Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
> straightlight wrote: ↑Sat Feb 10, 2018 6:42 am
> Could you elaborate that a little? What do you mean by malfunctioning and what is the result of the form disappearing? More information is needed.

Once I put in the xml in vqmod, the login username and password field disappeared, I can't key in my username and password to login. And the order history all disappeared in my backend. Once I removed the xml file from vqmod, everything went back to normal.

> jacky96136 wrote: ↑Tue Feb 20, 2018 4:28 pm
> > straightlight wrote: ↑Sat Feb 10, 2018 6:42 am
> > Could you elaborate that a little? What do you mean by malfunctioning and what is the result of the form disappearing? More information is needed.
>
> Once I put in the xml in vqmod, the login username and password field disappeared, I can't key in my username and password to login. And the order history all disappeared in my backend. Once I removed the xml file from vqmod, everything went back to normal.

I don't understand why posting such limited information is so important for posters. I mean, what am I supposed to do with this info?
- No OC version posted
- No route location posted
- No screenshots from the admin about the location you are posting about
- No URL posted for the store-front end to be posted
More information is needed!
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
The situation is the same as last week:
* Everything works as expected in admin.
* Can't see any effect on the frontend. Page source does not show any changes to forms.
* No errors in vqmanager and OC error log.
Is there some other kind of information I can provide to help you check it?
The only file the vqmod changes is admin/controller/common/header.php
But no luck on the other files.
It has to change this line
Code: Select all
<form action="<?php echo $action; ?>" method="post" enctype="multipart/form-data" class="form-horizontal">
Code: Select all
~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i
no luck
not working
> I think there is something wrong with this expression

What does give you the impression that something is wrong with the regular expression with such limited information on the above?
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
The admin side seems to be working correctly as shown below
<form action="https://www.MYSITE.com/admin/index.php? ... mmon/login" method="post" enctype="multipart/form-data"><input type="hidden" name="__csrf" value="XXXXXXXXXXXXXXXXXXXXXXX">
However on the front end there is no change. Example of affiliate where I keep getting lots of bogus sign ups
<form action="https://www.MYSITE.com/index.php?route=affiliate/login" method="post" enctype="multipart/form-data">
I have VQMod Manager installed but the error log is clean. Is there anything else we should do to get this working?
This is a great extension that will help many OC users, I really hope you can help us solve this issue. Please let me know if you need any additional details that may help pinpoint the cause.
Regards,
Normally you see the changed lines in the vqmodcache.
Code: Select all
<file name="catalog/view/theme/default/template/account/*.tpl" error="skip">
    <operation error="skip">
        <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
        <add><![CDATA[$1]]></add>
    </operation>
</file>
The above code has to change the catalog/view/theme/default/template/account/register.tpl
Code: Select all
<form action="<?php echo $action; ?>" method="post" enctype="multipart/form-data" class="form-horizontal">
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
OC version 2.0.1.1
The only file that is changed by the vqmod is admin/controller/common/header.php
The other files are not changed and I am not the only one with this problem. Pair is facing the same issue.
Sorry for my bad English, but I hope you understand it.
> k2tec wrote: ↑Thu Feb 22, 2018 7:04 pm
> Hi Straightlight
> OC version 2.0.1.1
> The only file that is changed by the vqmod is admin/controller/common/header.php
> The other files are not changed and I am not the only one with this problem. Pair is facing the same issue.
> Sorry for my bad English, but I hope you understand it.

Same problem for me as well.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
From:
Code: Select all
<file name="catalog/view/theme/*/template/account/*.tpl" error="skip">
    <operation error="skip">
        <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
        <add><![CDATA[$1]]></add>
    </operation>
</file>
Code: Select all
<file name="catalog/view/theme/*/template/product/*.tpl" error="skip">
    <operation error="skip">
        <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
        <add><![CDATA[$1]]></add>
    </operation>
</file>
replace with:
Code: Select all
<file name="catalog/controller/common/header.php" error="skip">
    <operation error="skip">
        <search position="before"><![CDATA[$data['scripts']]]></search>
        <add><![CDATA[
        $this->load->helper('csrf_helper');
        csrf_start();
        ]]></add>
    </operation>
</file>
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
Code: Select all
<form action="https://www.mysite.com/index.php?route=account/register" method="post" enctype="multipart/form-data" class="form-horizontal">
<fieldset id="account">
> huubert2 wrote: ↑Fri Feb 23, 2018 7:20 am
> CSRF key does still not appear in the frontend after the change unfortunately:
> Code: Select all
> <form action="https://www.mysite.com/index.php?route=account/register" method="post" enctype="multipart/form-data" class="form-horizontal"> <fieldset id="account">
> Nothing in vqmanager or error log.

No OC version posted as you mentioned on the above that you have the exact issue as another user encounters.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
Code: Select all
<?xml version="1.0" encoding="UTF-8"?>
<modification>
    <id>CSRF Form Protection</id>
    <version>v2.x and v3.x</version>
    <vqmver required="true">2.6.0</vqmver>
    <author>Straightlight</author>
    <file name="admin/controller/common/header.php" error="skip">
        <operation error="skip">
            <search position="before"><![CDATA[$data['scripts']]]></search>
            <add><![CDATA[
            $this->load->helper('csrf_helper');
            csrf_start();
            ]]></add>
        </operation>
    </file>
    <file name="catalog/controller/common/header.php" error="skip">
        <operation error="skip">
            <search position="before"><![CDATA[$data['scripts']]]></search>
            <add><![CDATA[
            $this->load->helper('csrf_helper');
            csrf_start();
            ]]></add>
        </operation>
    </file>
</modification>
I have installed your mod in two different sites I have with the same version 2.0.3.1. Both sites have different mods installed which should help narrow down if there was a mod interfering with yours.
On one site, it shows the vq2-catalog_controller_common_header.php on the other it does not show up.
On the one that does, it shows this
Code: Select all
$data['styles'] = $this->document->getStyles();
$this->load->helper('csrf_helper');
csrf_start();
$data['scripts'] = $this->document->getScripts();
Will it be possible that maybe something else needs to be changed in the system/helper/csrf_helper.php?
This is what mine has just in case you can see that something may need change...
Code: Select all
<?php
// Initialize CSRF protection configuration
$csrf_protection_expires = 7200; // token lifetime in seconds

// Entry point: check the incoming request, then start rewriting the output
function csrf_start($use_show_error = false) {
    csrf_check($use_show_error);
    csrf_rewrite();
}

// Make sure a token exists and buffer the page output for rewriting
function csrf_rewrite() {
    csrf_token();
    ob_start('csrf_ob_handler');
}

// Output-buffer callback: append the hidden token field to every POST form tag
function csrf_ob_handler($buffer, $flags) {
    $buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . csrf_form_input(), $buffer);
    return $buffer;
}

// Hidden input carrying the current token
function csrf_form_input() {
    $token = csrf_token();
    return "<input type=\"hidden\" name=\"__csrf\" value=\"$token\">\n";
}

// Create one token per request and store it in the session with its issue time
function csrf_token() {
    static $token;
    if (!$token) {
        $token = sha1(uniqid(mt_rand(), true));
        $session = &$_SESSION['__csrf'];
        if (!is_array($session)) {
            $session = array();
        }
        $session[$token] = time();
        $_SESSION['__csrf'] = $session;
    }
    return $token;
}

// Look up the posted __csrf value among the tokens stored in the session
function csrf_check($use_show_error = false) {
    global $csrf_protection_expires;
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;
    }
    if (isset($_POST['__csrf'])) {
        $session = &$_SESSION['__csrf'];
        if (!is_array($session)) {
            return false;
        }
        $found = false;
        foreach ($session as $token => $time) {
            if (!secure_compare($token, (string)$_POST['__csrf'])) {
                continue;
            }
            if ($csrf_protection_expires) {
                if (time() <= $time + $csrf_protection_expires) {
                    $found = true;
                } else {
                    unset($session[$token]); // drop the expired token
                }
            } else {
                $found = true;
            }
            break;
        }
        $_SESSION['__csrf'] = $session;
        if ($found) {
            return;
        }
    }
    // As posted, nothing further happens here when the token is missing or not found
}

// String comparison that does not stop at the first differing byte
function secure_compare($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $result = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $result |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $result == 0;
}
Any advice is greatly appreciated!
Regards,
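In the helper as posted above, csrf_check() never stops a request: every path returns without a value (or false, which csrf_start() ignores), so a POST with a missing or wrong __csrf field is still processed. A stricter check, as an added example that is not the extension's code; csrf_token_new(), csrf_check_strict() and csrf_enforce() are hypothetical names, and PHP 7+ with an already started session is assumed:

```php
<?php
// Added example, not the extension's code. Assumes PHP 7+ and a started session.
// csrf_token_new(), csrf_check_strict() and csrf_enforce() are hypothetical names.
const CSRF_TTL = 7200; // same lifetime as $csrf_protection_expires in the posted helper

function csrf_token_new(array &$session, int $now): string {
    $token = bin2hex(random_bytes(20)); // CSPRNG instead of sha1(uniqid(mt_rand(), true))
    $session['__csrf'][$token] = $now;
    return $token;
}

// True only for a non-POST request or a POST carrying a stored, unexpired token.
function csrf_check_strict(string $method, array $post, array &$session, int $now): bool {
    if ($method !== 'POST') {
        return true; // only POST is checked, as in the posted helper
    }
    $sent = $post['__csrf'] ?? null;
    $stored = $session['__csrf'] ?? null;
    if (!is_string($sent) || !is_array($stored)) {
        return false; // missing field or no token state: reject
    }
    foreach ($stored as $token => $issued) {
        if ($now > $issued + CSRF_TTL) {
            unset($session['__csrf'][$token]); // prune expired tokens
            continue;
        }
        if (hash_equals((string)$token, $sent)) {
            return true;
        }
    }
    return false; // no match: reject instead of falling through
}

// Call this where csrf_check() was called; it stops the request on failure.
function csrf_enforce(): void {
    if (!csrf_check_strict($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION, time())) {
        http_response_code(400);
        exit('Invalid or missing CSRF token');
    }
}

// Constructed checks against a fake session array (no web server needed).
$s = [];
$t = csrf_token_new($s, 1000);
var_dump(csrf_check_strict('POST', ['__csrf' => $t], $s, 1001));        // valid token
var_dump(csrf_check_strict('POST', [], $s, 1001));                      // field missing
var_dump(csrf_check_strict('POST', ['__csrf' => 'x'], $s, 1001));       // wrong token
var_dump(csrf_check_strict('POST', ['__csrf' => $t], $s, 1000 + 7201)); // expired
```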
This one made the changes. I get the vqmodcache file vq2-catalog_controller_common_header.php
Also the source code of the site is okay
<form action="https://mysite.com/index.php?route=account/register" method="post" enctype="multipart/form-data" class="form-horizontal"><input type="hidden" name="__csrf" value="a69dcc519b188c511ca332ae83395f50d67d44ad">
> k2tec wrote: ↑Fri Feb 23, 2018 3:27 pm
> Thanks Straightlight,
> This one made the changes. I get the vqmodcache file vq2-catalog_controller_common_header.php
> Also the source code of the site is okay
> <form action="https://mysite.com/index.php?route=account/register" method="post" enctype="multipart/form-data" class="form-horizontal"><input type="hidden" name="__csrf" value="a69dcc519b188c511ca332ae83395f50d67d44ad">

Outstanding. Please keep monitoring the spamming activities on your site noticing if they keep increasing.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
On this extension, I am the one providing support for it. What seems to be the issue?
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester