Welcome Guest, Not a member yet? Register   Sign In
Important update for Community Auth users
#1

(This post was last modified: 05-21-2016, 10:28 PM by skunkbad. Edit Reason: Note regarding support for legacy versions of PHP )

Users of Community Auth for CI 3 should update to the current version or at least update the _rebuild_deny_list() method in Auth_model.php.

The Problem

If the deny list in the .htaccess file is rebuilt, and if the .htaccess file is larger than a small size, the regular expression used in preg_replace may potentially create a condition where preg_replace returns an empty string, effectively wiping out the .htaccess file and thereby bringing the website down.

The Bad Regex


Code:
/(?<=# BEGIN DENY LIST --)(.|\n)*(?=# END DENY LIST --)/

A Better Regex

Code:
/(?<=# BEGIN DENY LIST --).*?(?=# END DENY LIST --)/s

The Best Solution

As long as the deny list is ALWAYS at the top of the .htaccess file, rather than using preg_replace, a better solution is to use PHP's explode() function to cut the .htaccess file into a upper and lower portion, and then replace the upper portion (the deny list). For reference, here is the revised method as of 5/21/2016:


Code:
/**
 * Rebuild the deny list in the local Apache configuration file
 */
protected function _rebuild_deny_list()
{
    // Get all of the IP addresses in the denied access database
    $query_result = $this->get_deny_list('ip_address');

    // If we have denials
    if( $query_result !== FALSE )
    {
        // Create the denial list to be inserted into the Apache config file
        $deny_list = '<Limit GET POST>' . "\n" . 'order deny,allow';

        foreach( $query_result as $row )
        {
            $deny_list .= "\n" . 'deny from ' . $row->ip_address;
        }

        $deny_list .= "\n" . '</Limit>' . "\n# END DENY LIST --\n";
    }

    // Else we have no denials
    else
    {
        $deny_list = "# END DENY LIST --\n";
    }

    // Get the path to the Apache config file
    $htaccess = config_item('apache_config_file_location');

    $this->load->helper('file');

    // Store the file permissions so we can reset them after writing to the file
    $initial_file_permissions = fileperms( $htaccess );

    // Change the file permissions so we can read/write
    @chmod( $htaccess, 0644);

    // Read in the contents of the Apache config file
    $string = read_file( $htaccess );

    // Remove the original deny list
    $arr = explode( 'END DENY LIST --', $string );

    // Add the new deny list to the top of the file contents
    $string = "# MAKE SURE TO LEAVE THE DENY LIST AT THE TOP OF THE FILE !!!\n" .
            "# BEGIN DENY LIST --\n" . $deny_list . "\n" . trim( $arr[1] ) . "\n";

    // Write the new file contents
    if ( ! write_file( $htaccess, $string ) )
    {
         die('Could not write to Apache configuration file');
    }

    // Change the file permissions back to what they were before the read/write
    @chmod( $htaccess, $initial_file_permissions );
}

// --------------------------------------------------------------

Note that your .htaccess file MUST have the deny list at the very top of the file. In any other place you would risk losing whatever is above the deny list.

This is probably not a huge problem for many Community Auth users, but if one's login form was the victim of a brute force style attack, by default Community Auth does attempt to block the IP address associated with the requests, and so the rebuilding of the .htaccess file could happen at any time. Be sure to address this issue as soon as possible.

Final Note

Community Auth's support for PHP versions less than 5.4 has officially ended. Community Auth is actively developed on PHP 5.5 and PHP 7, and supporting PHP versions less than 5.4 is not worth the time. Honestly, it's difficult to imagine anyone wanting to work in an old legacy version of PHP. Get with the times folks!
Reply


Messages In This Thread
Important update for Community Auth users - by skunkbad - 05-21-2016, 09:19 PM



Theme © iAndrew 2016 - Forum software by © MyBB