Solved

Services module invokes function that can overwrite global variables?

Posted on 2014-10-30
2
120 Views
Last Modified: 2014-11-17
Using Fortify, we scanned our module directory, including the Services module.

The report flagged line 494 in services_ctools_export_ui.class.php where extract() is invoked.

The report suggests that invoking extract() can be prone to allowing an attacker to influence the execution of the code.

I'm wondering if this is a false positive? The code as written seems convention.

I've also attached the report.

/**
 * Returns the updates for a given resource method.
 *
 * @param $resource
 *   A resource name.
 * @param $method
 *   A method name.
 * @return
 *   an array with the major and minor api versions
 */
function services_get_update_versions($resource, $method) {
  $versions = array();
  $updates = services_get_updates();
  if (isset($updates[$resource][$method]) && is_array($updates[$resource][$method])) {
    foreach ($updates[$resource][$method] as $update) {
      extract($update);
      $value = $major . '.' . $minor;
      $versions[$value] = $value;
    }
  }
  return $versions;
}

Open in new window

fortify-services-module.pdf
0
Comment
Question by:sandshakimi
2 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40414255
Please read the warnings on the man page:  http://us2.php.net/manual/en/function.extract.php  It says it is not recommended.
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 40414283
This is a false positive.  While it could have been written more thoughtfully without extract(), it looks benign to me because it's encapsulated in a function and therefore cannot inject variables into the global scope.  In a nutshell, extract() has the potential to be misused in a way that can do the same thing that Register Globals can do.  You don't want unknown variables injected into the scope of your scripts.  Inside a small function like this, it's OK, even if not a very good programming practice.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to dynamically set the form action using jQuery.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now