PHP Web 'viewer' for Cumulus NOAA Style reports


beteljuice
Posts: 3007
Joined: Tue 09 Dec 2008 1:37 pm
Weather Station: None !
Operating System: W10 - Threadripper 16core, etc
Location: Dudley, West Midlands, UK

BUG FIX Ver 3.5 ...

Post by beteljuice »

Bug fix ... get zip from first post

V3.5 - Jan 1st 2020
  • bug fix - now is corrected to 'yesterday' (latest possible record)
    CU possible error report if year report is missing - fixed


Don't know why this hasn't been pointed out over the years - or perhaps it's just the way error reporting now is ?

@mark ... code incomplete and not quite correct :o

Code:

$now = date_create('now')->modify('-1 day');
$now_month = $now->format('m'); // mark said mm
$now_year = $now->format('Y');
$prior_month = $now_month - 1; // mark didn't mention
$prior_year = $now_year - 1; // mark didn't mention

Also I discovered an incomplete check further along ..

Code:

//		if ($filesfound[$t] || ($yy == $now_year && $Naming != "CU")) {
		if ((array_key_exists($t, $filesfound) && $filesfound[$t]) || ($yy == $now_year && $Naming != "CU")) {

All OK now (I hope)
......................Imagine, what you will KNOW tomorrow !

mcrossley
Posts: 6932
Joined: Thu 07 Jan 2010 9:44 pm
Weather Station: Davis VP2
Operating System: Buster Lite rPi
Location: Wilmslow, Cheshire, UK

Re: BUG FIX Ver 3.5 ...

Post by mcrossley »

beteljuice wrote:
Wed 01 Jan 2020 3:32 pm
@mark ... code incomplete and not quite correct :o

Code:

$now = date_create('now')->modify('-1 day');
$now_month = $now->format('m'); // mark said mm
$now_year = $now->format('Y');
$prior_month = $now_month - 1; // mark didn't mention
$prior_year = $now_year - 1; // mark didn't mention

Good spot on "m" vs. "mm" - amazingly the "mm" didn't affect the rest of the bullet proof code though!
And the two $prior_xxx values were not used for anything in my copy except for debug messages so they got commented out a while back.

Matt.j5b
Posts: 474
Joined: Mon 28 Nov 2011 2:13 am
Weather Station: Davis VP2 with DFARS
Operating System: RPi Raspbian (Buster)
Location: Ferny Grove, Brisbane, Australia

Re: PHP Web 'viewer' for Cumulus NOAA Style reports

Post by Matt.j5b »

This is not a problem as these reports have been working just fine. However, I received an email (from an unknown person) saying a vulnerability (reflected cross-site scripting) was found with my NOAA style report page when the following string is added to the end of the URL: <"/*'/*

Code:

</Title/</Script/--><svg/**/; OnlOad=(alert)(document.domain)>/

So on my page to get this happening, which breaks the page badly:

Code:

https://fernygroveweather.com/NOAA-reports.php/<"/*'/*</Title/</Script/--><svg/**/; Onload=(alert)(document.domain)>/

I didn't want to spend too much time on this, but I haven't been successful in resolving this. I doubt this is much of an issue anyway, but I thought I would advise of this just in case someone would like to come up with something to get around this.

Cheers
Regards, Matt of Brisbane, Australia
Ferny Grove Weather
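
The URL in the post above places the test string after the script name, a part of the request that PHP includes in `$_SERVER['PHP_SELF']` but not in `$_SERVER['SCRIPT_NAME']`. The following is an added example, not part of the viewer script or of any post in this thread; it assumes the page writes `PHP_SELF` into its HTML (the thread does not show where the reflection happens) and that the viewer needs no path parameters, and its function names are hypothetical.

```php
<?php
// Added example; not code from the NOAA report viewer.
// Assumption: the page echoes $_SERVER['PHP_SELF'] into its HTML.
// Function names below are hypothetical.

// Constructed request values matching the URL quoted in the post.
// PHP_SELF includes anything after the script name; SCRIPT_NAME does not.
$server = [
    'SCRIPT_NAME' => '/NOAA-reports.php',
    'PHP_SELF'    => '/NOAA-reports.php/<"/*\'/*</Title/</Script/--><svg/**/; Onload=(alert)(document.domain)>/',
];

// Escape a value for HTML text or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: request-controlled text copied into markup as-is.
function form_open_unsafe(array $server): string
{
    return '<form method="get" action="' . $server['PHP_SELF'] . '">';
}

// Hardened pattern: link back to the script's own path, escaped.
function form_open_safe(array $server): string
{
    return '<form method="get" action="' . h($server['SCRIPT_NAME']) . '">';
}

// Assumed: the viewer takes no path parameters, so trailing path info can be refused.
function has_trailing_path(array $server): bool
{
    return $server['PHP_SELF'] !== $server['SCRIPT_NAME'];
}

echo "unsafe:  ", form_open_unsafe($server), "\n";   // attribute and tag are broken out of
echo "safe:    ", form_open_safe($server), "\n";     // fixed, known path only
echo "escaped: ", h($server['PHP_SELF']), "\n";      // inert text if it must be displayed

if (has_trailing_path($server)) {
    // In the real page this check would run before any output is sent.
    http_response_code(404);
    echo "404: unexpected path after script name\n";
}
```

On Apache, setting `AcceptPathInfo Off` for the script makes the server answer such URLs with 404 before PHP runs.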

Re: PHP Web 'viewer' for Cumulus NOAA Style reports

Post by beteljuice »

This is one of many, many 'exploit' techniques ...
You (and others) will find more pages where it gives the alert (executes) or breaks some of the existing code functions. Many pages may return 404, or carry on regardless.

Nothing I can do about it I'm afraid :cry:

Re: PHP Web 'viewer' for Cumulus NOAA Style reports

Post by Matt.j5b »

That's a shame. Thanks for explaining that anyway.