CodeIgniter Forums
Will it be consider as 'false positive'? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forum-5.html)
+--- Forum: General Help (https://forum.codeigniter.com/forum-24.html)
+--- Thread: Will it be consider as 'false positive'? (/thread-68490.html)



Will it be consider as 'false positive'? - ciadvantage - 07-18-2017

The verdict: 

This may allow to execute arbitrary code, or at least modify what code can be executed.

(Snippet from system/core/Loader.php)


Code:
// If the PHP installation does not support short tags we'll

 // do a little string replacement, changing the short tags

 // to standard PHP echo statements.

 if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

 {
    

  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));

 }

   any opinion? OR someone can prove they can do some harm by these line?


RE: Will it be consider as 'false positive'? - Paradinight - 07-18-2017

(07-18-2017, 11:24 AM)ciadvantage Wrote: The verdict: 

This may allow to execute arbitrary code, or at least modify what code can be executed.

(Snippet from system/core/Loader.php)


Code:
// If the PHP installation does not support short tags we'll

 // do a little string replacement, changing the short tags

 // to standard PHP echo statements.

 if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

 {


  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));

 }

   any opinion? OR someone can prove they can do some harm by these line?

false positive


RE: Will it be consider as 'false positive'? - Paradinight - 07-18-2017

(07-18-2017, 11:28 AM)Paradinight Wrote:
(07-18-2017, 11:24 AM)ciadvantage Wrote: The verdict: 

This may allow to execute arbitrary code, or at least modify what code can be executed.

(Snippet from system/core/Loader.php)


Code:
// If the PHP installation does not support short tags we'll

 // do a little string replacement, changing the short tags

 // to standard PHP echo statements.

 if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

 {


  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));

 }

   any opinion? OR someone can prove they can do some harm by these line?

false positive

You use an old codeigniter version pls update :| In the new version the code is removed.


RE: Will it be consider as 'false positive'? - ciadvantage - 07-18-2017

I already updated to CI 3.1.5 and these lines are at line number#956 (system/core/Loader.php) and eval is still in use!


RE: Will it be consider as 'false positive'? - Paradinight - 07-18-2017

(07-18-2017, 12:19 PM)ciadvantage Wrote: I already updated to CI 3.1.5 and these lines are at line number#956 (system/core/Loader.php) and eval is still in use!

sorry my mistake Smile

I checked the develop branch not the 3.1.5

It is a false positive. it rewrite the php file to support <?= if the short_open_tag is off. In php 5.4 and above this <?= is always on Smile


RE: Will it be consider as 'false positive'? - ciadvantage - 07-18-2017

Yeah I am kinda checking out my config and this portion of code never reached since I set it config_item('rewrite_short_tags') === FALSE so my code is ok

Thanks anyway I assume you mentioned this eval() is removed in CI 4.0?