Bug 373 – [Chameleon]Use of "Query" widget generates a PHP fatal error

Bug 373 - [Chameleon]Use of "Query" widget generates a PHP fatal error

Summary:

[Chameleon]Use of "Query" widget generates a PHP fatal error

Status:	CLOSED FIXED

Product:	Chameleon
Component:	Core
Version:	1.99
Platform:	PC Linux

Importance:	P2 critical
Target Milestone:	---
Assigned To:	chameleon-dev

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2004-05-07 15:50 by Normand Savard
Modified:	2004-05-26 09:56 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Normand Savard 2004-05-07 15:50:56

Use of "Query" widget generates a PHP fatal error

A PHP error is generated when executing a Query on the "sample_basic.phtml"
(select Sample using multi-state buttons" link) template.

Steps to reproduce:

1.  Load the template
2.  Click on "Identify Feature"
3.  Click on the map preview near Ottawa
4.  PHP error comes out.

Fedora Core 1
Mozilla 1.6
Chameleon tarball 20040506

-----------------------
PHP error:
[07-May-2004 15:40:17] PHP Fatal error:  Call to a member function on a
non-object in
/home/nsavard/proj/chameleon_cvs/htdocs/widgets/Query/QueryResults.phtml on line 465

------- Comment #1 From Paul Spencer 2004-05-18 15:27:35 -------

this happens under very specific circumstances:

in cwc2.xml set web_server_path to http://<ipadress>/...

then access apps via http://localhost/...

accessing via http://<ipaddress>/.. is okay, so is setting web_server_path to
/... (no http://<ipaddress>)

The error in QueryResults refers to the MLT object that *should* have been
created.  Investigating further.

------- Comment #2 From Normand Savard 2004-05-18 15:41:56 -------

accessing via http://<ipaddress>/ is working but it generates an Apache error
(see below).


Apache error:

[Tue May 18 15:38:24 2004] [error] [client 192.168.4.101] File does not exist:
/var/www/html/nsavard/chameleon_beta/widgets/images, referer:
http://192.168.4.101/nsavard/chameleon_beta/widgets/Query/QueryResults.phtml?
sid=40aa60d93c82f&RADIUS=3&FEATURE_COUNT=5&
include_empty=true&NAV_INPUT_COORDINATES=260,84

------- Comment #3 From Paul Spencer 2004-05-18 15:47:24 -------

a bit more info:

even though the app is accessed as http://localhost/... the url used to launch
the query popup is http://<ipaddress>/... which I think is causing the session
to invalidate because the IP address is different from the one that started it.

------- Comment #4 From Paul Spencer 2004-05-18 16:15:23 -------

fix applied to php_utils/src/session/session.php.  The code now explicitly tests
to see if the app was started from 127.0.0.1 and won't refuse to open the
session if the ipadress is different.  I assume that this does open a security
hole for hackers that try to steal sessions from people who are accessing apps
running on localhost, but in general this should not be the case on servers and
should only happen to people who are testing before deploying.

------- Comment #5 From Normand Savard 2004-05-26 09:28:32 -------

Verified on Linux.

------- Comment #6 From Darren Redfern 2004-05-26 09:56:04 -------

Verified on Windows. Closed.