Crash when displaying member list / usermgr.php bug
 


Started by 406man, October 30, 2023, 03:00:27 PM


406man

Introduction to the fault
My gallery allows logged-in users to display the member list (by running usermgr.php). I was horrified to find that this function crashed in my live system when trying to run it, giving a blank white screen. It must have been like this for several months (since my system was moved to a different server) but the fault hadn't been reported to me and I hadn't noticed it because I only rarely use the function. When I do use it, I'm logged in as an administrator and it worked fine in administrator mode.

If you're interested in the details of what I found, read on... If not, jump to the summary at the end.

Diagnosing the Fault

As I only have restricted unprivileged access to my live system I tried to reproduce the problem in my development environment but it worked fine – or so I thought initially. This meant it would be awkward to diagnose in my live system because I have limited access.

Initially I tried adding error_log calls to a temporary version of usermgr.php so I could generate traces in the php log file and see how far it got before failing. However, when I made the code changes and tested it in my development environment some of the traces did not appear. This seemed very odd and I didn't understand how that could happen.

To find out what was going on I ran the script to trigger the Xdebug debugger, at which point things became clearer. Various PHP errors were caught and I could see there was PHP code which my environment did not like. These errors were hiding other problems. The truly bizarre behaviour was that when I fixed the PHP problems the user list was displayed twice!!!

Cutting directly to the fault, in usermgr.php line 35 is:

show_memberlist;

This calls function show_memberlist and generates a PHP warning as the syntax should be:

show_memberlist();

The function show_memberlist uses global variables $CONFIG and $lang_usermgr_php.
These were not declared as globals and were therefore undefined, which caused more problems.

Once I fixed these faults the code ran without crashing but I got two copies of the user list.
Therefore, what I did was to completely remove the call to

show_memberlist;

Once I did this, everything worked correctly in my test and live environments.

My live system runs PHP 8.2.12 and CPG 1.6.25 and my development system 7.4.33 with CPG 1.6.25. I accept that it's poor practice to develop in an environment that uses an older version of PHP than the live. My excuse is that I only discovered the use of PHP 8.2.12 when debugging this problem – my live system had previously been using PHP 7.4.x and had been upgraded without me being aware, probably when the system was moved to a new live environment in August.
My hosting company's PHP 8 settings are more strict than in my PHP 7 development environment. The warnings were tolerated in my development system but the live system crashed. What's behind this is that newer PHP versions are progressively less tolerant of errors and will cause a crash in circumstances where older versions carried on. I use the WAMP Server development environment and when I switched the PHP version to 8.2.0 I was able to reproduce the crash when displaying the member list.

For those who are unaware, you can display PHP information for your system by logging in to Coppermine as an administrator and then running phpinfo.php in the main Coppermine directory from the web browser.

Summary
This is partly a PHP 8 related problem and partly involving coding bugs that had remained hidden.

Summarising: to fix this crashing fault in PHP 8, the call to show_memberlist at line 35 of usermgr.php should be removed, along with the whole of function show_memberlist from line 47 onwards.
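
Added example, not part of the original post and not Coppermine's own code: a PHP scanner for the kind of statement discussed above, a bare name followed by a semicolon, so that such latent faults can be found before a move to PHP 8. PHP reads a bare name as a constant; when the constant is undefined, PHP 7.2 to 7.4 raise a warning and PHP 8 throws an Error. The function name find_bare_name_statements and the sample source are constructed for illustration, and the sample assumes the line-35 statement is the bare name `show_memberlist;`.

```php
<?php
// Flag statements made of a bare name only, e.g. `show_memberlist;` (a constant lookup, not a call).
/** Return [line, name] pairs for each bare-name statement in $source. */
function find_bare_name_statements(string $source): array
{
    // Keep significant tokens only, normalised to [id, text, line].
    $tokens = [];
    $line = 1;
    foreach (token_get_all($source) as $tok) {
        if (!is_array($tok)) {
            $tokens[] = [null, $tok, $line];   // single-character token
            continue;
        }
        $line = $tok[2];
        if (!in_array($tok[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $tokens[] = $tok;
        }
    }

    $starters = [';', '{', '}', ')'];   // tokens a statement can follow
    $literals = ['true', 'false', 'null'];
    $hits = [];
    foreach ($tokens as $i => [$id, $text, $ln]) {
        if ($id !== T_STRING || ($tokens[$i + 1][1] ?? '') !== ';') {
            continue;
        }
        $prev = $tokens[$i - 1] ?? [T_OPEN_TAG, '', 0];
        $atStart = in_array($prev[0], [T_OPEN_TAG, T_ELSE], true)
            || ($prev[0] === null && in_array($prev[1], $starters, true));
        if ($atStart && !in_array(strtolower($text), $literals, true)) {
            $hits[] = [$ln, $text];
        }
    }
    return $hits;
}

// Constructed sample modelled on the post, not Coppermine's actual source.
$sample = <<<'PHP'
<?php
if (USER_ID) {
    show_memberlist;      // bare name: undefined-constant lookup
    show_memberlist();    // real call, not flagged
}
PHP;
// Scan the file given on the command line, or the sample above.
$source = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;
foreach (find_bare_name_statements($source) as [$ln, $name]) {
    echo "line $ln: bare name '$name' used as a statement\n";
}
```

A hit on a name that is a defined constant is harmless but still a no-op statement, so each reported line is worth reading by hand.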