+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forum-5.html)
+--- Forum: General Help (https://forum.codeigniter.com/forum-24.html)
+--- Thread: Will it be consider as 'false positive'? (/thread-68490.html)
Will it be consider as 'false positive'? - ciadvantage - 07-18-2017
The verdict:
This may allow to execute arbitrary code, or at least modify what code can be executed.
(Snippet from system/core/Loader.php)
Code:
// If the PHP installation does not support short tags we'll
// do a little string replacement, changing the short tags
// to standard PHP echo statements.
if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)
{
echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));
}any opinion? OR someone can prove they can do some harm by these line?
RE: Will it be consider as 'false positive'? - Paradinight - 07-18-2017
(07-18-2017, 11:24 AM)ciadvantage Wrote: The verdict:
This may allow to execute arbitrary code, or at least modify what code can be executed.
(Snippet from system/core/Loader.php)
Code:// If the PHP installation does not support short tags we'll
// do a little string replacement, changing the short tags
// to standard PHP echo statements.
if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)
{
echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));
}
any opinion? OR someone can prove they can do some harm by these line?
false positive
RE: Will it be consider as 'false positive'? - Paradinight - 07-18-2017
(07-18-2017, 11:28 AM)Paradinight Wrote:(07-18-2017, 11:24 AM)ciadvantage Wrote: The verdict:
This may allow to execute arbitrary code, or at least modify what code can be executed.
(Snippet from system/core/Loader.php)
Code:// If the PHP installation does not support short tags we'll
// do a little string replacement, changing the short tags
// to standard PHP echo statements.
if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)
{
echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));
}
any opinion? OR someone can prove they can do some harm by these line?
false positive
You use an old codeigniter version pls update :| In the new version the code is removed.
RE: Will it be consider as 'false positive'? - ciadvantage - 07-18-2017
I already updated to CI 3.1.5 and these lines are at line number#956 (system/core/Loader.php) and eval is still in use!
RE: Will it be consider as 'false positive'? - Paradinight - 07-18-2017
(07-18-2017, 12:19 PM)ciadvantage Wrote: I already updated to CI 3.1.5 and these lines are at line number#956 (system/core/Loader.php) and eval is still in use!
sorry my mistake
I checked the develop branch not the 3.1.5
It is a false positive. it rewrite the php file to support <?= if the short_open_tag is off. In php 5.4 and above this <?= is always on
RE: Will it be consider as 'false positive'? - ciadvantage - 07-18-2017
Yeah I am kinda checking out my config and this portion of code never reached since I set it config_item('rewrite_short_tags') === FALSE so my code is ok
Thanks anyway I assume you mentioned this eval() is removed in CI 4.0?