Fixed Error logs related to array structured cookies

[Alien]

Hey,

I hope you guys can help with this one.

I have two error log entries appearing over and over from this past Saturday to Monday...

Almost 300 pages worth of these errors. Both error messages occur with each other, and not every url string is identical...

I haven't changed anything on the server or anything software/add-on wise this past weekend.

Error 1:

Server error log
ErrorException: [E_NOTICE] Array to string conversion src/XF/Db/Mysqli/Statement.php:71
Generated by: Unknown account Oct 29, 2018 at 4:58 AM
Stack trace
#0 [internal function]: XF::handlePhpError(8, '[E_NOTICE] Arra...', '/home/xxxx/publi...', 71, Array)
#1 src/XF/Db/Mysqli/Statement.php(71): mysqli_stmt->execute()
#2 src/XF/Db/AbstractAdapter.php(79): XF\Db\Mysqli\Statement->execute()
#3 src/XF/Db/AbstractAdapter.php(91): XF\Db\AbstractAdapter->query('\r\n\t\t\t-- XFDB=fr...', Array)
#4 src/XF/Session/DbStorage.php(30): XF\Db\AbstractAdapter->fetchOne('\r\n\t\t\t-- XFDB=fr...', Array)
#5 src/XF/Session/Session.php(53): XF\Session\DbStorage->getSession(Array)
#6 src/XF/App.php(669): XF\Session\Session->start(']XNu')
#7 src/XF/Container.php(28): XF\App->XF\{closure}(Object(XF\Container))
#8 src/XF/Pub/App.php(39): XF\Container->offsetGet('session.public')
#9 src/XF/Container.php(28): XF\Pub\App->XF\Pub\{closure}(Object(XF\Container))
#10 src/XF/App.php(2250): XF\Container->offsetGet('session')
#11 src/XF/Pub/App.php(91): XF\App->session()
#12 src/XF/App.php(1927): XF\Pub\App->start(true)
#13 src/XF.php(329): XF\App->run()
#14 index.php(13): XF::runApp('XF\\Pub\\App')
#15 {main}
Request state
array(4) {
  ["url"] => string(22) "/tags/life/page-2.BAK_"
  ["referrer"] => bool(false)
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(0) {
  }
}

Error 2

Server error log
ErrorException: [E_WARNING] explode() expects parameter 2 to be string, array given src/XF/Pub/App.php:556
Generated by: Unknown account Oct 29, 2018 at 4:58 AM
Stack trace
#0 [internal function]: XF::handlePhpError(2, '[E_WARNING] exp...', '/home/xxxxxx/publi...', 556, Array)
#1 src/XF/Pub/App.php(556): explode(',', Array)
#2 src/XF/Pub/App.php(503): XF\Pub\App->addDefaultNotices(Object(XF\NoticeList), Array)
#3 src/XF/Pub/App.php(446): XF\Pub\App->getNoticeList(Array)
#4 src/XF/App.php(1766): XF\Pub\App->renderPageHtml('\n\n\n\n\n\n<div clas...', Array, Object(XF\Mvc\Reply\View), Object(XF\Mvc\Renderer\Html))
#5 src/XF/Mvc/Dispatcher.php(310): XF\App->renderPage('\n\n\n\n\n\n<div clas...', Object(XF\Mvc\Reply\View), Object(XF\Mvc\Renderer\Html))
#6 src/XF/Mvc/Dispatcher.php(44): XF\Mvc\Dispatcher->render(Object(XF\Mvc\Reply\View), 'BAK_')
#7 src/XF/App.php(1931): XF\Mvc\Dispatcher->run()
#8 src/XF.php(329): XF\App->run()
#9 index.php(13): XF::runApp('XF\\Pub\\App')
#10 {main}
Request state
array(4) {
  ["url"] => string(22) "/tags/life/page-2.BAK_"
  ["referrer"] => bool(false)
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(0) {
  }
}

 

[Mike]

At this point, I think these need to be disregarded. I don't think they should generally be problematic. I think this may be indicative a request where some cookies were unexpectedly set to an array format, where our code is expecting a string. If I had to guess, by the weird URL, it was some automated process which created them.

I will move this to bugs so we can try to handle this style of input better.

 

[Alien]

I've gotten them from more "normal" URL strings such as:

["url"] => string(13) "/pages/rules/"
["url"] => string(13) "/misc/contact"
["url"] => string(17) "/whats-new/posts/"
["url"] => string(19) "/members/bre.29217/"
["url"] => string(14) "/help/cookies/"

...Etc...

 

[argy]

Hi. Did you found any solution?
We have the same issue since this weekend.

 

[XF Bug Bot]

Thank you for reporting this issue. The issue is now resolved and we are aiming to include that in a future XF release (2.0.11).

Change log:

By default, do not allow cookies to be retrieved as arrays to prevent unexpected behavior. (Array support can now be opted into explicitly.)

Any changes made as a result of this issue being resolved may not be rolled out here until later.