$_REQUEST gathers unwanted information from other apps setting domain-wide cookies

[WillyPs]

I have a WikkaWiki 1.1.6.4 setup on the same domain as a blog, the blog (nucleus cms) sets a cookie named 'user', content is 'Shirl' (my wife's user name on the blog). Wikka reads this and appends it to the messages produced by the RecentComments and the RecentlyCommented actions. So the message becomes 'There are no recently commented pages by Shirl.', even though there are in fact recently commented pages. Deleting this cookie allows the RecentlyCommented and RecentComments actions to work correctly. Wikka's cookie suffix is set in the config as '@wikkastyle', and Wikka does in fact set two cookies using this suffix.

Related Ticket

#312

[DarTar]

RecentlyCommenter reads $_REQUEST['user'] which obviously includes the content of $_COOKIE. Wikka's cookies are correctly prefixed but in some cases the path may not be correctly represented, which I think is the cause of your issue (can you confirm?).

This is a known issue and has been already patched in trunk (see #592), maybe we could port it to the forthcoming 1.1.6.5 bugfix release?

[WillyPs]

In firefox, looking at the cookies, the path for all the cookies from www.shirlsworld.net is '/'. Is that what you mean by confirm?

But I don't understand why wikka would pass the info in any cookie to the action. I did not request recent comments by any particular users.

[BrianKoontz]

WillyPs, both actions use $_REQUEST['user'] to set $username.

I applied the changes made in #592 to Wakka.class.php, and discovered that despite my best intentions, a cookie named "user" with a path of "/" is ALWAYS read by PHP, and $_REQUEST['user'] is set to its value (thereby confirming WillyPs' issue). So I don't believe simply setting the correct path (as is done in #592) is the solution to the problem. What is needed is a way to restrict Wikka to reading only those cookies that are domain- and path-specific to the instance that's trying to access the cookie, and to ignore all other cookies (esp. those with paths that are set to "/").

I don't believe there's a way in PHP4 to do this (PHP5 does support parsing of HTTP headers, which is probably what is needed to check for cookie paths).

[WillyPs]

So perhaps the action should be separated into two, one that would read comments by everyone, ie, take out $_REQUESTuser?, and another that would read only comments from the current user?

Or perhaps $username could be passed from the page: default to all, or specify a user when the action is called, like {{RecentlyCommented by="current"}} or {{RecentlyCommented by="WillyPs"}} but not using $_REQUESTuser? at all? According to the docs, there is no parameters for either action.

[BrianKoontz]

Tentative fix: change $_REQUEST to $_GET in recentcomments and recentlycommented. Only affected action appears to be adminusers.php (will be modified to accommodate above changes).

[NilsLindenberg]

This ticket again shows the necessity to avoid using $_REQUEST.

[BrianKoontz]

(In [1096]) Changed _REQUESTs to _GETs, updated phpdoc headers. Refs #748.