
Illegal array key "$Path" $Domain PHP Warnings


Dirty Butter


How can I figure out where this is coming from? I've tried clicking around to see if I could cause it, but no luck.

Quote

[19-Nov-2016 17:15:35 UTC] PHP Warning:  Security Warning: Illegal array key "$Path" was detected and was removed. in /XXX/plushcatalog/classes/sanitize.class.php on line 72
[19-Nov-2016 17:15:35 UTC] PHP Warning:  Security Warning: Illegal array key "$Domain" was detected and was removed. in /XXXplushcatalog/classes/sanitize.class.php on line 72
[19-Nov-2016 17:15:35 UTC] PHP Warning:  Security Warning: Illegal array key "$Path" was detected and was removed. in /XXX/plushcatalog/classes/sanitize.class.php on line 72
[19-Nov-2016 17:15:35 UTC] PHP Warning:  Security Warning: Illegal array key "$Domain" was detected and was removed. in /XXXplushcatalog/classes/sanitize.class.php on line 72

 

 

Link to comment
Share on other sites

We would need to add some diagnostic code to the Sanitize class to log what the URL is that is triggering this. That diagnostic code would show what major array is getting scanned where this is found: GET (the querystring of the URL), POST (form submissions), or COOKIE.

But, you have the timestamp, and it is most likely that you should be able to look at the hosted account's web access logs. Match up the time (note any timezone differences) and you should see previous page requests by the same IP address. From the history of page requests by that IP address, we may be able to figure out what page, if any, is adding "$Path" to what gets included in the page request.

Link to comment
Share on other sites
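The log matching described in the post above, as an added example that is not part of the original thread or of CubeCart: it normalises both timestamps to UTC, finds the request that coincides with each sanitizer warning, and lists what that client requested beforehand. The log lines, IP addresses and user agents are constructed samples, and the `slack` and `history` windows are assumed defaults.

```python
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo
# Constructed sample data in the two log formats quoted in this thread.
ERROR_LOG = '''\
[19-Nov-2016 17:15:35 UTC] PHP Warning:  Security Warning: Illegal array key "$Path" was detected and was removed. in /XXX/classes/sanitize.class.php on line 72
[19-Nov-2016 17:15:35 UTC] PHP Warning:  Security Warning: Illegal array key "$Domain" was detected and was removed. in /XXX/classes/sanitize.class.php on line 72
'''
ACCESS_LOG = '''\
192.0.2.10 - - [19/Nov/2016:12:14:58 -0500] "GET /plushcatalog/robots.txt HTTP/1.1" 200 312 "-" "ExampleBot/0.1"
192.0.2.10 - - [19/Nov/2016:12:15:35 -0500] "GET /plushcatalog/index.php?seo_path=sample-product HTTP/1.1" 200 93779 "-" "ExampleBot/0.1"
198.51.100.7 - - [19/Nov/2016:17:15:35 -0500] "GET /plushcatalog/index.php HTTP/1.1" 200 51234 "-" "ExampleBrowser/1.0"
'''
ERR_RE = re.compile(r'^\[(\d{2}-\w{3}-\d{4} [\d:]{8}) ([^\]]+)\] PHP Warning:\s+Security Warning: Illegal array key')
ACC_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" \d{3} \S+ "[^"]*" "([^"]*)"')

def warning_times(error_text):
    """Distinct instants, normalised to UTC, at which the sanitizer warning was logged."""
    found = set()
    for line in error_text.splitlines():
        m = ERR_RE.match(line)
        if m:
            # PHP writes a zone name; "UTC" is handled without needing the tz database.
            zone = timezone.utc if m.group(2) == "UTC" else ZoneInfo(m.group(2))
            stamp = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
            found.add(stamp.replace(tzinfo=zone).astimezone(timezone.utc))
    return sorted(found)

def access_rows(access_text):
    """Parse combined-format lines; %z keeps the numeric offset so instants compare correctly."""
    rows = []
    for line in access_text.splitlines():
        m = ACC_RE.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            rows.append({"ip": m.group(1), "when": when, "request": m.group(3), "agent": m.group(4)})
    return rows

def correlate(error_text, access_text, slack=1, history=600):
    """For each warning, name the client seen within `slack` seconds and list what
    that client requested during the preceding `history` seconds."""
    rows, report = access_rows(access_text), []
    for t in warning_times(error_text):
        for hit in rows:
            if abs((hit["when"] - t).total_seconds()) <= slack:
                trail = [r["request"] for r in rows if r["ip"] == hit["ip"]
                         and 0 <= (hit["when"] - r["when"]).total_seconds() <= history]
                report.append({"warning": t, "ip": hit["ip"], "agent": hit["agent"], "trail": trail})
    return report
```

The third sample access line shows the same wall-clock time as the warning but with a different offset, so it is correctly left out of the report.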

This is the access log entry that matches the error log entry:

Quote

54.236.1.11 - - [19/Nov/2016:17:15:35 +0000] "GET /plushcatalog/index.php?seo_path=eden-rosebud-blond-doll-dress-bonnet-white-brim HTTP/1.1" 200 93779 "-" "Pinterest/0.2 (+http://www.pinterest.com/)"

I found a more recent one that also had this same GET with the seo_path= from pinterest.com.

I cleared the error log and refreshed the odd url with the seo_path styling - and I did NOT get an error message.

That doesn't help me - hopefully it tells you something.

Link to comment
Share on other sites

The AddThis Plugin has a pinterest_share choice on the Product Listing that Customers use. I just used the AddThis button to add a product to our Pinterest page, but the url is correctly formed.

And I use SFWS Automatic Social Media Posts, but that is used manually on the backend, so I know nothing is showing up in the error log when I use that.

Link to comment
Share on other sites

For the future, if you want to know the actual thing that is triggering the Sanitize Warning, make these edits:

/classes/sanitize.class.php, near lines 51-54 (CC611):

From:
self::_clean($_GET);
self::_clean($_POST);
self::_clean($_COOKIE);
self::_clean($_REQUEST);

To:
self::_clean($_GET,'GET');
self::_clean($_POST,'POST');
self::_clean($_COOKIE,'COOKIE');
self::_clean($_REQUEST,'REQUEST');

Near line 64:
From:
private static function _clean(&$data) {

To:
private static function _clean(&$data, $global='') {

Near line 72:
From:
trigger_error('Security Warning: Illegal array key "'.htmlentities($key).'" was detected and was removed.', E_USER_WARNING);

To:
trigger_error('Security Warning: Illegal array key in '.$global.'["'.htmlentities($key).'"] was detected and was removed.', E_USER_WARNING);

 

Link to comment
Share on other sites

Quote

[19-Nov-2016 20:04:50 UTC] PHP Warning:  Security Warning: Illegal array key in COOKIE["$Path"] was detected and was removed. in /public_html/plushcatalog/classes/sanitize.class.php on line 87
[19-Nov-2016 20:04:50 UTC] PHP Warning:  Security Warning: Illegal array key in COOKIE["$Domain"] was detected and was removed. in /plushcatalog/classes/sanitize.class.php on line 87
[19-Nov-2016 20:04:50 UTC] PHP Warning:  Security Warning: Illegal array key in REQUEST["$Path"] was detected and was removed. in /plushcatalog/classes/sanitize.class.php on line 87
[19-Nov-2016 20:04:50 UTC] PHP Warning:  Security Warning: Illegal array key in REQUEST["$Domain"] was detected and was removed. in /plushcatalog/classes/sanitize.class.php on line 87

 

 

Link to comment
Share on other sites

REQUEST includes COOKIE, so we can ignore REQUEST.

So, the strings "$Path" and "$Domain" seem to relate to the cookie that CubeCart delivers.

That code is in /classes/session.class.php. Run a file compare of your copy against a fresh copy from the latest download.

Link to comment
Share on other sites

They were identical. I've had this warning for some time, but thought surely I would eventually spot what I was doing that caused it. What does CC do to actually create the naming of a store's cookies? I have one now that I know I didn't have when I originally created my Privacy Policy document. I have changed the naming of admin twice since then, if that has anything to do with it.

Link to comment
Share on other sites

In session.class.php, near line 95, CubeCart uses a few PHP functions to set session variables: 'session.cookie_domain' and 'session.cookie_path'.

These values come from store settings, either those that CubeCart figured out, or manually set in /includes/global.inc.php.

What's interesting is that the string $Path looks very much like a PHP variable $Path. The difference is in how they are used in strings and how that string is quoted.

"This string uses $Path." <- Double quotes, with expansion.
'This string uses $Path.' <- Single quotes, no expansion.

When CubeCart expands a string, anything with a $ in front is exchanged for the contents of that variable. So, the resultant display of that string would be:

This string uses /store/.

If the intent was to expand $Path to show its value, but single quotes were used to quote the string, then the resultant display of that string would be as you see it.

So, I think somewhere some piece of code is wanting to expand $Path and $Domain but erroneously used single quotes on the string.

Plus the fact that PHP variables are case-sensitive.

I scanned a CC611 package (except for /includes/lib/) and did not find $Path.

So that tells me either the fault is in code not shipped with CC611, or whoever is getting this cookie (Pinterest?) is mangling it on their end.

What does the access log say for the latest error logging?

We can add diagnostic statements to CubeCart to show us the cookie that will be sent.

Link to comment
Share on other sites
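One possible origin for these cookie keys, shown as an added example that is not from the thread or from CubeCart: RFC 2109 and RFC 2965 let a client put `$Version`, `$Path`, `$Domain` and `$Port` attributes inside the Cookie request header, and a parser that keeps every `name=value` pair as a cookie will expose them as cookie names. The header value below is constructed, and whether the client in this thread sent such a header is an assumption to confirm by logging the raw header.

```python
# Attribute names that RFC 2109 / RFC 2965 allow inside a Cookie request header.
# They are compared case-insensitively, as the RFCs specify.
LEGACY_ATTRIBUTES = {"$version", "$path", "$domain", "$port"}

# Constructed header value; the cookie name and all values are placeholders.
SAMPLE_COOKIE_HEADER = '$Version=0; session_cookie=constructed-value; $Path="/plushcatalog/"; $Domain=".example.com"'

def split_cookie_header(raw):
    """Split on ';' and on the first '=' only, keeping every pair as if it were a cookie."""
    pairs = []
    for part in raw.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value.strip().strip('"')))
    return pairs

def triage_cookie_keys(raw):
    """Sort the pairs into real cookies, legacy '$' attributes echoed by the client,
    and any other '$' keys, which deserve a closer look."""
    result = {"cookies": {}, "legacy_attributes": {}, "unexpected_dollar_keys": {}}
    for name, value in split_cookie_header(raw):
        if name.lower() in LEGACY_ATTRIBUTES:
            bucket = "legacy_attributes"
        elif name.startswith("$"):
            bucket = "unexpected_dollar_keys"
        else:
            bucket = "cookies"
        result[bucket][name] = value
    return result
```

Feeding this the raw Cookie header captured by a diagnostic statement (in PHP it is available as `$_SERVER['HTTP_COOKIE']`) shows whether a flagged key is an attribute echoed by an old-style client or something else.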
