Request was forged after upgrade to PHP 8.1


Beluga

I upgraded my Arch Linux (from PHP 7.4 era) and manually updated to PW 3.0.184 (including index.php). Now I can't log in.

#0 /var/www/mysite/pw/wire/modules/Inputfield/InputfieldForm.module(186): ProcessWire\SessionCSRF->validate()
#1 /var/www/mysite/pw/wire/core/Wire.php(417): ProcessWire\InputfieldForm->___processInput(Object(ProcessWire\WireInputData))
#2 /var/www/mysite/pw/wire/core/WireHooks.php(951): ProcessWire\Wire->_callMethod('___processInput', Array)
#3 /var/www/mysite/pw/wire/core/Wire.php(485): ProcessWire\WireHooks->runHooks(Object(ProcessWire\InputfieldForm), 'processInput', Array)
#4 /var/www/mysite/pw/wire/modules/Process/ProcessLogin/ProcessLogin.module(364): ProcessWire\Wire->__call('processInput', Array)
#5 /var/www/mysite/pw/wire/core/Wire.php(414): ProcessWire\ProcessLogin->___execute()
#6 /var/www/mysite/pw/wire/core/WireHooks.php(951): ProcessWire\Wire->_callMethod('___execute', Array)
#7 /var/www/mysite/pw/wire/core/Wire.php(485): ProcessWire\WireHooks->runHooks(Object(ProcessWire\ProcessLogin), 'execute', Array)
#8 /var/www/mysite/pw/wire/core/ProcessController.php(337): ProcessWire\Wire->__call('execute', Array)
#9 /var/www/mysite/pw/wire/core/Wire.php(414): ProcessWire\ProcessController->___execute()
#10 /var/www/mysite/pw/wire/core/WireHooks.php(951): ProcessWire\Wire->_callMethod('___execute', Array)
#11 /var/www/mysite/pw/wire/core/Wire.php(485): ProcessWire\WireHooks->runHooks(Object(ProcessWire\ProcessController), 'execute', Array)
#12 /var/www/mysite/pw/wire/core/admin.php(160): ProcessWire\Wire->__call('execute', Array)
#13 /var/www/mysite/pw/wire/modules/AdminTheme/AdminThemeDefault/controller.php(13): require('/var/www/mysite...')
#14 /var/www/mysite/pw/site/assets/cache/FileCompiler/site/templates/admin.php(15): require('/var/www/mysite...')
#15 /var/www/mysite/pw/wire/core/TemplateFile.php(327): require('/var/www/mysite...')
#16 /var/www/mysite/pw/wire/core/Wire.php(414): ProcessWire\TemplateFile->___render()
#17 /var/www/mysite/pw/wire/core/WireHooks.php(951): ProcessWire\Wire->_callMethod('___render', Array)
#18 /var/www/mysite/pw/wire/core/Wire.php(485): ProcessWire\WireHooks->runHooks(Object(ProcessWire\TemplateFile), 'render', Array)
#19 /var/www/mysite/pw/wire/modules/PageRender.module(554): ProcessWire\Wire->__call('render', Array)
#20 /var/www/mysite/pw/wire/core/Wire.php(417): ProcessWire\PageRender->___renderPage(Object(ProcessWire\HookEvent))
#21 /var/www/mysite/pw/wire/core/WireHooks.php(951): ProcessWire\Wire->_callMethod('___renderPage', Array)
#22 /var/www/mysite/pw/wire/core/Wire.php(485): ProcessWire\WireHooks->runHooks(Object(ProcessWire\PageRender), 'renderPage', Array)
#23 /var/www/mysite/pw/wire/core/WireHooks.php(1059): ProcessWire\Wire->__call('renderPage', Array)
#24 /var/www/mysite/pw/wire/core/Wire.php(485): ProcessWire\WireHooks->runHooks(Object(ProcessWire\Page), 'render', Array)
#25 /var/www/mysite/pw/wire/modules/Process/ProcessPageView.module(225): ProcessWire\Wire->__call('render', Array)
#26 /var/www/mysite/pw/wire/modules/Process/ProcessPageView.module(171): ProcessWire\ProcessPageView->renderPage(Object(ProcessWire\Page))
#27 /var/www/mysite/pw/wire/core/Wire.php(417): ProcessWire\ProcessPageView->___execute(true)
#28 /var/www/mysite/pw/wire/core/WireHooks.php(951): ProcessWire\Wire->_callMethod('___execute', Array)
#29 /var/www/mysite/pw/wire/core/Wire.php(485): ProcessWire\WireHooks->runHooks(Object(ProcessWire\ProcessPageView), 'execute', Array)
#30 /var/www/mysite/pw/index.php(55): ProcessWire\Wire->__call('execute', Array)
#31 {main}

If I add these to site/config.php

$config->protectCSRF = false;
$config->sessionChallenge = false;
$config->sessionFingerprint = false;

I get

Fatal error: Uncaught Error: Class "ProcessWire\WireHttp" not found in /var/www/mysite/pw/wire/core/WireShutdown.php:396 Stack trace: #0 /var/www/mysite/pw/wire/core/WireShutdown.php(581): ProcessWire\WireShutdown->sendFatalHeader() #1 [internal function]: ProcessWire\WireShutdown->shutdown() #2 {main} thrown in /var/www/mysite/pw/wire/core/WireShutdown.php on line 396

What to try next?

session.save_path is /tmp

php-fpm and Caddy are in use.

FileCompiler and session caches have been deleted.

Cookies have been cleared.

I also had to delete WireMailSmtp module due to

Compile Error: Declaration of WireMailSmtp::attachment($filename) must be compatible with WireMail::attachment($value, $filename = '') (line 557 of site/modules/WireMailSmtp/WireMailSmtp.module)

but now it keeps haunting me with the same error, if I try to log in with those CSRF config changes.


What could help here are the PHP logs. From experience, when you do an upgrade after verifying compatibilities, issues can arise from access permissions.

 

1. empty manually the mysql table session_login_throttle

2. get php version (php8 got patched last month, addressing an issue in session serialization, might not be related)

php -v
... paste output
php -m
... paste output (you should check that every mod required by processwire is installed)

3. reload caddy 

sudo systemctl reload caddy

4. verify php-fpm

sudo systemctl status php8.1-fpm
... paste output

5. check the logs

cat /var/log/fpm-php.log
... paste output

 

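The access-permission check suggested in the reply above, as an added example that is not part of the original thread: it reads `stat` output and lists the directories a given user cannot create files in. The `http` user is the compiled-in FPM default shown in the phpinfo output posted later in the thread (assumed to be the pool user), and the mode and ownership values in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): which directories can the PHP-FPM
# user create files in? Input lines are "PATH MODE OWNER GROUP", i.e. the
# output of:
#   stat -c '%n %a %U %G' /tmp /var/www/mysite/pw/site/assets/cache

# can_write MODE OWNER GROUP USER "USER_GROUPS"
# Succeeds if USER may create files in a directory with these attributes.
# Creating a file needs write AND search (x) permission on the directory.
# ACLs, mount options and service sandboxing are not considered.
can_write() {
    m=$(printf '%s' "000$1" | tail -c 3)  # drop sticky/setgid digit, pad short modes
    u=${m%??}; o=${m#??}; g=${m#?}; g=${g%?}
    if [ "$4" = "$2" ]; then
        bit=$u                            # owner bits apply even if group/other are looser
    else
        case " $5 " in
            *" $3 "*) bit=$g ;;           # user is a member of the owning group
            *)        bit=$o ;;
        esac
    fi
    [ $(( $bit & 3 )) -eq 3 ]
}

# audit_paths USER "USER_GROUPS" < stat-lines
# Prints every path that USER cannot create files in, one per line.
audit_paths() {
    while read -r p mode owner group; do
        can_write "$mode" "$owner" "$group" "$1" "$2" || printf '%s\n' "$p"
    done
}

# Constructed sample: a cache directory recreated by root after being
# deleted, next to a world-writable sticky /tmp.
SAMPLE='/tmp 1777 root root
/var/www/mysite/pw/site/assets/cache 755 root root'

printf '%s\n' "$SAMPLE" | audit_paths http http
```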

Thanks for the help.

Quote

1. empty manually the mysql table session_login_throttle

USE mydb;
TRUNCATE session_login_throttle;
Query OK, 0 rows affected (0.003 sec)

Quote

2. get php version

PHP 8.1.2 (cli) (built: Jan 19 2022 17:12:32) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.2, Copyright (c) Zend Technologies
   with Zend OPcache v8.1.2, Copyright (c), by Zend Technologies
[PHP Modules]
Core
ctype
curl
date
dom
exif
fileinfo
filter
gd
hash
iconv
intl
json
libxml
mbstring
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
Phar
posix
readline
Reflection
session
SimpleXML
SPL
standard
tokenizer
xml
xmlreader
xmlwriter
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache

Caddy server was reloaded.

Quote

4. verify php-fpm

● php-fpm.service - The PHP FastCGI Process Manager
    Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; enabled; vendor preset: disabled)
    Active: active (running) since Tue 2022-02-08 08:55:17 EET; 4h 16min ago
  Main PID: 316 (php-fpm)
    Status: "Processes active: 0, idle: 9, Requests: 138, slow: 0, Traffic: 0req/sec"
     Tasks: 10 (limit: 4664)
    Memory: 188.3M
       CPU: 1min 6.779s
    CGroup: /system.slice/php-fpm.service
            ├─   316 "php-fpm: master process (/etc/php/php-fpm.conf)"
            ├─   534 "php-fpm: pool www"
            ├─   535 "php-fpm: pool www"
            ├─   536 "php-fpm: pool www"
            ├─   537 "php-fpm: pool www"
            ├─   538 "php-fpm: pool www"
            ├─   539 "php-fpm: pool www"
            ├─   540 "php-fpm: pool www"
            ├─   541 "php-fpm: pool www"
            └─138176 "php-fpm: pool www"

Quote

5. check the logs

[08-Feb-2022 08:54:19] NOTICE: Terminating ...
[08-Feb-2022 08:54:20] NOTICE: exiting, bye-bye!
[08-Feb-2022 08:55:17] NOTICE: fpm is running, pid 316
[08-Feb-2022 08:55:17] NOTICE: ready to handle connections
[08-Feb-2022 08:55:17] NOTICE: systemd monitor interval set to 10000ms

3 hours ago, flydev said:

I missed the point you are using caddy. You can also show us the webserver error.log, php.log and an output of phpinfo().

I'll have to look into the error stuff later as I don't have it figured out with Caddy.

Here is the beginning of phpinfo with what I think are the interesting bits:

 

System Linux ns380372 5.16.7-arch1-1 #1 SMP PREEMPT Sun, 06 Feb 2022 16:47:29 +0000 x86_64
Build Date Jan 19 2022 17:12:32
Build System Linux pierre 5.16.1-arch1-1 #1 SMP PREEMPT Sun, 16 Jan 2022 11:39:23 +0000 x86_64 GNU/Linux
Configure Command './configure' '--srcdir=../php-8.1.2' '--config-cache' '--prefix=/usr' '--sbindir=/usr/bin' '--sysconfdir=/etc/php' '--localstatedir=/var' '--with-layout=GNU' '--with-config-file-path=/etc/php' '--with-config-file-scan-dir=/etc/php/conf.d' '--disable-rpath' '--mandir=/usr/share/man' '--disable-gcc-global-regs' '--enable-cgi' '--enable-fpm' '--with-fpm-systemd' '--with-fpm-acl' '--with-fpm-user=http' '--with-fpm-group=http' '--enable-embed=shared' '--enable-bcmath=shared' '--enable-calendar=shared' '--enable-dba=shared' '--enable-exif=shared' '--enable-ftp=shared' '--enable-gd=shared' '--enable-intl=shared' '--enable-mbstring' '--enable-pcntl' '--enable-shmop=shared' '--enable-soap=shared' '--enable-sockets=shared' '--enable-sysvmsg=shared' '--enable-sysvsem=shared' '--enable-sysvshm=shared' '--with-bz2=shared' '--with-curl=shared' '--with-db4=/usr' '--with-enchant=shared' '--with-external-gd' '--with-external-pcre' '--with-ffi=shared' '--with-gdbm' '--with-gettext=shared' '--with-gmp=shared' '--with-iconv=shared' '--with-imap-ssl' '--with-imap=shared' '--with-kerberos' '--with-ldap=shared' '--with-ldap-sasl' '--with-mhash' '--with-mysql-sock=/run/mysqld/mysqld.sock' '--with-mysqli=shared,mysqlnd' '--with-openssl' '--with-password-argon2' '--with-pdo-dblib=shared,/usr' '--with-pdo-mysql=shared,mysqlnd' '--with-pdo-odbc=shared,unixODBC,/usr' '--with-pdo-pgsql=shared' '--with-pdo-sqlite=shared' '--with-pgsql=shared' '--with-pspell=shared' '--with-readline' '--with-snmp=shared' '--with-sodium=shared' '--with-sqlite3=shared' '--with-tidy=shared' '--with-unixODBC=shared' '--with-xsl=shared' '--with-zip=shared' '--with-zlib' 'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -flto' 'CXXFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection 
-fcf-protection -Wp,-D_GLIBCXX_ASSERTIONS -flto'
Server API FPM/FastCGI
Virtual Directory Support disabled
Configuration File (php.ini) Path /etc/php
Loaded Configuration File /etc/php/php.ini
Scan this dir for additional .ini files /etc/php/conf.d
Additional .ini files parsed /etc/php/conf.d/imagick.ini
PHP API 20210902
PHP Extension 20210902
Zend Extension 420210902
Zend Extension Build API420210902,NTS
PHP Extension Build API20210902,NTS
Debug Build no
Thread Safety disabled
Zend Signal Handling enabled
Zend Memory Manager enabled
Zend Multibyte Support provided by mbstring
IPv6 Support enabled
DTrace Support disabled
Registered PHP Streams https, ftps, compress.zlib, php, file, glob, data, http, ftp, phar, zip
Registered Stream Socket Transports tcp, udp, unix, udg, ssl, tls, tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3
Registered Stream Filters zlib.*, string.rot13, string.toupper, string.tolower, convert.*, consumed, dechunk, convert.iconv.*
This program makes use of the Zend Scripting Language Engine:
Zend Engine v4.1.2, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.2, Copyright (c), by Zend Technologies

Configuration

cgi-fcgi

php-fpm active
Directive Local Value Master Value
cgi.discard_path Off Off
cgi.fix_pathinfo Off Off
cgi.force_redirect On On
cgi.nph Off Off
cgi.redirect_status_env no value no value
cgi.rfc2616_headers Off Off
fastcgi.error_header no value no value
fastcgi.logging On On
fpm.config no value no value

Core

PHP Version 8.1.2
Directive Local Value Master Value
allow_url_fopen On On
allow_url_include Off Off
arg_separator.input & &
arg_separator.output & &
auto_append_file no value no value
auto_globals_jit On On
auto_prepend_file no value no value
browscap no value no value
default_charset UTF-8 UTF-8
default_mimetype text/html text/html
disable_classes no value no value
disable_functions no value no value
display_errors Off Off
display_startup_errors Off Off
doc_root no value no value
docref_ext no value no value
docref_root no value no value
enable_dl Off Off
enable_post_data_reading On On
error_append_string no value no value
error_log no value no value
error_prepend_string no value no value
error_reporting 32767 22527
expose_php On On
extension_dir /usr/lib/php/modules/ /usr/lib/php/modules/
fiber.stack_size no value no value
file_uploads On On
hard_timeout 2 2
highlight.comment #FF8000 #FF8000
highlight.default #0000BB #0000BB
highlight.html #000000 #000000
highlight.keyword #007700 #007700
highlight.string #DD0000 #DD0000
html_errors On On
ignore_repeated_errors Off Off
ignore_repeated_source Off Off
ignore_user_abort Off Off
implicit_flush Off Off
include_path .: .:
input_encoding no value no value
internal_encoding no value no value
log_errors On On
mail.add_x_header On On
mail.force_extra_parameters no value no value
mail.log no value no value
max_execution_time 10000 10000
max_file_uploads 1 1
max_input_nesting_level 64 64
max_input_time -1 -1
max_input_vars 1000 1000
memory_limit 4096M 4096M
open_basedir no value no value
output_buffering 4096 4096
output_encoding no value no value
output_handler no value no value
post_max_size 3000M 3000M
precision 14 14
realpath_cache_size 4096K 4096K
realpath_cache_ttl 120 120
register_argc_argv Off Off
report_memleaks On On
report_zend_debug Off Off
request_order GP GP
sendmail_from no value no value
sendmail_path /usr/sbin/sendmail -t -i /usr/sbin/sendmail -t -i
serialize_precision 17 17
short_open_tag On On
SMTP localhost localhost
smtp_port 25 25
sys_temp_dir no value no value
syslog.facility LOG_USER LOG_USER
syslog.filter no-ctrl no-ctrl
syslog.ident php php
unserialize_callback_func no value no value
upload_max_filesize 2048M 2048M
upload_tmp_dir no value no value
user_dir no value no value
user_ini.cache_ttl 300 300
user_ini.filename .user.ini .user.ini
variables_order GPCS GPCS
xmlrpc_error_number 0 0
xmlrpc_errors Off Off
zend.assertions -1 -1
zend.detect_unicode On On
zend.enable_gc On On
zend.exception_ignore_args Off Off
zend.exception_string_param_max_len 15 15
zend.multibyte Off Off
zend.script_encoding no value no value
zend.signal_check Off Off

ctype

ctype functions enabled

 

 