Task force TalkChess access

[flok]

I have not had a single '403 Forbidden' error on talkchess.com today, which is very unusual, as these past months I could virtually never connect. But I discovered something interesting. I took a look in the board's 'admin log', which lists the IP addresses from which the admin connects. This would obviously only be IP addresses that were not blocked. The interesting thing is that they are all different.

Since we are using CloudFlare as a proxy, I assume that all these IP addresses are form the CloudFlare server.

Never assume; run them through a 'whois' client.

At least 141.101.104.143 is cloudflare.

[hgm]

I managed to locate the PHP error log. It says

[Tue Sep 14 17:51:01.018714 2021] [php7:error] [pid 187669] [client 31.151.66.189:55094] PHP Fatal error: Uncaught Symfony\\Component\\DependencyInjection\\Exception\\ServiceNotFoundException: You have requested a non-existent service "derky.sortablescaptcha.captcha.sortables". in /var/www/html/tc/vendor/symfony/dependency-injection/Container.php:348\nStack trace:\n#0 /var/www/html/tc/phpbb/captcha/factory.php(48): Symfony\\Component\\DependencyInjection\\Container->get()\n#1 /var/www/html/tc/includes/acp/acp_captcha.php(157): phpbb\\captcha\\factory->get_instance()\n#2 /var/www/html/tc/includes/functions_module.php(676): acp_captcha->main()\n#3 /var/www/html/tc/adm/index.php(81): p_master->load_active()\n#4 {main}\n thrown in /var/www/html/tc/vendor/symfony/dependency-injection/Container.php on line 348, referer: http://212.114.109.12/tc/adm/index.php? ... 1bc1d52efc

Indeed /ext/derky/* is where I istalled the sortables captcha (compared to the phpBB root). So I suppose this is relevant.

[Guenther]

I managed to locate the PHP error log. It says

[Tue Sep 14 17:51:01.018714 2021] [php7:error] [pid 187669] [client 31.151.66.189:55094] PHP Fatal error: Uncaught Symfony\\Component\\DependencyInjection\\Exception\\ServiceNotFoundException: You have requested a non-existent service "derky.sortablescaptcha.captcha.sortables". in /var/www/html/tc/vendor/symfony/dependency-injection/Container.php:348\nStack trace:\n#0 /var/www/html/tc/phpbb/captcha/factory.php(48): Symfony\\Component\\DependencyInjection\\Container->get()\n#1 /var/www/html/tc/includes/acp/acp_captcha.php(157): phpbb\\captcha\\factory->get_instance()\n#2 /var/www/html/tc/includes/functions_module.php(676): acp_captcha->main()\n#3 /var/www/html/tc/adm/index.php(81): p_master->load_active()\n#4 {main}\n thrown in /var/www/html/tc/vendor/symfony/dependency-injection/Container.php on line 348, referer: http://212.114.109.12/tc/adm/index.php? ... 1bc1d52efc

Indeed /ext/derky/* is where I istalled the sortables captcha (compared to the phpBB root). So I suppose this is relevant.

https://www.phpbb.com/community/viewtopic.php?t=2408896

[hgm]

OK, this problem is solved now. The final step to make it work was disable the sortables captcha in the extensions manager, and then enable it again. There might have been another problem that contributed (which I had solved before), which was that I had forgotten to transfer ownership of the captcha files from root to www-data after installing the files.

[hgm]

The only remaining problem I am aware of now is that the polls still do not work. So I would like to debug that.

What I could figure out so far is that topics that contain a poll display this poll as a HTML 'form' containing some radio button 'input' elements, and a 'submit' button:

Code: Select all

<form method="post" action="./viewtopic.php?f=2&t=78124" data-ajax="vote_poll" data-refresh="true" class="topic_poll">

	<div class="panel">
		<div class="inner">

		<div class="content">
			<h2 class="poll-title">How do you think this forum works</h2>
			<p class="author"><span class="poll_max_votes">You may select <strong>1</strong> option</span></p>

			<fieldset class="polls">
											<dl class="" data-alt-text="You voted for this option" data-poll-option-id="1">
					<dt><label for="vote_1">Great</label></dt>
					<dd style="width: auto;" class="poll_option_select"><input type="radio" name="vote_id[]" id="vote_1" value="1" /></dd>					<dd class="resultbar hidden"><div class="pollbar1" style="width:0%;">0</div></dd>
					<dd class="poll_option_percent hidden">No votes</dd>
				</dl>
															<dl class=" most-votes" data-alt-text="You voted for this option" data-poll-option-id="2">
					<dt><label for="vote_2">OK</label></dt>
					<dd style="width: auto;" class="poll_option_select"><input type="radio" name="vote_id[]" id="vote_2" value="2" /></dd>					<dd class="resultbar hidden"><div class="pollbar3" style="width:100%;">1</div></dd>
					<dd class="poll_option_percent hidden">50%</dd>
				</dl>
															<dl class=" most-votes" data-alt-text="You voted for this option" data-poll-option-id="3">
					<dt><label for="vote_3">So So</label></dt>
					<dd style="width: auto;" class="poll_option_select"><input type="radio" name="vote_id[]" id="vote_3" value="3" /></dd>					<dd class="resultbar hidden"><div class="pollbar3" style="width:100%;">1</div></dd>
					<dd class="poll_option_percent hidden">50%</dd>
				</dl>
															<dl class="" data-alt-text="You voted for this option" data-poll-option-id="4">
					<dt><label for="vote_4">Poorly</label></dt>
					<dd style="width: auto;" class="poll_option_select"><input type="radio" name="vote_id[]" id="vote_4" value="4" /></dd>					<dd class="resultbar hidden"><div class="pollbar1" style="width:0%;">0</div></dd>
					<dd class="poll_option_percent hidden">No votes</dd>
				</dl>
															<dl class="" data-alt-text="You voted for this option" data-poll-option-id="5">
					<dt><label for="vote_5">Disastrous</label></dt>
					<dd style="width: auto;" class="poll_option_select"><input type="radio" name="vote_id[]" id="vote_5" value="5" /></dd>					<dd class="resultbar hidden"><div class="pollbar1" style="width:0%;">0</div></dd>
					<dd class="poll_option_percent hidden">No votes</dd>
				</dl>
							
