1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Fixed css.php user variable checking

Discussion in 'Resolved Bug Reports' started by Kent, Jun 20, 2012.

  1. Kent

    Kent Active Member

    css.php doesn't check user variables' data types, so passing an array for example will cause a (harmless) error. This shouldn't happen under normal usage, and doesn't appear to have any potential security concern so long as the error is caught, however, some functions may return unexpected values because they don't throw an error.

    Example: css.php?dir[]=test
    ErrorException: strtoupper() expects parameter 1 to be string, array given - library/XenForo/CssOutput.php:97

    The "style" and "d" params don't throw an error from an array being passed because intval accepts arrays and returns 0 if empty and 1 if not. The "css" param also doesn't throw an error, as strval will return "Array" if an array is passed.
  2. Mike

    Mike XenForo Developer Staff Member

    Oh, I fixed this one already too. :)

Share This Page