Problem logging into admin panel, UCP (SID issues, URL encod

orudge · Post by **orudge** » Mon May 21, 2007 5:47 pm

I've installed phpBB 3.0 RC1 on my server, and attempted an upgrade successfully from phpBB 2.0.x. However, I'm having some trouble logging into the admin control panel, and performing a few other activities (eg, various activities in the UCP). I can log in normally quite happily. However, If I try to log into the administration control panel, I get the reauthentication page. Enter my password, and I'm redirected to the "You have successfully authenticated and will now be redirected to the Administration Control Panel." page. However, the link I'm given has two SIDs, and the ? and &s in the first "section" are still HTML-encoded:

http://url/adm/index.php%3F%26amp%3Bsid%3D1cb8d135b9a5dab867a4399735d38098
?sid=1b7cd0b5578137cb71a275326e0efd88

(the line break is my own)

The fact that it's then created a new session means that I then get an authentication error on the next page. I've tried this under Firefox 2.0.0.3, IE7 and Safari, under different machines. It doesn't appear to be a cookie problem. I've also had similar issues with, for instance, the "delete all cookies" link, which sends me to:

http://url/ucp.php%3Fmode%3Ddelete_cookies%26amp%3Bsid%3D
d8a81d0376a4d56f6d9043909f7900e0?mode=delete_cookies&confirm_key=4Q6PQ6GBEG

If I attempt to update some settings in the UCP, for instance on the http://url/ucp.php?i=165 page (global settings), it then tries to send me to:

http://url/ucp.php%3Fi%3D165?i=prefs&mode=personal

which gives a 404, naturally. The same happens on most other UCP pages.

The server is running lighttpd and PHP 4.4.6, with MySQL 4.1.22. A test account can be provided if required.

EDIT: It seems the problem may be similar to, or the same as, this one - I can get into the admin control panel if I navigate away to a different page and then reuse the admin link at the bottom.

Thanks for any help or suggestions,

orudge · Post by **orudge** » Sun Jun 24, 2007 10:30 pm

Hmm, I'm having these exact same problems with RC2. As nobody else appears to be having them (or at least, posting about them), I shall see if I can find some more data to help support this and likely file a bug report in the next little while.

Is there nobody else here who has been experiencing the same trouble?

tomallos · Post by **tomallos** » Sun Jun 24, 2007 10:41 pm

I've this problem too

orudge · Post by **orudge** » Sun Jun 24, 2007 10:44 pm

What version of PHP are you using?

tytus · Post by **tytus** » Mon Jun 25, 2007 2:20 pm

I've this problem too:

- Lighttpd
- PHP 4.4
- PHP 5.2

orudge · Post by **orudge** » Mon Jun 25, 2007 2:57 pm

The problem appears to be in the session.php file, specifically:

$page_name = urlencode(htmlspecialchars($page_name));

This is encoding bits of the URL that shouldn't be encoded, and so the web browser attempts to access, for instance, ucp.php%3Fmode%3Ddelete_cookies, instead of ucp.php, passing it ?mode=delete_cookies. Commenting out that line appears to "fix" the problem, or at least, work around it.

I'd be interested to know why it doesn't seem to be causing other people a problem. Does the urlencode function not encode, say, ? in a certain version of PHP?

ToonArmy · Post by **ToonArmy** » Mon Jun 25, 2007 4:00 pm

I think I know what the problem is, try the following change:

Find (includes/sessions.php:45):

Code: Select all

$script_name = (!empty($_SERVER['REQUEST_URI'])) ? $_SERVER['REQUEST_URI'] : getenv('REQUEST_URI');

After Add:

Code: Select all

$script_name = (($pos = strpos($script_name, '?')) !== false) ? substr($script_name, 0, strpos($script_name, '?')) : $script_name;

I wondered how long before this became a problem.

orudge · Post by **orudge** » Mon Jun 25, 2007 4:12 pm

That change appears to work correctly.

advertisements