
Ticket #778 (fixed bug)

Contents of code tag susceptible to alteration.

  • Created: 2012-12-03 07:17:36
  • Reported by: xot
  • Assigned to: Franz
  • Milestone: 1.5.2
  • Component: parser
  • Priority: normal

I run a programming website running FluxBB 1.5.1 and one of the long-standing problems with PunBB/FluxBB is its handling of the contents of code tags.

The parser is smart enough to escape any BBCode it finds inside code tags, but it is not smart enough to prevent the tags from being converted to lowercase.

This becomes a real problem when someone posts source code containing arrays. For example: "sample_array[B ]" becomes "sample_array[b ]", that is, the index "B" becomes "b", breaking the source code.

My personal solution has been to remove strtolower() at three places in the parser. It means users have to be sure to use lowercase tags when they post, but at least the source code they post is posted correctly, something you'll agree is critical for a programming site.

I'm sure there is a better way to do this that preserves the "helpful" case changing aspect of FluxBB, but the parser is a bit too convoluted and unfamiliar for me to fix myself. I'd love to see this problem addressed.

P.S.

Even your bug tracker is giving me grief over the example arrays because it thinks they are BBCode. I've inserted spaces to fool the parser. hmm

History

xot 2012-12-03 07:20:05

  • Description changed. (Diff)

xot 2012-12-03 07:21:53

  • Description changed. (Diff)

Franz 2012-12-03 09:38:58

  • Milestone set to 1.5.2.

Phew, seeing the subject, I first thought this was a security issue.

Thanks for the report, we'll address it shortly!

Franz 2013-01-02 14:02:34

  • Owner set to Franz.

Franz 2013-01-03 15:38:59

Commit ee58aca to fluxbb master

#778: Make sure content of code tags is not preparsed.

Franz 2013-01-03 15:39:00

Ok, I just committed a fix. Can you apply that commit to your installation of FluxBB and play around with it? (Old posts will not be fixed.)

Not sure if this breaks anything else...

quy 2013-01-05 03:38:12

Per php.net:

Always use quotes around a string literal array index. For example, $foo['bar'] is correct, while $foo[bar] is not. But why? The reason is that this code has an undefined constant (bar) rather than a string ('bar' - notice the quotes). PHP may in future define constants which, unfortunately for such code, have the same name. It works because PHP automatically converts a bare string (an unquoted string which does not correspond to any known symbol) into a string which contains the bare string. For instance, if there is no defined constant named bar, then PHP will substitute in the string 'bar' and use that.

Franz 2013-01-05 09:19:55

Huh? Is that a bug report, Quy? I'm afraid I don't understand the reference...

quy 2013-01-05 13:35:52

Sorry, not a bug report. It is to reference the example provided by the user. It should be: sample_array['B'] and not sample_array[B ]

Edit: never mind. Found an exception: print "Hello {$arr[fruit]}";

Comment edited 1 times (Diff)

Franz 2013-01-05 14:18:24

  • Status changed from open to fixed.

Crossing fingers then. smile

xot 2013-01-10 19:20:39

For whatever reason I haven't been getting email updates about this ticket. The fix seems to have solved the problem. Many thanks!
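
The lowercasing problem reported in this ticket, next to the approach the commit message names (leaving the content of code tags alone during preparsing), as an added example. It is not FluxBB's parser code or the contents of the commit; the function names, the regular expressions and the sample post are constructed for illustration, and the report's `sample_array[B ]` is written here without the space.

```php
<?php
// Added illustration: hypothetical helpers, not taken from FluxBB.

// Behaviour described in the report: every bracketed tag name is lowercased,
// including bracketed tokens that are really source code inside [code] blocks.
function lowercase_tags_naive(string $text): string
{
    return preg_replace_callback(
        '%\[(/?)([a-zA-Z]+)(?==|\])%',          // "[b", "[/B", "[URL" before "=" or "]"
        fn(array $m): string => '[' . $m[1] . strtolower($m[2]),
        $text
    ) ?? $text;                                  // keep the input if PCRE reports an error
}

// Same normalisation, but the body of each [code]...[/code] block is passed
// through byte for byte; only the delimiters themselves are normalised.
function lowercase_tags_skip_code(string $text): string
{
    // With PREG_SPLIT_DELIM_CAPTURE the result alternates:
    // even index = ordinary text, odd index = one complete code block.
    $parts = preg_split('%(\[code\].*?\[/code\])%is', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    if ($parts === false) {
        return $text;
    }
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {
            $parts[$i] = lowercase_tags_naive($part);
        } else {
            // strlen('[code]') = 6 and strlen('[/code]') = 7
            $parts[$i] = '[code]' . substr($part, 6, -7) . '[/code]';
        }
    }
    // An unclosed [code] never matches the split pattern, so it is treated as
    // ordinary text here; a real parser has to decide how to handle that case.
    return implode('', $parts);
}

// Constructed sample post.
$post = "Use [B]bold[/B] text.\n"
      . "[CODE]x = sample_array[B] + table[I];[/CODE]\n"
      . "[URL=http://Example.com/Path]link[/URL]";

echo lowercase_tags_naive($post), "\n---\n", lowercase_tags_skip_code($post), "\n";
```

Both functions lowercase only the tag name, so the `[URL=...]` attribute keeps its case in either output; the difference is confined to the array indices inside the code block.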