				<dl class="poll_total_votes hidden">
					<dt> </dt>
					<dd class="resultbar">Total votes: <span class="poll_total_vote_cnt">2</span></dd>
				</dl>

							<dl style="border-top: none;" class="poll_vote">
					<dt> </dt>
					<dd class="resultbar"><input type="submit" name="update" value="Submit vote" class="button1" /></dd>
				</dl>
			
							<dl style="border-top: none;" class="poll_view_results">
					<dt> </dt>
					<dd class="resultbar"><a href="./viewtopic.php?f=2&t=78124&view=viewpoll">View results</a></dd>
				</dl>
						</fieldset>
			<div class="vote-submitted hidden">Your vote has been cast.</div>
		</div>

		</div>
		<input type="hidden" name="creation_time" value="1631692725" />
<input type="hidden" name="form_token" value="97a1e07fdb3d1b759d10ce475c71cd607a9bffe4" />

		
	</div>

	</form>

The form 'action' (presumably triggered by pressing the submit button) uses the same URL as for the page that displayed the poll, but can probably be recognized from the fact that it uses a POST method to access the server, rather than the normal GET. This should trigger the PHP script it invokes (viewtopic.php) into processing the vote. This apparently doesn't always work.

Now the problem is that I don't speak PHP. So I could use the help of someone who does, in order to suggest where I could slip in some statements that would provide debug output in this viewtopic.php script, to diagnose what is going on. This script can be seen at https://github.com/phpbb/phpbb/blob/mas ... wtopic.php .

[smatovic]

You can print arrays and variables with

print_r($var);

in PHP.

Maybe some database flags in the user|group|acl ('f_poll' flag) are broken by updates in the past?

--
Srdja

[hgm]

But where would that be printed? In some file on the server? Or would it be sent to the client? And do you have any idea which section of viewtopic.php is responsible for processing the vote?

[smatovic]

But where would that be printed? In some file on the server? Or would it be sent to the client? And do you have any idea which section of viewtopic.php is responsible for processing the vote?

As long as the print_r comes after the http header it will printed by PHP into the HTML document, somewhere on the screen. Maybe put an

echo "my debug:";

before the print_r to find it.

If you are in mixed HTML and PHP mode you can use:

<?php

echo "my debug:";
print_r($var);

?>

I guess it is an database flag issue, cos some users can vote, some not, hence the scripts themselves seem to work. I will take a look into v3.3.4 and maybe figure some SQL commands for you to check if a user has the right to poll - just guessing.

--
Srdja

[smatovic]

But where would that be printed? In some file on the server? Or would it be sent to the client? And do you have any idea which section of viewtopic.php is responsible for processing the vote?

As long as the print_r comes after the http header it will printed by PHP into the HTML document, somewhere on the screen. Maybe put an

echo "my debug:";

before the print_r to find it.

If you are in mixed HTML and PHP mode you can use:

<?php

echo "my debug:";
print_r($var);

?>

I guess it is an database flag issue, cos some users can vote, some not, hence the scripts themselves seem to work. I will take a look into v3.3.4 and maybe figure some SQL commands for you to check if a user has the right to poll - just guessing.

--
Srdja

The users seem to have the right to vote according to viewtopic.php $s_can_vote defined in line 907, hence I should debug how the vote is piped through the scripts into the database, but according to Ed's recent posting Quentin seems not ok with the clone, so I will stop working on it for now until there is some kind of agreement between the founders resp. green light from Quentin.

--
Srdja

[hgm]

Well, Ed's fake news is doing a lot of damage. In fact Quentin has no objection at all against the TalkChess poll function getting fixed. And it makes absolutely no sense that he should.

BTW, looking at the code I noticed there is a variable $update, which is used in conjuction with $s_can_vote to decide whether the code for updating the vote counts should be executed. It seems to be initialized from a CGI argument, defaulting to false. When I append "&update=true" to the URL for showing the poll, indeed something happens: I don't get to see the poll. Instead I get an error page that complains no options were ticked. Which is no doubt a consequence of that I wasn't really submitting a form (so no values for voted_id).

It this a standard CGI parameter that always gets set to true by the browser whenever you submit a form? I notice that the 'action' that is specified for the form (shown in an earlier posting) is an URL that doesn't contain the update=true parameter. Can this be the cause of the problem? Note that the shown HTML is just the page source of the page that was shown to me; other people might see a page that does have the update=true in the action, and these would then be able to vote. If this is the case, we would have to look at the script that prepares this page. (Which also is viewtopic.php, but a different section of code.)