| Summary: | [Chameleon]Use of "Query" widget generates a PHP fatal error | | |
|---|---|---|---|
| Product: | Chameleon | Reporter: | Normand Savard <nsavard@mapgears.com> |
| Component: | Core | Assignee: | chameleon-dev <chameleon-dev@lists.maptools.org> |
| Status: | CLOSED FIXED | | |
| Severity: | critical | | |
| Priority: | P2 | | |
| Version: | 1.99 | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | Linux | | |
| Whiteboard: | | | |

This happens under very specific circumstances: in cwc2.xml set web_server_path to http://<ipaddress>/... then access apps via http://localhost/... Accessing via http://<ipaddress>/.. is okay, so is setting web_server_path to /... (no http://<ipaddress>). The error in QueryResults refers to the MLT object that *should* have been created. Investigating further.
Accessing via http://<ipaddress>/ is working but it generates an Apache error (see below). Apache error: [Tue May 18 15:38:24 2004] [error] [client 192.168.4.101] File does not exist: /var/www/html/nsavard/chameleon_beta/widgets/images, referer: http://192.168.4.101/nsavard/chameleon_beta/widgets/Query/QueryResults.phtml? sid=40aa60d93c82f&RADIUS=3&FEATURE_COUNT=5& include_empty=true&NAV_INPUT_COORDINATES=260,84
A bit more info: even though the app is accessed as http://localhost/... the URL used to launch the query popup is http://<ipaddress>/... which I think is causing the session to invalidate because the IP address is different from the one that started it.
Fix applied to php_utils/src/session/session.php. The code now explicitly tests to see if the app was started from 127.0.0.1 and won't refuse to open the session if the IP address is different. I assume that this does open a security hole for hackers that try to steal sessions from people who are accessing apps running on localhost, but in general this should not be the case on servers and should only happen to people who are testing before deploying.
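The session check described in the comment above, sketched as an added example (this is not the code in php_utils/src/session/session.php; the function names and the server address list are assumptions). It compares strict IP binding, the 127.0.0.1 exemption as described, and a narrower variant that accepts a loopback-started session only from one of the server's own addresses.

```php
<?php
// Added example; all names are hypothetical, not taken from session.php.

const LOOPBACK = '127.0.0.1';

/** Strict binding: the session is valid only from the address that started it. */
function ipMatchesStrict(string $startIp, string $clientIp): bool
{
    return $startIp === $clientIp;
}

/** Exemption as the comment describes it: a session started from
 *  127.0.0.1 is accepted from any client address. */
function ipMatchesLoopbackExempt(string $startIp, string $clientIp): bool
{
    return $startIp === LOOPBACK || $startIp === $clientIp;
}

/** Narrower variant (assumption): a loopback-started session is also accepted
 *  from the server's own addresses, which covers a browser on the server
 *  following an http://<ipaddress>/ link, but not other machines. */
function ipMatchesSameHost(string $startIp, string $clientIp, array $serverIps): bool
{
    if ($startIp === $clientIp) {
        return true;
    }
    return $startIp === LOOPBACK && in_array($clientIp, $serverIps, true);
}

// Constructed sample data: 192.168.4.101 is treated as the server's own
// address, 192.168.4.55 as a different machine on the network.
$serverIps = ['192.168.4.101'];
$cases = [
    ['127.0.0.1', '127.0.0.1'],         // same address throughout
    ['127.0.0.1', '192.168.4.101'],     // popup opened via the server's own IP
    ['127.0.0.1', '192.168.4.55'],      // session id presented by another machine
    ['192.168.4.101', '192.168.4.55'],  // non-loopback session, different client
];

foreach ($cases as [$start, $client]) {
    printf(
        "%-15s -> %-15s strict=%-5s exempt=%-5s same-host=%s\n",
        $start,
        $client,
        var_export(ipMatchesStrict($start, $client), true),
        var_export(ipMatchesLoopbackExempt($start, $client), true),
        var_export(ipMatchesSameHost($start, $client, $serverIps), true)
    );
}
```

The third case is the one the comment is concerned about: the exemption accepts it, while the same-host variant rejects it and still allows the localhost-to-own-IP popup from the second case.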
Verified on Linux.
Verified on Windows. Closed.