Create account



CodeIgniter.com Twitter      


  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Thread Modes
Will it be consider as 'false positive'?

Offline ciadvantage
Member
***
Posts: 82
Threads: 12
Joined: May 2017
Reputation: 3
#1
07-18-2017, 11:24 AM
The verdict: 

This may allow to execute arbitrary code, or at least modify what code can be executed.

(Snippet from system/core/Loader.php)


Code:
// If the PHP installation does not support short tags we'll

 // do a little string replacement, changing the short tags

 // to standard PHP echo statements.

 if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

 {
    

  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));

 }

   any opinion? OR someone can prove they can do some harm by these line?
Find
Reply

Offline Paradinight
Senior Member
****
Posts: 445
Threads: 6
Joined: Jun 2015
Reputation: 25
#2
07-18-2017, 11:28 AM
(07-18-2017, 11:24 AM)ciadvantage Wrote: The verdict: 

This may allow to execute arbitrary code, or at least modify what code can be executed.

(Snippet from system/core/Loader.php)


Code:
// If the PHP installation does not support short tags we'll

 // do a little string replacement, changing the short tags

 // to standard PHP echo statements.

 if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

 {


  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));

 }

   any opinion? OR someone can prove they can do some harm by these line?

false positive
Find
Reply

Offline Paradinight
Senior Member
****
Posts: 445
Threads: 6
Joined: Jun 2015
Reputation: 25
#3
07-18-2017, 12:06 PM
(07-18-2017, 11:28 AM)Paradinight Wrote:
(07-18-2017, 11:24 AM)ciadvantage Wrote: The verdict: 

This may allow to execute arbitrary code, or at least modify what code can be executed.

(Snippet from system/core/Loader.php)


Code:
// If the PHP installation does not support short tags we'll

 // do a little string replacement, changing the short tags

 // to standard PHP echo statements.

 if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

 {


  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));

 }

   any opinion? OR someone can prove they can do some harm by these line?

false positive

You use an old codeigniter version pls update :| In the new version the code is removed.
Find
Reply

Offline ciadvantage
Member
***
Posts: 82
Threads: 12
Joined: May 2017
Reputation: 3
#4
07-18-2017, 12:19 PM (This post was last modified: 07-18-2017, 12:20 PM by ciadvantage.)
I already updated to CI 3.1.5 and these lines are at line number#956 (system/core/Loader.php) and eval is still in use!
Find
Reply

Offline Paradinight
Senior Member
****
Posts: 445
Threads: 6
Joined: Jun 2015
Reputation: 25
#5
07-18-2017, 12:30 PM
(07-18-2017, 12:19 PM)ciadvantage Wrote: I already updated to CI 3.1.5 and these lines are at line number#956 (system/core/Loader.php) and eval is still in use!

sorry my mistake Smile

I checked the develop branch not the 3.1.5

It is a false positive. it rewrite the php file to support <?= if the short_open_tag is off. In php 5.4 and above this <?= is always on Smile
Find
Reply

Offline ciadvantage
Member
***
Posts: 82
Threads: 12
Joined: May 2017
Reputation: 3
#6
07-18-2017, 12:40 PM
Yeah I am kinda checking out my config and this portion of code never reached since I set it config_item('rewrite_short_tags') === FALSE so my code is ok

Thanks anyway I assume you mentioned this eval() is removed in CI 4.0?
Find
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.