Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#20092] - [com_mailto] Fix undefined index

? Pending

User tests: Successful: Unsuccessful:

avatar Quy
Quy
5 Apr 2018

Summary of Changes

The fields in Email this link to a friend form can be renamed resulting in undefined index notices upon submission. This PR checks that these fields exist before performing operations to them.

Testing Instructions

  • Log in on the frontend
  • Go to an article
  • Select Email in the dropdown
  • Using the Web Developer Inspector, rename the following fields: sender and subject to sender2 and subject2
  • Fill out form
  • Submit form

Expected result

no notices

Actual result

In PHP error log:

PHP Notice:  Undefined index: sender in \components\com_mailto\controller.php on line 97

PHP Notice:  Undefined index: subject in \components\com_mailto\controller.php on line 97

Documentation Changes Required

no

avatar Quy Quy - open - 5 Apr 2018
avatar Quy Quy - change - 5 Apr 2018
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 5 Apr 2018
Category Front End com_mailto
avatar SharkyKZ
SharkyKZ - comment - 30 Apr 2018

I have tested this item successfully on ee761cb

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20092.

avatar SharkyKZ SharkyKZ - test_item - 30 Apr 2018 - Tested successfully
avatar Quy Quy - close - 2 May 2018
avatar Quy Quy - change - 2 May 2018
Status Pending Closed
Closed_Date 0000-00-00 00:00:00 2018-05-02 01:58:07
Closed_By Quy
avatar Quy Quy - change - 2 May 2018
Labels Added: ?
avatar Quy
Quy - comment - 2 May 2018

This PR is included in PR #20265.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20092.

avatar zero-24
zero-24 - comment - 2 May 2018

Sorry for not noticing it here. Yes i have 'stolen' this one so we have the complete code in the other PR as the check needed to be extended anyway. Many thanks @Quy !

avatar Quy
Quy - comment - 2 May 2018

if (!empty($_POST[$field]))

This check is no longer required when using $data and getData() in your PR. Please consider my suggestion in your PR.

avatar zero-24
zero-24 - comment - 2 May 2018

Why should it no longer required?

avatar Quy
Quy - comment - 2 May 2018

Here is my proposed change:

remove:

		// An array of the input fields to scan for injected headers
		$fields = array(
			'emailto',
			'sender',
			'emailfrom',
			'subject',
			'link',
			'captcha',
		);

change to:

		foreach ($data as $key => $value)
		{
			foreach ($headers as $header)
			{
				if (strpos($value, $header) !== false)
				{
					JError::raiseError(403, '');
				}
			}
		}
avatar Quy
Quy - comment - 2 May 2018

In other words, you got the data here so no need to do this check if (!empty($_POST[$field])).

	public function getData()
	{
		$input = JFactory::getApplication()->input;
		$data['emailto']   = $input->get('emailto', '', 'string');
		$data['sender']    = $input->get('sender', '', 'string');
		$data['emailfrom'] = $input->get('emailfrom', '', 'string');
		$data['subject']   = $input->get('subject', '', 'string');
		$data['captcha']   = $input->get('captcha', '', 'string');
		return $data;
	}
avatar zero-24
zero-24 - comment - 2 May 2018

Pushed thanks 👍

Add a Comment

Login with GitHub to post a comment