Joomla! Issue Tracker | Joomla! CMS #26505 - [4.0][plugin][httpheaders]

? ?

Closed
1 Feb 2020
Medium
Build: 4.0-dev
# 26505
Diff
alikon:patch-109

Pending

Pending Hound Hound is busy sniffing around... Details

User tests: Successful: Unsuccessful:

alikon
7 Oct 2019

Pull Request for Issue #26501 .

Summary of Changes

converted array to string

Testing Instructions

see #26501

Expected result

no more warning

f2440d6 7 Oct 2019

array item to string

alikon - open - 7 Oct 2019

alikon - change - 7 Oct 2019

Status

New

⇒

Pending

joomla-cms-bot - change - 7 Oct 2019

Category

⇒

Front End Plugins

ChristineWk - test_item - 7 Oct 2019 - Tested successfully

ChristineWk - comment - 7 Oct 2019

I have tested this item ✅ successfully on f2440d6

Confirm before Patch:
Warning: hash() expects parameter 2 to be string, array given in \plugins\system\httpheaders\httpheaders.php on line 161
Warning: hash() expects parameter 2 to be string, array given in \plugins\system\httpheaders\httpheaders.php on line 172
After Patch: Warnings has gone.

OT: Which Mode should be use?
Custom / Detect or Automatic?

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/26505.}

SharkyKZ - comment - 7 Oct 2019

Since #25357 scripts/styles are stored as array. So this isn't right, the hash is being generated based on first script/style only.

wilsonge - comment - 7 Oct 2019

@SharkyKZ is right - we probably need to implode to comma separated rather than doing array_shift

SharkyKZ - comment - 7 Oct 2019

Maybe we can use existing MD5 hashes?

b5a3722 7 Oct 2019

implode array keys

alikon - change - 7 Oct 2019

Labels

Added: ?

alikon - comment - 7 Oct 2019

used implode and the md5 value....

SharkyKZ - comment - 7 Oct 2019

No, not like that. I was thinking we could reuse MD5 hashes but says here it's not recommended https://www.w3.org/TR/SRI/#cryptographic-hash-functions.

c50cddb 7 Oct 2019

without array_keys

alikon - comment - 7 Oct 2019

back to implode

richard67 - test_item - 7 Oct 2019 - Tested successfully

richard67 - comment - 7 Oct 2019

I have tested this item ✅ successfully on c50cddb

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/26505.}

ChristineWk - test_item - 7 Oct 2019 - Tested successfully

ChristineWk - comment - 7 Oct 2019

I have tested this item ✅ successfully on c50cddb

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/26505.}

alikon - change - 7 Oct 2019

Status

Pending

⇒

Ready to Commit

alikon - comment - 7 Oct 2019

RTC

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/26505.}

SharkyKZ - comment - 7 Oct 2019

I don't think this is right. @zero-24 can you take a look at this?

SharkyKZ - comment - 7 Oct 2019

This doesn't work. Each script/style tag needs to have its own hash. And the hash must be based on the content exactly as it appears on on the page. The content from head data does not contain formatting added by styles renderer.

SharkyKZ - change - 7 Oct 2019

Status

Ready to Commit

⇒

Pending

richard67 - test_item - 7 Oct 2019 - Not tested

richard67 - comment - 7 Oct 2019

I have not tested this item.

Setting to not tested until clarifications and reviews finished.

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/26505.}

ChristineWk - test_item - 7 Oct 2019 - Not tested

ChristineWk - comment - 7 Oct 2019

I have not tested this item.

OK, I did also set to "Not tested" now.

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/26505.}

brianteeman - comment - 7 Oct 2019

Please provide real testing instructions - not just see that the warning has gone

3ae3bcc 8 Oct 2019

fix

alikon - comment - 8 Oct 2019

thanks @zero24 & @SharkyKZ

53ff2c4 9 Oct 2019

Merge branch '4.0-dev' into patch-109

PoojaPatil1997 - test_item - 19 Oct 2019 - Tested successfully

PoojaPatil1997 - comment - 19 Oct 2019

I have tested this item ✅ successfully on 53ff2c4

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/26505.}

crommie - test_item - 19 Oct 2019 - Tested successfully

crommie - comment - 19 Oct 2019

I have tested this item ✅ successfully on 53ff2c4

As expected: warning without the patch, no warning after applying the patch.

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/26505.}

Quy - change - 19 Oct 2019

Status

Pending

⇒

Ready to Commit

Quy - comment - 19 Oct 2019

RTC

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/26505.}

SharkyKZ - comment - 19 Oct 2019

This hides the notice but the code is still broken.

zero-24 - comment - 19 Oct 2019

The code is still broken? Can you explain a bit more? As with 3ae3bcc the actual issue should be fixed or do i miss something?

SharkyKZ - comment - 19 Oct 2019

Since #25357 rendered scripts/styles have formatting added to them. But the hash is generated from scripts/styles without formatting. So the hashes don't match scripts/styles that appear on the page.

Assuming SRI works on pages with MIME type other than text/html, this was actually broken since the beginning because we wrap code in CDATA on such pages:

joomla-cms/libraries/src/Document/Renderer/Html/HeadRenderer.php

Line 231 in 56d8a35

$buffer .= $tab . $tab . '/*<![CDATA[*/' . $lnEnd;

zero-24 - comment - 19 Oct 2019

Ah ok I get the point now.

alikon - change - 1 Feb 2020

Status	Ready to Commit	⇒	Closed
Closed_Date	0000-00-00 00:00:00	⇒	2020-02-01 10:52:21
Closed_By		⇒	alikon
Labels	Added: ?

alikon - close - 1 Feb 2020

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#26505] - [4.0][plugin][httpheaders] - array to string conversion

Summary of Changes

Testing Instructions

Expected result

Add a Comment