Revigniter V2 sanitizing issue


Ralf Bitter
Posts: 21
Joined: Mon Aug 26, 2013 6:49 pm

Re: Revigniter V2 sanitizing issue

Post by Ralf Bitter » Thu Dec 09, 2021 10:25 pm

Hi istech,

I don’t think it has to do with your installation.
There is something else you should pay attention to,
and that is the usage of libURLFormData when posting
arrayencoded arrays. Here is what I do:

Code:

put JSONToArray(tJSON) into tJsonA

set the httpHeaders to "Content-Type: application/lc.array"

post libURLFormData("testPOST", base64Encode(the arrayencode of tJsonA)) to URL "http://example.com/istechInputTest"

or in case the data should be compressed

Code:

put JSONToArray(tJSON) into tJsonA

set the httpHeaders to "Content-Type: application/lc.array.compressed"

post libURLFormData("testPOST", base64Encode(the compress of the arrayencode of tJsonA)) to URL "http://example.com/istechInputTest"

server code example

Code:

put $_POST["testPOST"] into tData

put "todo =" && tData["link"]["todo"]

Please let me know if this helps.
Ralf

istech
Posts: 194
Joined: Thu Sep 19, 2013 10:08 am

Re: Revigniter V2 sanitizing issue

Post by istech » Sat Dec 18, 2021 12:58 pm

Hi Ralf,

Apologies for not getting back to you sooner as I was away on business.

I can confirm this solution works for my situation. But still interested in the why.

Should I be posting as form data for Revigniter? Or is this more of a workaround for my situation?

No hurry, as just for my understanding of the problem I was facing.

Again many thanks for your time.

Ralf Bitter
Posts: 21
Joined: Mon Aug 26, 2013 6:49 pm

Re: Revigniter V2 sanitizing issue

Post by Ralf Bitter » Sun Dec 19, 2021 2:54 pm

Hi istech,

sorry for the late reply. Yes, using libURLFormData() is currently a
requirement for posting LC arrays to revigniter. But I have been messing
around with the code of the Input library and can tell this will change
with the next release.

This means that one will be able to post LC arrays without having to use
the libURLFormData() function. Also, one will be able to use libURLFormData()
to post JSON data, which is currently not possible. All these restrictions will
be removed.

The next release is in the pipeline.
Ralf

istech
Posts: 194
Joined: Thu Sep 19, 2013 10:08 am

Re: Revigniter V2 sanitizing issue

Post by istech » Tue Dec 21, 2021 10:19 pm

Ahh Great!!

Looking forward to it.

Again thanks for your dedication and time.

Ralf Bitter
Posts: 21
Joined: Mon Aug 26, 2013 6:49 pm

Re: Revigniter V2 sanitizing issue

Post by Ralf Bitter » Wed Dec 22, 2021 9:44 am

Hi istech,

the new release (version 2.3.3) can be downloaded here:

https://revigniter.com/

or here:

https://github.com/revig/revigniter/
Ralf

istech
Posts: 194
Joined: Thu Sep 19, 2013 10:08 am

Re: Revigniter V2 sanitizing issue

Post by istech » Fri Jan 28, 2022 1:35 pm

Hi Ralf,

Sorry for the late reply, will be testing this shortly. Thanks for all your great work and will let you know if I find any problems.

istech
Posts: 194
Joined: Thu Sep 19, 2013 10:08 am

Re: Revigniter V2 sanitizing issue

Post by istech » Sat Dec 03, 2022 4:17 pm

Ralf Bitter wrote:
Wed Dec 22, 2021 9:44 am
Hi istech,

the new release (version 2.3.3) can be downloaded here:

https://revigniter.com/

or here:

https://github.com/revig/revigniter/

Hi Ralf and all,

I do hope you all are doing well.

If you get a chance I have run into an issue that I am currently troubleshooting which may concern a bug in revigniter or maybe just not be supported at the moment.

I have recently upgraded my LiveCode Server Engine version to 9.6.8 and no longer receive POSTs, or POSTs are not being passed through the input lib back to the POST so are seen as empty.

I have checked that revigniter is receiving the POST but is not passing it along to "put urlDecode(tPOSTrawVariableValue) into $_POST"

I am using the same base64 encoded JSON array using the libURLFormData to send. However, with the latest engine, either the header or revigniter is not recognizing the header type and throws it to the "_rigVarPostFallback()". I'm tempted to roll back the version but would be better to find the cause and fix it, no? This also may help others if they run into the same situation.

Any suggestions would be appreciated.

Thanks

Ralf Bitter
Posts: 21
Joined: Mon Aug 26, 2013 6:49 pm

Re: Revigniter V2 sanitizing issue

Post by Ralf Bitter » Sat Dec 03, 2022 8:06 pm

Hi istech,

if I understood you correctly, you are sending base64 encoded JSON data. In this case do not use libURLFormData() and do not send an application/lc.array nor an application/json Content-Type header. On the server side use:

Code:

put base64Decode($_POST_RAW) into tJSON

If you like to use libURLFormData() like in:

Code:

put libURLFormData("myKey", base64Encode(tJSONdata)) into tDataToPost

then the code on the server side should read:

Code:

put base64Decode($_POST["myKey"]) into tJSON

If you like to send JSON data without encoding it, you need to send an application/json Content-Type header. Then retrieve the JSON data on the server side from $_POST, from $_POST_RAW, from rigVarPost() or from rigVarPost(, TRUE) respectively.

Did tests here using LC server version 9.6.8 and all worked as expected.

Please let me know if this helps.
Ralf

istech
Posts: 194
Joined: Thu Sep 19, 2013 10:08 am

Re: Revigniter V2 sanitizing issue

Post by istech » Sun Dec 04, 2022 9:09 am

Ralf Bitter wrote:
Sat Dec 03, 2022 8:06 pm
Hi istech,

if I understood you correctly, you are sending base64 encoded JSON data. In this case do not use libURLFormData() and do not send an application/lc.array nor an application/json Content-Type header. On the server side use:

Code:

put base64Decode($_POST_RAW) into tJSON

If you like to use libURLFormData() like in:

Code:

put libURLFormData("myKey", base64Encode(tJSONdata)) into tDataToPost

then the code on the server side should read:

Code:

put base64Decode($_POST["myKey"]) into tJSON

If you like to send JSON data without encoding it, you need to send an application/json Content-Type header. Then retrieve the JSON data on the server side from $_POST, from $_POST_RAW, from rigVarPost() or from rigVarPost(, TRUE) respectively.

Did tests here using LC server version 9.6.8 and all worked as expected.

Please let me know if this helps.

Hi Ralf,

Hope you are doing well.

I use the

Code:

put libURLFormData("myKey", base64Encode(tJSONdata)) into tDataToPost

to post

then

Code:

put base64Decode($_POST["myKey"]) into tJSON

to get the information.

I narrowed it down to my header which is

Code:

"Content-Type: application/json; charset=UTF-8"

and revigniter sees

Code:

(sInputA["contentType"] is "application/json") \

so sends to "put _rigVarPostFallback() into $_POST" which comes back empty so I'm not getting the $_POST data? The thing is I have not changed anything apart from the engine. So very strange for this to start happening. Still investigating and will update the thread when I do. I can get it from $_POST_RAW but then need to urlDecode it. My position is why the change? Why is $_POST now not getting the data?

My current header is below:

Accept: application/json; charset=UTF-8
Accept-Charset: UTF-8
Accept-Encoding: base64
Content-Type: application/json; charset=UTF-8
Content-Encoding: base64

Ralf Bitter
Posts: 21
Joined: Mon Aug 26, 2013 6:49 pm

Re: Revigniter V2 sanitizing issue

Post by Ralf Bitter » Sun Dec 04, 2022 3:37 pm

Hi istech,

considering your code (encoding JSON, using libURLFormData(), sending an application/json Content-Type header), $_POST["myKey"] is empty, that's true, but $_POST is not empty. At least this is what I am noticing. The code to get the data should read:

Code:

put base64Decode($_POST) into tJSON

So, before updating the LC engine, did you really use an array key like $_POST["myKey"] to get the data? Which LC server engine did you use in the past? And one last question, I am just curious: Why do you send an application/json Content-Type header although you are sending base64 encoded Data?
Ralf
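
An added illustration in Python (not revigniter's code and not part of the thread) of the header/body mismatch discussed above: a body built the way a form-data helper builds it, but labelled application/json; charset=UTF-8. The function names, the strict reject-on-mismatch policy and the sample payload are assumptions constructed for this example.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

def media_type(content_type_header):
    """Return the bare media type, dropping parameters such as charset."""
    return content_type_header.split(";", 1)[0].strip().lower()

def decode_body(content_type_header, raw_body, key="myKey"):
    """Decode a POST body strictly according to its declared media type.

    Raises ValueError on a header/body mismatch instead of falling back.
    """
    mtype = media_type(content_type_header)
    if mtype == "application/json":
        try:
            return json.loads(raw_body)
        except json.JSONDecodeError as exc:
            raise ValueError("declared application/json, body is not JSON") from exc
    if mtype == "application/x-www-form-urlencoded":
        fields = parse_qs(raw_body, strict_parsing=True)
        if key not in fields:
            raise ValueError("form field %r missing" % key)
        decoded = base64.b64decode(fields[key][0], validate=True)
        return json.loads(decoded)
    raise ValueError("unsupported media type: " + mtype)

# Constructed sample: key=value body carrying URL-encoded base64 JSON.
SAMPLE_JSON = {"link": {"todo": "test"}}
FORM_BODY = urlencode(
    {"myKey": base64.b64encode(json.dumps(SAMPLE_JSON).encode()).decode()})

def demo():
    results = {}
    # Header and body agree: the field is found and decoded.
    results["form"] = decode_body("application/x-www-form-urlencoded", FORM_BODY)
    # Header from the thread with a form-encoded body: rejected, not guessed.
    try:
        decode_body("application/json; charset=UTF-8", FORM_BODY)
        results["mismatch"] = "accepted"
    except ValueError as exc:
        results["mismatch"] = str(exc)
    # Real JSON under the same header parses; the charset parameter is ignored.
    results["json"] = decode_body("application/json; charset=UTF-8",
                                  json.dumps(SAMPLE_JSON))
    return results
```

The form body ends in %3D because the base64 padding is URL-encoded, which is why the raw body has to be URL-decoded before base64 decoding when it is read without form parsing.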

istech
Posts: 194
Joined: Thu Sep 19, 2013 10:08 am

Re: Revigniter V2 sanitizing issue

Post by istech » Tue Dec 06, 2022 8:27 am

Hi Ralf,

Sorry for the late reply,

Yes you are correct, I now have changed the code to

Code:

put base64Decode($_POST)/$_POST_RAW into tJSON

and process the data from there. Just strange as to why the change is needed. Maybe since the revigniter upgrade my server cached the older input script? Cannot say for sure. But working as expected with the changes now.


In answering your question about base64. I mostly use it for integrity and for me is the most efficient encoding for my use case. I have users inputting exotic characters and deal with binary data as well. This also helps negate other problematic issues that could arise like virus scanners, malware scanners etc.

Ralf Bitter
Posts: 21
Joined: Mon Aug 26, 2013 6:49 pm

Re: Revigniter V2 sanitizing issue

Post by Ralf Bitter » Tue Dec 06, 2022 9:32 am

Hi istech,

thanks for your feedback, I am glad it works now.
My question was not related to base64, I was curious about why you send an application/json Content-Type header.
Ralf

istech
Posts: 194
Joined: Thu Sep 19, 2013 10:08 am

Re: Revigniter V2 sanitizing issue

Post by istech » Tue Dec 06, 2022 2:35 pm

Ralf Bitter wrote:
Tue Dec 06, 2022 9:32 am
Hi istech,

thanks for your feedback, I am glad it works now.
My question was not related to base64, I was curious about why you send an application/json Content-Type header.

Apologies Ralf, I did misread your question. It is for the api I'm using. Definitely a custom setup. But works very well. I'd love to show you some more and even get your input. If you are interested please send me a private message as would be off-topic here.

Again thanks for your time and patience.

Regards,

Tony
