Gm 1.7.2 Newlines break comments sometimes

coldstone
Global Moderator

Posts: 816

Gm 1.7.2 Newlines break comments sometimes May 24, 2007 11:09:29 GMT -5

Quote

Post by coldstone on May 24, 2007 11:09:29 GMT -5

Versions Affected: GreyMatter 1.7.2 and 1.7.2.3
Severity: Moderate (reduces comment functionality, workaround stops spam filtering)
Issue Description: When a comment is previewed or commenter verification is turned on, a newline in comment will trigger a security alert. This is because of the way newlines are encoded by Gm, it uses '|*|' to signify a newline.

Resolution: There is a code fix for this issue. Change line 310 of Gm_Web from:
unless( $name =~ m/^edited/i || $name =~ m/template$/i || $name =~ m/^newentry/i ){
To:

if( $name =~ m/^edited/i || $name =~ m/template$/i || $name =~ m/^newentry/i ){		
  ## do nothing for now
  } elsif( $name =~ m/^newcommentbody/i ){
    if( Gm_Utils::hackWebTest( $name ) || Gm_Utils::hackWebTest( $value ) ){
    &$errHandler('We don\'t take kindly to that sort of activity here. '.
      'Your attempt to break the script has been logged and the administrators have '.
      'been notified. <br>');
  }
} else {

This issue will be fixed for 1.7.3.

Updated 5/28 per jesper's notes.

Last Edit: May 28, 2007 15:51:26 GMT -5 by coldstone

jesper
New Member

Posts: 35

Gm 1.7.2 Newlines break comments sometimes May 25, 2007 5:28:52 GMT -5

Quote

Post by jesper on May 25, 2007 5:28:52 GMT -5

This didnt work out for me because line 432 in my file (v1.7.2.3) read:

cat -n Gm_Web.pm|grep 432
   432          ## gm_generatecalendar which enters into a loop that depends on

The closest thing i found was at line 308:

unless( $name =~ m/^edited/i || $name =~ m/template$/i ){

But after changing the code here i got:

Undefined subroutine &Gm_Security::hackWebTest called at libs/Gm_Web.pm line 311.

I got around this by changing the the line in your fix from:

if( Gm_Security::hackWebTest( $name ) || Gm_Security::hackWebTest( $value ) ){

to:

if( Gm_Utils::hackWebTest( $name ) || Gm_Utils::hackWebTest( $value ) ){

And now it seems to work, but since i have no idea what i have just done with the code, i would not recommend anyone to use my solution until the authors have given their respons to this.

Carlos Phelps
Global Moderator

Posts: 177

Gm 1.7.2 Newlines break comments sometimes May 25, 2007 9:13:26 GMT -5

Quote

Post by Carlos Phelps on May 25, 2007 9:13:26 GMT -5

jesper,

The GM you have installed on your site is the Trace Code Download if you install the standard download greymatter.50megs.com/release/gm_1_7_2_3_core.zip all posted bugs and corrections should apply to your site.

coldstone
Global Moderator

Posts: 816

Gm 1.7.2 Newlines break comments sometimes May 28, 2007 15:47:56 GMT -5

Quote

Post by coldstone on May 28, 2007 15:47:56 GMT -5

Thanks jesper, another good catch. The Gm_Security module is new to 1.7.3 and its the same function, just in a more appropriate place. I will modify the original post.

My apologies to people who tried to use the original post, it is based on 1.7.3 code, instead of 1.7.2.