back to phpList.org

Purpose of "hack attempt" exit in subscribelib2.php

development
Tags: #<Tag:0x00007fe55ede8028>

#1

Hi,

Can someone please tell me why this “exit” exists in subscribelib2.php? What types of hacks does it avert?

I ask because I’m working on an ajax form (using jquery) to subscribe a user to a phplist newsletter from a distinct website without requiring our user to leave that website. Unfortunately, after my ajax form is submitted to phplist, subscribelib2.php is prematurely exiting at the line above due to “hack attempt”.

I did some debugging. Here is the print_r() of $_POST[‘list’] as subscribelib2.php sees it when my ajax form from a distinct domain submits to our phplist site at /lists/index.php?p=asubscribe&id=2:

Array\n(\n    [2] => signup\n    [] => signup\n)\n

For comparison, here is the print_r() of $_POST[‘list’] as subscribelib2.php sees it when I attempt to subscribe from the form on the phplist site at /lists/index.php?p=subscribe&id=2

Array\n(\n    [2] => signup\n)\n

As you can see, subscribelib2.php sees an additional element in the array whoose index is empty. Then the $key in the code linked above is empty, and therefore subscribelib2.php prematurely exits after the comment “hack attempt”.

My ajax form has a hidden input as follows:

<input type="hidden" name="list[2]" value="signup" />

I do not define an input with name = “list[]”. I’m not sure where php is getting that input; even my browser’s js console’s Params tab only shows me the one named “list[2]” with value “signup”. Perhaps the “list[]” is a confused byproduct of the way jquery.ajax() serializes the data from the form before passing it to phplist?

In any case, I’m wondering if the “hack attempt” exit is actually useful. If it is, I’d like to submit a PR to include comments in the code describing what it exactly is for. If it’s not doing anything, then I’d like to submit a PR to remove that exit so that my ajax submission form (which is benevolent) will work.

Please let me know if it’s acceptable to remove the logic linked above from subscribelib2.php or not.


#2

Update: I discovered that the additional element in the $_POST[‘list’] array is actually added by phplist, not ajax! It occurs here:

My question still stands, and I’m even more of the opinion that this “hack attempt” exit should be removed since I’m more confident that my ajax form is doing the “right thing” here.


#3

Perhaps @michiel knows?


#4

@maltfield The entry with an empty key shouldn’t be present so I guess that there is something wrong with the html/javascript or the subscribe page as defined in phplist.

If you use the browser tools to look at the data that is being sent from the browser that might clarify where the problem is.


#5

This may well be the cause of the problem.

If you have not selected a list, in which case the subscribe page will default to offering all public lists, then the variable $GLOBALS[‘pagedata’][“lists”] will be an empty string. using explode() on an empty string returns an array of one entry, which is itself an empty string.


#6

the “hack attempt” was at the time a way to handle input that was considered unexpected. By the sounds of it, this could do with a review and possible update.


#7

@duncac, thanks! Can you tell me what exactly you mean by “selected a list”?

My ajax submitted a hidden form input with “list[2]=signup” – does that qualify as selecting the list #2?

Regardless of the above form input, when I submit it to /lists/index.php?p=asubscribe&id=2, the phplist script still tries to add to the contents of $GLOBALS[‘pagedata’][‘lists’] to $_POST[‘list’].

What should $GLOBALS[‘pagedata’][‘lists’] be set to? For me it’s == ‘’

I guess I see at least the following fixes:

  1. Remove the “hack attempt” else block entirely, including the ‘exit’ causing this issue
  2. wrap the one-line in this foreach loop in an if condition that makes sure that $listid is not empty before attempting to add it to the $_POST[‘list’] array. https://github.com/phpList/phplist3/blob/19baaaa476bb532f53430ff9b3e7fd73e61991a1/public_html/lists/index.php#L247-L249

#8

When you created the subscribe page in phplist, did you select a list?
image

I thought that there was some documentation explaining the constraints on a subscribe page to be used for ajax but I can’t immediately find it.


#9

@duncanc You nailed it, thanks!

I went to my phplist, logged in, clicked “Config” -> “Subscribe pages” -> “Edit” (icon) -> “Select the lists to offer” tab, and–indeed–there was nothing checked!

Wow, this is a very, very obscure configuration error. I think, at the least, we should add a line to emit an error (exception?) to the logs indicating that an unexpected input was encountered, and that the admin should verify that there is at least one list selected in the relevant Subscribe Page. For example:

ERROR: Unexpected input error: No "lists to offer" selected. Please confirm that at least one list was checked in the "Select the lists to offer" tab of the "Subscribe Pages" config in the phplist admin web interface for Subscribe Page #2 = "Subscribe to our newsletter"

#10

@maltfield Sounds good - will you submit a PR for that?


#11

There is a coding mistake that should be fixed which should stop your failure due to “hack attempt”.

It is valid to not choose a list for the subscribe page, as then all public lists will be offered. Whether that is appropriate for asubscribe probably needs to be discussed.


#12

ok, I submitted a PR with both changes:

  1. I added an error (in the form of an exception) to be emitted just before the ‘exit’ is called, to help make the trace more transparent in case anyone encounters this ‘exit’ and needs to debug it in the future.
  2. I added a check to the ‘asubscribe’ section in index.php which fixes the logic error @duncanc describes, preventing it from adding an empty element to the $_POST[‘list’] associative array when $listid is the empty string (because $GLOBALS[‘pagedata’][‘lists’] is an empty array).