A cookie pair named `username` and `password` will prevent logging in

[ozh]

YOURLS stores credentials (hashed login / password) in a uniquely named cookie, something like yourls_75715761fe7da[...]199e566c53f27eeb, see yourls_store_cookie().

Yet, if two cookies named username and password are present, it makes logging in impossible

Most likely this is because we're loosely checking $_REQUEST (here for instance) which can contain $_GET, $_POST... and $_COOKIE.

$_REQUEST is thoroughly used across YOURLS, maybe we should introduce a function to fetch $_GET or $_POST but not those darn cookies.

Possible references: #3382, #3087, #3351

[ozh]

Note that this is server dependent : this depends on variables_order or request_order. Default is EGPCS (Environment, Get, Post, Cookie, and Server) but many host restrict this to only GP.

[ozh]

Current state of mind : in yourls_fix_request_uri() we could simply toss a $_REQUEST = array_merge( $_GET, $_POST ); to always ignore cookies, env and server, no matter what the php.ini config

@LeoColomb you think that would have side effect on Docker?

---

YOURLS/includes/functions.php

Lines 1019 to 1060 in 16be4c3

	function yourls_fix_request_uri() {
	$default_server_values = [
	'SERVER_SOFTWARE' => '',
	'REQUEST_URI' => '',
	];
	$_SERVER = array_merge( $default_server_values, $_SERVER );
	// Fix for IIS when running with PHP ISAPI
	if ( empty( $_SERVER[ 'REQUEST_URI' ] ) || ( php_sapi_name() != 'cgi-fcgi' && preg_match( '/^Microsoft-IIS\//', $_SERVER[ 'SERVER_SOFTWARE' ] ) ) ) {
	// IIS Mod-Rewrite
	if ( isset( $_SERVER[ 'HTTP_X_ORIGINAL_URL' ] ) ) {
	$_SERVER[ 'REQUEST_URI' ] = $_SERVER[ 'HTTP_X_ORIGINAL_URL' ];
	}
	// IIS Isapi_Rewrite
	elseif ( isset( $_SERVER[ 'HTTP_X_REWRITE_URL' ] ) ) {
	$_SERVER[ 'REQUEST_URI' ] = $_SERVER[ 'HTTP_X_REWRITE_URL' ];
	}
	else {
	// Use ORIG_PATH_INFO if there is no PATH_INFO
	if ( !isset( $_SERVER[ 'PATH_INFO' ] ) && isset( $_SERVER[ 'ORIG_PATH_INFO' ] ) ) {
	$_SERVER[ 'PATH_INFO' ] = $_SERVER[ 'ORIG_PATH_INFO' ];
	}
	// Some IIS + PHP configurations puts the script-name in the path-info (No need to append it twice)
	if ( isset( $_SERVER[ 'PATH_INFO' ] ) ) {
	if ( $_SERVER[ 'PATH_INFO' ] == $_SERVER[ 'SCRIPT_NAME' ] ) {
	$_SERVER[ 'REQUEST_URI' ] = $_SERVER[ 'PATH_INFO' ];
	}
	else {
	$_SERVER[ 'REQUEST_URI' ] = $_SERVER[ 'SCRIPT_NAME' ].$_SERVER[ 'PATH_INFO' ];
	}
	}
	// Append the query string if it exists and isn't null
	if ( !empty( $_SERVER[ 'QUERY_STRING' ] ) ) {
	$_SERVER[ 'REQUEST_URI' ] .= '?'.$_SERVER[ 'QUERY_STRING' ];
	}
	}
	}
	}

[LeoColomb]

The less it relies on host env and the more it relies on http requests parameters, the better it's going to be for Docker usage.
So far I can't see how your suggestion can degrade anything for Docker usage. 😊

[dgw]

Is there a reason to use $_REQUEST instead of the more specific arrays? If the code is always looking for a GET var, for example, why not have it look in $_GET?

[ozh]

@dgw sometimes the same code can be used under GET or POST, so I took the lazy way

[dgw]

To me, that makes a case for tightening up which request methods are allowed for each function/endpoint, but… yeah, I get it. Overriding $_REQUEST at least prevents unintentional crossover now and it's still possible to decide to make accesses more specific in a later refactor. Or maybe v2 will just make it all go away. (@LeoColomb? 😹)

[LeoColomb]

Or maybe v2 will just make it all go away. (@LeoColomb? 😹)

It certainly will! 😄
Did you give it a try?

---

I agree with the rest. 🙂

[NoxInmortus]

Hello! Any estimation on this ?
Thanks