Which right do i have to give IIS_WPG on windows 2003 r2
Posted: Thu Nov 09, 2006 3:19 pm
by nomukrt
Hello, I installed IIS 6.0 on Windows 2003 Server R2 and configured it with PHP and ISAPI, so I can just see the info from phpinfo.php. So far so good: I have a working web server with PHP support, and so I started to install phpMyFAQ. All seems to be right: I can make categories and I can create questions, but when I write the text into the editor control and save, the text which I entered in the editor control doesn't appear the next time I open that FAQ. So I think the IIS_WPG user needs some rights to write to a file or something like that? Does anybody have a fully working installation with IIS 6.0, PHP5 and phpMyFAQ 1.6.6?

Re: Which right do i have to give IIS_WPG on windows 2003 r2
Posted: Thu Nov 09, 2006 5:26 pm
by matteo
Hi,
nomukrt wrote: Hello, I installed IIS 6.0 on Windows 2003 Server R2 and configured it with PHP and ISAPI, so I can just see the info from phpinfo.php. So far so good: I have a working web server with PHP support, and so I started to install phpMyFAQ. All seems to be right: I can make categories and I can create questions, but when I write the text into the editor control and save, the text which I entered in the editor control doesn't appear the next time I open that FAQ. So I think the IIS_WPG user needs some rights to write to a file or something like that?
it simply needs the right to write to the DB, nothing more. Which DB are you using?
nomukrt wrote: Does anybody have a fully working installation with IIS 6.0, PHP5 and phpMyFAQ 1.6.6?

I'm running PMF on IIS 5.0 and PHP 5.1.6/4.4.4/4.3.5, with MySQL 4.1.20, MSDE 2000, MS SQL 2000 SP4. I could test PMF on IIS 6.0 but I think that the issue is not related to IIS: you could check if your IIS 6.0 is preventing the load of some files by looking at 404 errors in your log file, but the WYSIWYG editor simply uses some .js files and this extension is enabled by default even on IIS 6.0.
At least the text could be truncated: read here.
My suggestions are:
- Post here the PMF backend homepage sections phpMyFAQ Information and System Information;
- Check for any strange error in your log files, both PHP ones and 404s;
- Check with the Metabase Explorer (IIS SDK) for any too small limit in HTTP POST size (AspMaxRequestEntityAllowed);
- Drop an eye to faqdata table where the content should be stored if it is not empty.
Ciao,
Matteo
It seems to be a character/encoding problem
Posted: Fri Nov 10, 2006 11:16 am
by nomukrt
Hello,
I have just tested a few scenarios and now I can reproduce the error: if I write the following text in the editor control:
Wie fixt man den Fehler:Beim Starten des zentralen Programms "HP Director" erscheint die Meldung "Visual C++ Runtime Error ..."
Lösung: lokales Loginscript namens LocalLogon.cmd mit folgendem Inhalt anlegen:
@echo off
%SystemRoot%\system32\xcopy.exe /I /S /Y "%CommonProgramFiles%\ZDV\Hewlett-Packard" "%APPDATA%\Hewlett-Packard"
Verzeichnis %CommonProgramFiles%\ZDV\Hewlett-Packard\Digital Imaging
anlegen mit folgenden Dateien als Daten devices.xml, settings.xml
then nothing of the text will be saved.
If I paste the following text into the editor control:
Wie fixt man den Fehler:Beim Starten des zentralen Programms "HP Director" erscheint die Meldung "Visual C++ Runtime Error ..."
Loesung: lokales Loginscript namens LocalLogon.cmd mit folgendem Inhalt anlegen:
@echo off
%SystemRoot%\system32\xcopy.exe /I /S /Y "%CommonProgramFiles%\ZDV\Hewlett-Packard" "%APPDATA%\Hewlett-Packard"
Verzeichnis %CommonProgramFiles%\ZDV\Hewlett-Packard\Digital Imaging
anlegen mit folgenden Dateien als Daten devices.xml, settings.xml
the complete text is saved and everything works fine. So I think the character ö is the reason for the fault.
My System
phpMyFAQ Version phpMyFAQ 1.6.6
Server Software Microsoft-IIS/6.0
PHP Version PHP 5.2.0
Register Globals off
Safe Mode off
Database Client Version 5.0.22
Database Server Version 5.0.27-community-nt
Webserver Interface ISAPI
Re: It seems to be a character/encoding problem
Posted: Fri Nov 10, 2006 1:21 pm
by matteo
Hi,
nomukrt wrote:So i think the character ö is the reason for the fault.
My System
phpMyFAQ Version phpMyFAQ 1.6.6
Server Software Microsoft-IIS/6.0
PHP Version PHP 5.2.0
Register Globals off
Safe Mode off
Database Client Version 5.0.22
Database Server Version 5.0.27-community-nt
Webserver Interface ISAPI
thanks for your effort in finding out what's causing the issue in your system: we'll look at it building a similar environment, at least MySQL 5.0.22 and PHP 5.2.0.
Ciao,
Matteo
The issue is related to PHP 5.2.0 and our PMF_Init::basicXSS
Posted: Fri Nov 17, 2006 7:31 pm
by matteo
Hi,
the issue is related only to adopting PHP 5.2.0 (nothing to do with IIS 6.0 or Windows) 'cause something that changed in 5.2.0 (it seems not related to the new filters) is now breaking the RegExps in our PMF_Init::basicXSS.
In the meantime, waiting for a fix in PMF, you could replace that method in inc/Init.php with the one below:
Code:
function basicXSSClean($string)
{
    // Reject input that contains a NUL byte
    if (strpos($string, "\0") !== false) {
        return null;
    }
    // Undo the backslashes added by magic quotes
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    // Encode the ampersand of already-encoded &amp;, &lt; and &gt; entities once more
    $string = str_replace(array("&amp;","&lt;","&gt;"),array("&amp;amp;","&amp;lt;","&amp;gt;",),$string);
    // Drop the regexps waiting for QA/Fix using PHP 5.2.0
    //remove really unwanted tags
    do {
        $oldstring = $string;
        $string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);
    } while ($oldstring != $string);
    return $string;
}
It's a safe workaround if your server is not public.
Stay tuned,
Matteo
EDIT: From the PHP changelog: Updated PCRE to version 6.7. (Ilia)
Posted: Sat Nov 18, 2006 1:02 am
by calande
Ooops... This didn't work...It adds 7 backslashes in front of each single quote. Ie:
Posted: Sat Nov 18, 2006 1:17 am
by matteo
Hi,
I cannot actually test it 'till Monday but here are some more notes. From:
- Bug #39405 regular expression breaking on strings >= 24999 characters;
- NEW PCRE Configuration Options:
pcre.backtrack_limit = 100000
pcre.recursion_limit = 100000
it seems that:
in php.ini should fix it or at least this should avoid another possible issue on PMF when running under PHP 5.2.0.
Ciao,
Matteo
Posted: Sat Nov 18, 2006 1:21 am
by matteo
Hi,
calande wrote:Ooops... This didn't work...It adds 7 backslashes in front of each single quote. Ie:
that's 'cause in the previous post (just fixed now) I missed this piece of code:
Code:
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
and you have magic quotes on.
Question: could you recover the original function and test if setting pcre.backtrack_limit to -1 solves the issue?
Ciao,
Matteo
Posted: Mon Nov 20, 2006 10:51 am
by matteo
Hi,
matteo wrote:it seems that:
in php.ini should fix it or at least this should avoid another possible issue on PMF when running under PHP 5.2.0.
here is an update on the debug progress: I can confirm that the 2 new params, introduced with 5.2.0, optionally trigger another kind of issue.
The current issue, coming ONLY when running PHP 5.2.0 for a PMF server, is that the PCRE_UTF8 modifier, u, seems to work no longer: that's the reason why I've suggested to temporarily remove each of the preg_replace calls IF/WHEN they contain the PCRE_UTF8 modifier.
Stay tuned,
Matteo
Posted: Mon Nov 20, 2006 11:36 am
by matteo
Hi all,
here is a working (BUT not the final) version of the PMF_Init::basicXSSClean static method:
Code:
function basicXSSClean($string)
{
    global $PMF_LANG;
    // Reject input that contains a NUL byte
    if (strpos($string, "\0") !== false) {
        return null;
    }
    // Undo the backslashes added by magic quotes
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    // Encode the ampersand of already-encoded &amp;, &lt; and &gt; entities once more,
    // so that html_entity_decode() below leaves them encoded
    $string = str_replace(array("&amp;","&lt;","&gt;"),array("&amp;amp;","&amp;lt;","&amp;gt;",),$string);
    // The "u" (PCRE_UTF8) patterns below need UTF-8 input: convert from the page charset
    $string = mb_convert_encoding($string, 'utf-8', $PMF_LANG["metaCharset"]);
    // fix &entity\n;
    $string = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u',"$1;",$string);
    $string = preg_replace('#(&\#x*)([0-9A-F]+);*#iu',"$1$2;",$string);
    $string = html_entity_decode($string, ENT_COMPAT);
    // remove any attribute starting with "on" or xmlns
    $string = preg_replace('#(<[^>]+[\x00-\x20\"\'])(on|xmlns)[^>]*>#iUu',"$1>",$string);
    // remove javascript: and vbscript: protocol
    $string = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([\`\'\"]*)[\\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iUu','$1=$2nojavascript...',$string);
    $string = preg_replace('#([a-z]*)[\x00-\x20]*=([\'\"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iUu','$1=$2novbscript...',$string);
    //<span style="width: expression(alert('Ping!'));"></span>
    // only works in ie...
    $string = preg_replace('#(<[^>]+)style[\x00-\x20]*=[\x00-\x20]*([\`\'\"]*).*expression[\x00-\x20]*\([^>]*>#iUu',"$1>",$string);
    $string = preg_replace('#(<[^>]+)style[\x00-\x20]*=[\x00-\x20]*([\`\'\"]*).*behaviour[\x00-\x20]*\([^>]*>#iUu',"$1>",$string);
    $string = preg_replace('#(<[^>]+)style[\x00-\x20]*=[\x00-\x20]*([\`\'\"]*).*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*>#iUu',"$1>",$string);
    //remove namespaced elements (we do not need them...)
    $string = preg_replace('#</*\w+:\w[^>]*>#i',"",$string);
    //remove really unwanted tags
    do {
        $oldstring = $string;
        $string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);
    } while ($oldstring != $string);
    // Convert back to the page charset
    $string = mb_convert_encoding($string, $PMF_LANG["metaCharset"], 'utf-8');
    return $string;
}
What seems to have changed with PHP 5.2.0 is that the PCRE_UTF8 modifier needs each char to be UTF-8 encoded.
The next step will be an analysis to see if any of the "utf-8 regexps" could run without the PCRE_UTF8 modifier.
Stay tuned,
Matteo
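
The failure mode discussed in this thread, as an added example that is not part of the original posts or of phpMyFAQ: a pattern with the u (PCRE_UTF8) modifier makes preg_replace() return NULL for input that is not valid UTF-8, so a filter has to convert first and treat NULL as an error instead of storing it. safeUtf8Replace() and the sample string are constructed for illustration; the pattern is the "on"/xmlns rule from the function above.

```php
<?php
// Added example, not phpMyFAQ code. safeUtf8Replace() is a hypothetical helper.

/**
 * Run a /u pattern over text stored in $charset and fail loudly on a PCRE
 * error instead of handing NULL back to a caller that would save it.
 */
function safeUtf8Replace(string $pattern, string $replacement, string $text, string $charset): string
{
    // PCRE's UTF-8 mode rejects any subject that is not valid UTF-8,
    // so convert from the page charset first, as the posted function does.
    $utf8 = mb_convert_encoding($text, 'UTF-8', $charset);

    $result = preg_replace($pattern, $replacement, $utf8);
    if ($result === null) {
        // preg_last_error() tells bad UTF-8 apart from the backtrack and
        // recursion limits that PHP 5.2.0 also introduced.
        throw new RuntimeException('preg_replace failed, PCRE error ' . preg_last_error());
    }
    return mb_convert_encoding($result, $charset, 'UTF-8');
}

// Constructed sample: "Lösung" in ISO-8859-1, where ö is the single byte 0xF6.
$latin1  = "L\xF6sung: <a onclick=\"x()\">link</a>";
$pattern = '#(<[^>]+[\x00-\x20\"\'])(on|xmlns)[^>]*>#iUu';

// Raw ISO-8859-1 bytes against a /u pattern: the call fails as a whole,
// so neither the filtered nor the original text comes back.
$direct = preg_replace($pattern, '$1>', $latin1);
if ($direct === null && preg_last_error() === PREG_BAD_UTF8_ERROR) {
    echo "raw ISO-8859-1 input rejected by the /u pattern\n";
}

// Converting first lets the filter run and keeps the text.
$clean = safeUtf8Replace($pattern, '$1>', $latin1, 'ISO-8859-1');
echo mb_convert_encoding($clean, 'UTF-8', 'ISO-8859-1'), "\n";
```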
Posted: Thu Nov 23, 2006 10:32 pm
by matteo
Hi all,
the issue was fixed a few minutes ago in CVS, both for 1.6.7-dev and 2.0.0-beta.
Ciao,
Matteo