hey,

I had the same problems like you and the given hints didn't worked at my system, but now it's working fine.
I have a working fix for the problem.

Just install the attached patch and it's should work.


greetz firediver

I commented out cbRegAntiSpamCheck() and was able to leave the registration screen open for an hour and still successfully register a test user. Here's some info:

PHP built On: Linux web1.nodid.net 2.6.9-42.0.8.ELsmp #1 SMP Tue Jan 23 13:01:26 EST 2007 i686
Database Version: 4.1.20
PHP Version: 4.3.9
Web Server: Apache/2.0.52 (CentOS)
WebServer to PHP interface: apache2handler
Joomla! Version: Joomla! 1.0.12 Stable [ Sunfire ] 25 December 2006 01:00 UTC

Post edited by: Raj, at: 2007/03/20 17:40

@all

The problem is related to the Harding Patch for PHP.

The following 2 parameters have to be increased in your php.ini (defaults are 64):

hphp.post.max_name_length = 150;
hphp.request.max_varname_length = 150;

You will have to contact your provider, if you don't have access to your php.ini file.
Or you can place a (complete) php.ini file all of your directories.

Take a look in Joomla! Backend in menu System > System Info > [PHP Info] and check out your actual values (Section: Hardening-Patch's variable filter support).

Hope this helps. My provider changed the values above and everything works now. There was no change of CB needed.

JoomlaZ

Hi,
i got something figured out to solve the problem for users who are not able to edit the values in the php.ini.

I read about the problem, that was based on the length of the values been posted. Therefore i searched for the spoof functions an edited them in a way i think should do better than commenting them out. I finally found it in the "comprofiler.class.php" on line 1925. There are two functions "cbGetSpoofInputTag", which defines the spoof protection word, and the "cbSpoofCheck", which checks if the user has posted some valid value.
Now the "only" think you have to do is change the word being posted by the "cbGetSpoofInputTag" and the word being received by the "cbSpoofCheck" into a word that is short enought to fit with your server settings.

I did replace the [code:1]$validate = 'cbj' . md5( $mainframe->getCfg('secret')) . md5( $mainframe->getCfg( 'db' ) . date( 'dmY' ) );[/code:1]
by a shorter one like
[code:1]$validate = 'cbj' . md5( $mainframe->getCfg('secret').$mainframe->getCfg( 'db' ).date( 'dmY' ) );[/code:1]

For me it works fine.

EDIT: You can find the file "comprofiler.class.php" in the "administrator\components\com_comprofiler" directory

Ahh and a big thx to this amazing tool

Post edited by: nightlord, at: 2007/04/08 09:22

Post edited by: nightlord, at: 2007/04/08 09:25

nightlord wrote:
Worked fine for me too ... thanks for posting the info

Ok, could finally - finally - reproduce it with an older Joomla version (1.0.10 or 1.0.11). At that time, joomla mosGetParam() function had a bug and was wrongly typing to int any numeric value even if default value was a string.

So the official fix is following:
in administrator/components/com_comprofiler/comprofiler.class.php search function cbRegAntiSpamCheck:
[code:1]
function cbRegAntiSpamCheck() {
for($i = 0; $i < 2; $i++) {
$validate = cbGetRegAntiSpams( $i );
$validateValuePost = mosGetParam( $_POST, $validate[0], 0 );
$validateValueCookie = mosGetParam( $_COOKIE, "cbrvs" );
if ( ( $validateValuePost === "1" ) && ( $validateValueCookie === $validate[1] ) ) {
break;
}
}
if ( $i == 2 ) {
header( 'HTTP/1.0 403 Forbidden' );
echo "<script>alert('Registration session expired and/or cookies are not enabled in your browser.'); window.history.go(-1);</script> \n";
exit;
}
}
[/code:1]

and change the [code:1]=== "1"[/code:1] to [code:1]== "1"[/code:1]

yes, just remove one equal sign from the first group of 3 ===, making them 2 == .

So it becomes:

[code:1]
function cbRegAntiSpamCheck() {
for($i = 0; $i < 2; $i++) {
$validate = cbGetRegAntiSpams( $i );
$validateValuePost = mosGetParam( $_POST, $validate[0], 0 );
$validateValueCookie = mosGetParam( $_COOKIE, "cbrvs" );
if ( ( $validateValuePost == "1" ) && ( $validateValueCookie === $validate[1] ) ) {
break;
}
}
if ( $i == 2 ) {
header( 'HTTP/1.0 403 Forbidden' );
echo "<script>alert('Registration session expired and/or cookies are not enabled in your browser.'); window.history.go(-1);</script> \n";
exit;
}
}
[/code:1]

This relaxes the typecheck, without loosening security in this case. The second comparison is a string in all cases, so it's ok.

Please let us know if it works for you, as it will be fixed in upcomming cb release (together with the other problem of hardened php limitations).

Sorry for quite late reply, but let's try to fix that nasty one within next week.

Post edited by: beat, at: 2007/04/26 23:29

Post edited by: beat, at: 2007/04/26 23:30