Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Services module invokes function that can overwrite global variables?

Posted on 2014-10-30
2
Medium Priority
?
137 Views
Last Modified: 2014-11-17
Using Fortify, we scanned our module directory, including the Services module.

The report flagged line 494 in services_ctools_export_ui.class.php where extract() is invoked.

The report suggests that invoking extract() can be prone to allowing an attacker to influence the execution of the code.

I'm wondering if this is a false positive? The code as written seems convention.

I've also attached the report.

/**
 * Returns the updates for a given resource method.
 *
 * @param $resource
 *   A resource name.
 * @param $method
 *   A method name.
 * @return
 *   an array with the major and minor api versions
 */
function services_get_update_versions($resource, $method) {
  $versions = array();
  $updates = services_get_updates();
  if (isset($updates[$resource][$method]) && is_array($updates[$resource][$method])) {
    foreach ($updates[$resource][$method] as $update) {
      extract($update);
      $value = $major . '.' . $minor;
      $versions[$value] = $value;
    }
  }
  return $versions;
}

Open in new window

fortify-services-module.pdf
0
Comment
Question by:sandshakimi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40414255
Please read the warnings on the man page:  http://us2.php.net/manual/en/function.extract.php  It says it is not recommended.
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 40414283
This is a false positive.  While it could have been written more thoughtfully without extract(), it looks benign to me because it's encapsulated in a function and therefore cannot inject variables into the global scope.  In a nutshell, extract() has the potential to be misused in a way that can do the same thing that Register Globals can do.  You don't want unknown variables injected into the scope of your scripts.  Inside a small function like this, it's OK, even if not a very good programming practice.
0

Featured Post

Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to count occurrences of each item in an array.

661 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question