 am

Packages updated for v2.x and v3.x releases. Feel free to look up the XML file to match your files and folders (more the folders in this case).

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by jacky96136 » Tue Feb 20, 2018 4:28 pm

straightlight wrote:
Sat Feb 10, 2018 6:42 am
Could you elaborate that a little? What do you mean by malfunctioning and what is the result of the form disappearing? More information is needed.
Once I put the xml in vqmod, the login username and password fields disappeared, and I can't key in my username and password to log in. And the order history all disappeared in my backend. Once I removed the xml file from vqmod, everything went back to normal.

Newbie

Posts

Joined
Wed Mar 13, 2013 12:01 am

Post by straightlight » Tue Feb 20, 2018 5:59 pm

jacky96136 wrote:
Tue Feb 20, 2018 4:28 pm
straightlight wrote:
Sat Feb 10, 2018 6:42 am
Could you elaborate that a little? What do you mean by malfunctioning and what is the result of the form disappearing? More information is needed.
Once I put the xml in vqmod, the login username and password fields disappeared, and I can't key in my username and password to log in. And the order history all disappeared in my backend. Once I removed the xml file from vqmod, everything went back to normal.
I don't understand why posting such limited information is so important for posters. I mean, what am I supposed to do with this info?

- No OC version posted
- No route location posted
- No screenshots from the admin about the location you are posting about
- No URL posted for the store-front end to be posted

More information is needed!


Post by huubert2 » Wed Feb 21, 2018 7:27 pm

After the last update unfortunately still no luck on my OC 2.1.0.2 installation. I tried changing twig to tpl myself as suggested and later overwrote both files after the update.

The situation is the same as last week:
* Everything works as expected in admin.
* Can't see any effect on the frontend. Page source does not show any changes to forms.
* No errors in vqmanager and OC error log.

Is there some other kind of information I can provide to help you check it?

Newbie

Posts

Joined
Sat Feb 17, 2018 9:52 pm

Post by k2tec » Wed Feb 21, 2018 11:09 pm

I am using OC version 2.1
The only file the vqmod changes is admin/controller/common/header.php
But no luck on the other files.
It has to change this line

Code: Select all

<form action="<?php echo $action; ?>" method="post" enctype="multipart/form-data" class="form-horizontal">
but that is not working. I think there is something wrong with this expression

Code: Select all

~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i
No errors in the error log or vqmod log

Active Member

Posts

Joined
Mon Apr 12, 2010 8:06 pm

Post by straightlight » Thu Feb 22, 2018 6:26 am

no luck
not working
I think there is something wrong with this expression
What gives you the impression that something is wrong with the regular expression, with such limited information in the above?


Post by pair » Thu Feb 22, 2018 2:15 pm

Hello straightlight! I'm using Ver. 2.0.3.1. I have downloaded your most recent version, updated a couple of days ago, but like others have stated here, I'm having the same issues they do.
The admin side seems to be working correctly as shown below
<form action="https://www.MYSITE.com/admin/index.php? ... mmon/login" method="post" enctype="multipart/form-data"><input type="hidden" name="__csrf" value="XXXXXXXXXXXXXXXXXXXXXXX">
However on the front end there is no change. Example of affiliate where I keep getting lots of bogus sign ups
<form action="https://www.MYSITE.com/index.php?route=affiliate/login" method="post" enctype="multipart/form-data">
I have VQMod Manager installed but the error log is clean. Is there anything else we should do to get this working.
This is a great extension that will help many OC users, I really hope you can help us solve this issue. Please let me know if you need any additional details that may help pinpoint the cause.
Regards,

Newbie

Posts

Joined
Tue Nov 27, 2012 11:21 am

Post by k2tec » Thu Feb 22, 2018 3:54 pm

Hi Straightlight,
normally you see the changed lines in the vqmodcache.

Code: Select all

<file name="catalog/view/theme/default/template/account/*.tpl" error="skip">
    <operation error="skip">
        <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
        <add><![CDATA[$1]]></add>
    </operation>
</file>
But I don't see any changes in the vqmodcache when I am testing the register or edit.tpl.
The above code has to change the catalog/view/theme/default/template/account/register.tpl

Code: Select all

<form action="<?php echo $action; ?>" method="post" enctype="multipart/form-data" class="form-horizontal">
But my knowledge about expressions is not present.


Post by straightlight » Thu Feb 22, 2018 6:46 pm

No complete OC version posted, partial OC decimals posted. The issue is not with the regular expression since it is working perfectly on my end.


Post by k2tec » Thu Feb 22, 2018 7:04 pm

Hi Straightlight
OC version 2.0.1.1
The only file that is changed by the vqmod is admin/controller/common/header.php
The other files are not changed and I am not the only one with this problem. Pair is facing the same issue.
Sorry for my bad English, but I hope you understand it.


Post by huubert2 » Thu Feb 22, 2018 7:07 pm

k2tec wrote:
Thu Feb 22, 2018 7:04 pm
Hi Straightlight
OC version 2.0.1.1
The only file that is changed by the vqmod is admin/controller/common/header.php
The other files are not changed and I am not the only one with this problem. Pair is facing the same issue.
Sorry for my bad English, but I hope you understand it.
Same problem for me as well.


Post by straightlight » Fri Feb 23, 2018 6:21 am

Both replies above are about the admin-end. Is the store-front end working normally with the POST methods from the view source?


Post by straightlight » Fri Feb 23, 2018 6:56 am

Ok, I just installed the CSRF Protection Form extension for a client using OC v2.x releases and it seems to require a minor change in the csrf.xml file.

From:

Code: Select all

<file name="catalog/view/theme/*/template/account/*.tpl" error="skip">
    <operation error="skip">
        <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
        <add><![CDATA[$1]]></add>
    </operation>
</file>
Until (inclusively):

Code: Select all

<file name="catalog/view/theme/*/template/product/*.tpl" error="skip">
    <operation error="skip">
        <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
        <add><![CDATA[$1]]></add>
    </operation>
</file>
remove it all

replace with:

Code: Select all

<file name="catalog/controller/common/header.php" error="skip">
    <operation error="skip">
        <search position="before"><![CDATA[$data['scripts']]]></search>
        <add><![CDATA[
        $this->load->helper('csrf_helper');

        csrf_start();
        ]]></add>
    </operation>
</file>
Check your VQMod Manager for any conflicts from the csrf.xml file. If there are none, refresh the store front-end page in your browser and see if the CSRF keys appear afterwards.


Post by huubert2 » Fri Feb 23, 2018 7:20 am

CSRF key still does not appear in the frontend after the change unfortunately:

Code: Select all

 <form action="https://www.mysite.com/index.php?route=account/register" method="post" enctype="multipart/form-data" class="form-horizontal">
         <fieldset id="account">
Nothing in vqmanager or error log.


Post by straightlight » Fri Feb 23, 2018 9:30 am

huubert2 wrote:
Fri Feb 23, 2018 7:20 am
CSRF key still does not appear in the frontend after the change unfortunately:

Code: Select all

 <form action="https://www.mysite.com/index.php?route=account/register" method="post" enctype="multipart/form-data" class="form-horizontal">
         <fieldset id="account">
Nothing in vqmanager or error log.
No OC version posted as you mentioned on the above that you have the exact issue as another user encounters.


Post by pair » Fri Feb 23, 2018 12:31 pm

Straightlight. Ver 2.0.3.1 (just in case) I have changed the xml as you last stated but to no avail. This is what I currently have in the xml.

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<modification>
    <id>CSRF Form Protection</id>
    <version>v2.x and v3.x</version>
    <vqmver required="true">2.6.0</vqmver>
    <author>Straightlight</author>

    <file name="admin/controller/common/header.php" error="skip">
        <operation error="skip">
            <search position="before"><![CDATA[$data['scripts']]]></search>
            <add><![CDATA[
            $this->load->helper('csrf_helper');

            csrf_start();
            ]]></add>
        </operation>
    </file>

    <file name="catalog/controller/common/header.php" error="skip">
        <operation error="skip">
            <search position="before"><![CDATA[$data['scripts']]]></search>
            <add><![CDATA[
            $this->load->helper('csrf_helper');

            csrf_start();
            ]]></add>
        </operation>
    </file>

</modification>
The issue still persists. No errors are present in the VQManager either.
I have installed your mod in two different sites I have with the same version 2.0.3.1. Both sites have different mods installed which should help narrow down if there was a mod interfering with yours.
On one site, it shows the vq2-catalog_controller_common_header.php on the other it does not show up.
On the one that does, it shows this

Code: Select all

$data['styles'] = $this->document->getStyles();

			$this->load->helper('csrf_helper');
			
			csrf_start();
			
		$data['scripts'] = $this->document->getScripts();
But regardless if it shows there, still does not work in the front end. I have cleared the cache refreshed the mods etc but still nothing.
Will it be possible that maybe something else needs to be changed in the system/helper/csrf_helper.php ?
This is what mine has just in case you can see that something may need change...

Code: Select all

<?php

// Initialize CSRF protection configuration
$csrf_protection_expires     = 7200;

function csrf_start($use_show_error = false) {
	csrf_check($use_show_error);
    csrf_rewrite();
}

function csrf_rewrite() {
    csrf_token();
    ob_start('csrf_ob_handler');
}

function csrf_ob_handler($buffer, $flags) {
    $buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . csrf_form_input(), $buffer);

    return $buffer;
}

function csrf_form_input() {
    $token = csrf_token();
	
    return "<input type=\"hidden\" name=\"__csrf\" value=\"$token\">\n";
}

function csrf_token() {
    static $token;

    if (!$token) {
        $token = sha1(uniqid(mt_rand(), true));
		
        $session = &$_SESSION['__csrf'];
		
        if (!is_array($session)) {
            $session = array();
        }
		
        $session[$token] = time();
		
       $_SESSION['__csrf'] = $session;
    }

    return $token;
}

function csrf_check($use_show_error = false) {
    global $csrf_protection_expires;
	
	if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;
    }

    if (isset($_POST['__csrf'])) {
        $session = &$_SESSION['__csrf'];

        if (!is_array($session)) {
            return false;
        }

        $found = false;

        foreach ($session as $token => $time) {
            if (!secure_compare($token, (string)$_POST['__csrf'])) {
                continue;
            }

            if ($csrf_protection_expires) {
                if (time() <= $time + $csrf_protection_expires) {
                    $found = true;
                } else {
                    unset($session[$token]);
                }
            } else {
                $found = true;
            }

            break;
        }

        $_SESSION['__csrf'] = $session;

        if ($found) {
			return;
        }
    }
}

function secure_compare($a, $b) {
    if (strlen($a) !== strlen($b)) {
		return false;
	}
  
	$result = 0;
  
	for ($i = 0; $i < strlen($a); $i++) {
		$result |= ord($a[$i]) ^ ord($b[$i]);
	}
  
	return $result == 0;
}
Has anyone been able to get this working on ver 2 and if so, what was done to get it working?
Any advice is greatly appreciated!
Regards,
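
The helper posted above never rejects a request: csrf_check() returns nothing whether or not a matching token is found, and csrf_start() ignores the result, so a POST with a missing or wrong __csrf value is processed anyway. As an added example (not the extension's code), here is a check that fails closed. The function names are hypothetical and PHP 7.1+ is assumed for random_bytes(), hash_equals() and nullable types.

```php
<?php
// Added example, not the extension's code. Function names are hypothetical.
const CSRF_TTL = 7200; // same lifetime as $csrf_protection_expires above

function csrf_issue_token(array &$session): string {
    $token = bin2hex(random_bytes(20)); // CSPRNG, 40 hex chars like the sha1() token
    $session['__csrf'][$token] = time();
    return $token;
}

function csrf_is_valid(array &$session, $posted, ?int $now = null): bool {
    $now = $now ?? time();
    if (!is_string($posted) || $posted === '') {
        return false; // a missing or malformed token is a failure
    }
    $valid = false;
    foreach (($session['__csrf'] ?? []) as $token => $issued) {
        if ($now > $issued + CSRF_TTL) {
            unset($session['__csrf'][$token]); // prune expired tokens
            continue;
        }
        if (hash_equals((string) $token, $posted)) { // constant-time compare
            $valid = true;
        }
    }
    return $valid;
}

function csrf_enforce(array &$session, array $server, array $post): void {
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return; // only POSTs are checked, as in the posted helper
    }
    if (!csrf_is_valid($session, $post['__csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// Constructed self-check: fresh, missing, forged and expired tokens.
if (PHP_SAPI === 'cli') {
    $session = [];
    $token = csrf_issue_token($session);
    var_dump(csrf_is_valid($session, $token));
    var_dump(csrf_is_valid($session, null));
    var_dump(csrf_is_valid($session, str_repeat('0', 40)));
    var_dump(csrf_is_valid($session, $token, time() + CSRF_TTL + 1));
}
```

In a web request, csrf_enforce($_SESSION, $_SERVER, $_POST) would run after the session is started and before the form data is acted on.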


Post by k2tec » Fri Feb 23, 2018 3:27 pm

Thanks Straightlight,
This one made the changes. I get the vqmodcache file vq2-catalog_controller_common_header.php
Also the source code of the site is okay
<form action="https://mysite.com/index.php?route=account/register" method="post" enctype="multipart/form-data" class="form-horizontal"><input type="hidden" name="__csrf" value="a69dcc519b188c511ca332ae83395f50d67d44ad">


Post by straightlight » Fri Feb 23, 2018 8:11 pm

k2tec wrote:
Fri Feb 23, 2018 3:27 pm
Thanks Straightlight,
This one made the changes. I get the vqmodcache file vq2-catalog_controller_common_header.php
Also the source code of the site is okay
<form action="https://mysite.com/index.php?route=account/register" method="post" enctype="multipart/form-data" class="form-horizontal"><input type="hidden" name="__csrf" value="a69dcc519b188c511ca332ae83395f50d67d44ad">
Outstanding. Please keep monitoring the spamming activities on your site noticing if they keep increasing.


Post by pair » Sun Feb 25, 2018 6:03 am

@k2tec Could you share what you did to get the mod working for your site?
Thanks


Post by straightlight » Sun Feb 25, 2018 6:17 am

pair wrote:
Sun Feb 25, 2018 6:03 am
@k2tec Could you share what you did to get the mod working for your site?
Thanks
On this extension, I am the one providing support for it. What seems to be the issue?
