Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Using CodeIgniter General Help Will it be consider as 'false positive'?
Will it be consider as 'false positive'?
  • Offline ciadvantage
    Member
  • ***
  • Posts: 82
    Threads: 12
    Joined: May 2017
    Reputation: 3
#1
07-18-2017, 11:24 AM

The verdict: 

This may allow to execute arbitrary code, or at least modify what code can be executed.

(Snippet from system/core/Loader.php)


Code:
// If the PHP installation does not support short tags we'll

 // do a little string replacement, changing the short tags

 // to standard PHP echo statements.

 if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

 {
    

  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));

 }

   any opinion? OR someone can prove they can do some harm by these line?
Reply
  • Offline Paradinight
    Senior Member
  • ****
  • Posts: 446
    Threads: 6
    Joined: Jun 2015
    Reputation: 25
#2
07-18-2017, 11:28 AM

(07-18-2017, 11:24 AM)ciadvantage Wrote: The verdict: 

This may allow to execute arbitrary code, or at least modify what code can be executed.

(Snippet from system/core/Loader.php)


Code:
// If the PHP installation does not support short tags we'll

 // do a little string replacement, changing the short tags

 // to standard PHP echo statements.

 if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

 {


  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));

 }

   any opinion? OR someone can prove they can do some harm by these line?

false positive
Reply
  • Offline Paradinight
    Senior Member
  • ****
  • Posts: 446
    Threads: 6
    Joined: Jun 2015
    Reputation: 25
#3
07-18-2017, 12:06 PM

(07-18-2017, 11:28 AM)Paradinight Wrote:
(07-18-2017, 11:24 AM)ciadvantage Wrote: The verdict: 

This may allow to execute arbitrary code, or at least modify what code can be executed.

(Snippet from system/core/Loader.php)


Code:
// If the PHP installation does not support short tags we'll

 // do a little string replacement, changing the short tags

 // to standard PHP echo statements.

 if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

 {


  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));

 }

   any opinion? OR someone can prove they can do some harm by these line?

false positive

You use an old codeigniter version pls update :| In the new version the code is removed.
Reply
  • Offline ciadvantage
    Member
  • ***
  • Posts: 82
    Threads: 12
    Joined: May 2017
    Reputation: 3
#4
07-18-2017, 12:19 PM
(This post was last modified: 07-18-2017, 12:20 PM by ciadvantage.)

I already updated to CI 3.1.5 and these lines are at line number#956 (system/core/Loader.php) and eval is still in use!
Reply
  • Offline Paradinight
    Senior Member
  • ****
  • Posts: 446
    Threads: 6
    Joined: Jun 2015
    Reputation: 25
#5
07-18-2017, 12:30 PM

(07-18-2017, 12:19 PM)ciadvantage Wrote: I already updated to CI 3.1.5 and these lines are at line number#956 (system/core/Loader.php) and eval is still in use!

sorry my mistake Smile

I checked the develop branch not the 3.1.5

It is a false positive. it rewrite the php file to support <?= if the short_open_tag is off. In php 5.4 and above this <?= is always on Smile
Reply
  • Offline ciadvantage
    Member
  • ***
  • Posts: 82
    Threads: 12
    Joined: May 2017
    Reputation: 3
#6
07-18-2017, 12:40 PM

Yeah I am kinda checking out my config and this portion of code never reached since I set it config_item('rewrite_short_tags') === FALSE so my code is ok

Thanks anyway I assume you mentioned this eval() is removed in CI 4.0?
Reply




Theme © iAndrew 2016 - Forum software by © MyBB