• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Will it be consider as 'false positive'?

#1
The verdict: 

This may allow to execute arbitrary code, or at least modify what code can be executed.

(Snippet from system/core/Loader.php)


Code:
// If the PHP installation does not support short tags we'll

 // do a little string replacement, changing the short tags

 // to standard PHP echo statements.

 if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

 {
    

  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));

 }

   any opinion? OR someone can prove they can do some harm by these line?
Reply

#2
(07-18-2017, 11:24 AM)ciadvantage Wrote: The verdict: 

This may allow to execute arbitrary code, or at least modify what code can be executed.

(Snippet from system/core/Loader.php)


Code:
// If the PHP installation does not support short tags we'll

 // do a little string replacement, changing the short tags

 // to standard PHP echo statements.

 if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

 {


  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));

 }

   any opinion? OR someone can prove they can do some harm by these line?

false positive
Reply

#3
(07-18-2017, 11:28 AM)Paradinight Wrote:
(07-18-2017, 11:24 AM)ciadvantage Wrote: The verdict: 

This may allow to execute arbitrary code, or at least modify what code can be executed.

(Snippet from system/core/Loader.php)


Code:
// If the PHP installation does not support short tags we'll

 // do a little string replacement, changing the short tags

 // to standard PHP echo statements.

 if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

 {


  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));

 }

   any opinion? OR someone can prove they can do some harm by these line?

false positive

You use an old codeigniter version pls update :| In the new version the code is removed.
Reply

#4
I already updated to CI 3.1.5 and these lines are at line number#956 (system/core/Loader.php) and eval is still in use!
Reply

#5
(07-18-2017, 12:19 PM)ciadvantage Wrote: I already updated to CI 3.1.5 and these lines are at line number#956 (system/core/Loader.php) and eval is still in use!

sorry my mistake Smile

I checked the develop branch not the 3.1.5

It is a false positive. it rewrite the php file to support <?= if the short_open_tag is off. In php 5.4 and above this <?= is always on Smile
Reply

#6
Yeah I am kinda checking out my config and this portion of code never reached since I set it config_item('rewrite_short_tags') === FALSE so my code is ok

Thanks anyway I assume you mentioned this eval() is removed in CI 4.0?
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.