MSM PHP errors on second site but not original
Development and Programming
I had the same problem (as of a few weeks ago) and did some investigating. The most difficult part was that my site didn’t have same errors locally as it did live. This was because the errors were caused by the security library breaking on certain images on the live server.
It looks like the problem was fixed from EE 2.5+. EE 2.4- has the issue.
Notably the lines in the Security.php file 606 & 614 have got appropriate regex escaping in EE 2.5+:
$attribs[] = preg_quote($attr[0], '/');When image meta data that contains forward slashes is run through the security filter preg_replace it needs those forward slashes escaped.
tiff:XResolution="1800000/10000"Upgrading solved the issue for myself and hopefully will work for you too 😉
Hi Stephen,
Thanks for the info and clarification!
Another instance where the problem indicated in the error line actually resides somewhere else.
Cheers,
Guess I’ll have o try the upgrade since my server is still reporting these errors under 2.4.0. The odd thing is that I get them on the first load of a page, but then they go away on refresh. Not sure if that has something to do with caching.
Hey Adam,
The odd thing is that I get them on the first load of a page, but then they go away on refresh. Not sure if that has something to do with caching.
Something is definitely getting “stuck” then. Have you cleared all of ExpressionEngine’s caches? Same experience in different browsers? Do you have any caching enable at the server level, outside of ExpressionEngine?
Cheers,
Dan, As noted by ‘stephenfrank’ the issue doesn’t surface for everyone because it has to due with the stuff that’s being passed to the method in the Security.php file. If the passed in string has a “/” in it then it’s not properly escaped and throws the notification error. In my case I think it’s image files being passed through by an image resizer add-on. As stephen noted they can have ‘/’ in the meta data. The error is actually a CI ‘core’ file (system/codeigniter/core/Security.php) and not the EE one. As he pointed out this file was updated on line 606 in the EE 2.5+ update. The original one in 2.4+ was:
$attribs[] = preg_quote($attr[0]);The new line is:
$attribs[] = preg_quote($attr[0], '/');It’s a subtle change, but that second param on the preg_quote() function ensures that ‘/’ in the passed in string are properly escaped. I actually changed that line (again just for testing) in my dev install of EE 2.4 and the notification errors immediately went away.
Hey Adam,
Thanks for laying it out for me! Had all the pieces, just didn’t complete the puzzle 😊
Is there anything else I can assist you with?
Cheers,
Nope Dan. As always you’ve been awesome. I wanted mainly to post the clarification for anyone else who may wander across this issue. Since it’s fixed in 2.5+ that is the solution.