Log message:
Invalid argument supplied for foreach() in .../sites/all/modules/amazon_store/amazon_store.module on line 1073.

Location:
http://example.com.com/amazon_store/item/sites/all/modules/amazon_store/...
Referrer: http://www.aspiringarchitects.com/amazon_store/item/B002BDVUGM

Comments

iva2k’s picture

Title: nvalid argument supplied for foreach() in .../sites/all/modules/amazon_store/amazon_store.module on line 1073. » Invalid argument supplied for foreach() in .../sites/all/modules/amazon_store/amazon_store.module on line 1073.

This seems to go away once I applied patch #3 from #492460: Bad image path for shopping_cart.png, however I believe code in question still needs to be refined to avoid potential security risks.

rfay’s picture

Status: Active » Postponed (maintainer needs more info)

If you have a security concern, please be specific.

If you know how to demonstrate this error so it can be debugged, please say how.

iva2k’s picture

Status: Postponed (maintainer needs more info) » Active

I said "potential security risks"... note I did not raise it to critical, and if I found security issues, I would post to drupal security.

The point was that outside HTTP request with .../amazon_store/item/... URL triggers log message from PHP error. To demonstrate it, just give it the URL from the bug report: http: //example.com/amazon_store/item/sites/all/modules/amazon_store/images/1stars.gif. The errors were actually happening in drones just by browsing the store before I rolled the patch in #492460, since these requests were generated by the pages.

I felt it might be a potential door. I was taught to never trust outside data, and throwing errors on outside data smells like a security threat.

Upon closer inspection I confirmed that input to _amazon_store_iterate_offers() can be spoofed by an outside attacker using URL /amazon_store/items/... and DNS injection (there is an http request to amazon going out as a result, which can be intercepted and replaced). However, in 10 minutes I had I can't come up with an attack on the code in _amazon_store_iterate_offers() - it does not seem to have glaring security issues, but it does not prove there isn't.

As a precaution and to remove log pollution, I would change:

  foreach ($offers->Offer as $offer) {

to

  if (is_object($offers) && isset($offers->Offer)) foreach ($offers->Offer as $offer) {
rfay’s picture

Status: Active » Fixed

Thanks, I did take your advice on this.

Per #510980: Show friendly error message if user lands on amazon_store/item/XXX and it is no longer available from Amazon.com I'm going to try to improve behavior in general in this type of circumstance.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.