Fixed Invalid UTF-8 sequences may not be filtered out by InputFilterer::cleanArrayStrings

Xon

Affected version: 2.1.1
Something like the following causes search to fail unexpectedly (rather than return no results), and generates a logged error:
https://xenforo.com/community/search/search?c[nodes][0]=1%00%c0%a7%c0%a2&c[users]=Xon


This is because setupFromQuery saves the urlConstraint, which is parsed by the ['c' => 'array'] passed to InputFilterer::filter. This likely exists for any URL constraint that XF preserves, not just the example.

For a string, cleanInternal does extra processing compared to cleanArrayStrings, which just calls cleanString.

The !preg_match('/^./us', $value) likely needs to either be copied into cleanArrayStrings or moved into cleanString. As cleanString is a public entry point, this might be an issue for other code paths.
Thank you for reporting this issue. It has now been resolved and we are aiming to include it in a future XF release (2.1.2).

Change log:
Perform some additional string cleaning when filtering arrays of strings.
Any changes made as a result of this issue being resolved may not be rolled out here until later.
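
Added example, not part of the original thread and not XenForo's code: a sketch of array cleaning that applies the /^./us well-formedness check from the report to every nested string and key. The function names are hypothetical, and replacing a malformed value with an empty string is this example's assumption, not confirmed XF behaviour.

```php
<?php
// Added illustration, not XenForo source. Function names are hypothetical.

/** Well-formed UTF-8? The /^./us check cannot match '', so allow it explicitly. */
function isWellFormedUtf8(string $value): bool
{
    // With /u, PCRE validates the subject first; preg_match() returns false
    // (not 0 or 1) when the bytes are not valid UTF-8.
    return $value === '' || preg_match('/^./us', $value) === 1;
}

/** Recursively clean an array of strings, validating keys as well as values. */
function cleanArrayStringsStrict(array $input): array
{
    $out = [];
    foreach ($input as $key => $value) {
        // Keys come from the query string too, so they get the same check.
        if (is_string($key) && !isWellFormedUtf8($key)) {
            continue;
        }
        if (is_array($value)) {
            $out[$key] = cleanArrayStringsStrict($value);
        } elseif (is_string($value)) {
            // Assumption: malformed values become '' (this example's choice).
            $out[$key] = isWellFormedUtf8($value) ? $value : '';
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Query string taken from the report; parse_str() URL-decodes it into
// nested arrays, much as the 'c' constraint array reaches the filter.
parse_str('c[nodes][0]=1%00%c0%a7%c0%a2&c[users]=Xon', $query);
$clean = cleanArrayStringsStrict($query['c']);

var_export($clean);
```

The NUL byte alone is valid UTF-8; it is the 0xC0 lead bytes that make PCRE reject the string, so a filter that only strips control characters would still pass this value through.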