Session and CSRF Token: PHP warning

On each server-manager page request, the log reports:

PHP Warning: array_unshift() expects parameter 1 to be array, null given in /usr/share/nethesis/Nethgui/Utility/Session.php on line 246
PHP Warning: array_splice() expects parameter 1 to be array, null given in /usr/share/nethesis/Nethgui/Utility/Session.php on line 247

nethserver-httpd-admin-2.2.0-1.ns7.noarch
nethserver-httpd-3.2.0-1.ns7.noarch || nethserver-httpd-3.2.0-1.6.g9917897.ns7.noarch
nethserver-lib-2.2.7-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch

3 Likes

You’re right, it’s the kind of mistake that originates from mixing Perl and PHP array programming :unamused:

Workaround: downgrade nethserver-httpd-admin ?

1 Like

The warning message is a symptom of a security regression that makes Server Manager susceptible to CSRF attacks. Even if the vulnerability is hard to exploit, the best thing to do is to log out from Server Manager and revert the last nethserver-httpd-admin update with the following command:

yum --noplugins downgrade nethserver-httpd-admin-2.1.1

The regression is present in version 2.2.0 of nethserver-httpd-admin only. Previous releases are not affected.

For more information see

2 Likes

The fix is available from nethserver-testing repo /cc @quality_team

yum install http://packages.nethserver.org/nethserver/7.4.1708/testing/x86_64/Packages/nethserver-httpd-admin-2.2.0-1.1.g0defa76.ns7.noarch.rpm

2 Likes

The fix has been released in nethserver-updates and sent to mirrors for synchronization:

yum clean all && yum update -y nethserver-httpd-admin-2.2.1

1 Like

Ehm, a 2-day fix? People, be aware that 30 Apr and 1 May are kind of a vacation here in Italy :slight_smile:
:clap: :clap: for @davidep

Open Source does not wait

1 Like