back to phpList.org

Purpose of "hack attempt" exit in subscribelib2.php

development
Tags: #<Tag:0x00007f2b188ce4f8>

#1

Hi,

Can someone please tell me why this “exit” exists in subscribelib2.php? What types of hacks does it avert?

I ask because I’m working on an ajax form (using jquery) to subscribe a user to a phplist newsletter from a distinct website without requiring our user to leave that website. Unfortunately, after my ajax form is submitted to phplist, subscribelib2.php is prematurely exiting at the line above due to “hack attempt”.

I did some debugging. Here is the print_r() of $_POST[‘list’] as subscribelib2.php sees it when my ajax form from a distinct domain submits to our phplist site at /lists/index.php?p=asubscribe&id=2:

Array\n(\n    [2] => signup\n    [] => signup\n)\n

For comparison, here is the print_r() of $_POST[‘list’] as subscribelib2.php sees it when I attempt to subscribe from the form on the phplist site at /lists/index.php?p=subscribe&id=2

Array\n(\n    [2] => signup\n)\n

As you can see, subscribelib2.php sees an additional element in the array whoose index is empty. Then the $key in the code linked above is empty, and therefore subscribelib2.php prematurely exits after the comment “hack attempt”.

My ajax form has a hidden input as follows:

<input type="hidden" name="list[2]" value="signup" />

I do not define an input with name = “list[]”. I’m not sure where php is getting that input; even my browser’s js console’s Params tab only shows me the one named “list[2]” with value “signup”. Perhaps the “list[]” is a confused byproduct of the way jquery.ajax() serializes the data from the form before passing it to phplist?

In any case, I’m wondering if the “hack attempt” exit is actually useful. If it is, I’d like to submit a PR to include comments in the code describing what it exactly is for. If it’s not doing anything, then I’d like to submit a PR to remove that exit so that my ajax submission form (which is benevolent) will work.

Please let me know if it’s acceptable to remove the logic linked above from subscribelib2.php or not.


#2

Update: I discovered that the additional element in the $_POST[‘list’] array is actually added by phplist, not ajax! It occurs here:

My question still stands, and I’m even more of the opinion that this “hack attempt” exit should be removed since I’m more confident that my ajax form is doing the “right thing” here.


#3

Perhaps @michiel knows?


#4

@maltfield The entry with an empty key shouldn’t be present so I guess that there is something wrong with the html/javascript or the subscribe page as defined in phplist.

If you use the browser tools to look at the data that is being sent from the browser that might clarify where the problem is.


#5

This may well be the cause of the problem.

If you have not selected a list, in which case the subscribe page will default to offering all public lists, then the variable $GLOBALS[‘pagedata’][“lists”] will be an empty string. using explode() on an empty string returns an array of one entry, which is itself an empty string.


#6

the “hack attempt” was at the time a way to handle input that was considered unexpected. By the sounds of it, this could do with a review and possible update.


#7

@duncac, thanks! Can you tell me what exactly you mean by “selected a list”?

My ajax submitted a hidden form input with “list[2]=signup” – does that qualify as selecting the list #2?

Regardless of the above form input, when I submit it to /lists/index.php?p=asubscribe&id=2, the phplist script still tries to add to the contents of $GLOBALS[‘pagedata’][‘lists’] to $_POST[‘list’].

What should $GLOBALS[‘pagedata’][‘lists’] be set to? For me it’s == ‘’

I guess I see at least the following fixes:

  1. Remove the “hack attempt” else block entirely, including the ‘exit’ causing this issue
  2. wrap the one-line in this foreach loop in an if condition that makes sure that $listid is not empty before attempting to add it to the $_POST[‘list’] array. https://github.com/phpList/phplist3/blob/19baaaa476bb532f53430ff9b3e7fd73e61991a1/public_html/lists/index.php#L247-L249

#8

When you created the subscribe page in phplist, did you select a list?
image

I thought that there was some documentation explaining the constraints on a subscribe page to be used for ajax but I can’t immediately find it.