Solved

Services module invokes function that can overwrite global variables?

Posted on 2014-10-30
Last Modified: 2014-11-17
Using Fortify, we scanned our module directory, including the Services module.

The report flagged line 494 in services_ctools_export_ui.class.php where extract() is invoked.

The report suggests that invoking extract() can be prone to allowing an attacker to influence the execution of the code.

I'm wondering if this is a false positive? The code as written seems conventional.

I've also attached the report.

/**
 * Returns the updates for a given resource method.
 *
 * @param $resource
 *   A resource name.
 * @param $method
 *   A method name.
 * @return
 *   an array with the major and minor api versions
 */
function services_get_update_versions($resource, $method) {
  $versions = array();
  $updates = services_get_updates();
  if (isset($updates[$resource][$method]) && is_array($updates[$resource][$method])) {
    foreach ($updates[$resource][$method] as $update) {
      // The line Fortify flagged: every key of $update becomes a local variable
      // in this function's scope (EXTR_OVERWRITE is the default mode).
      extract($update);
      $value = $major . '.' . $minor;
      $versions[$value] = $value;
    }
  }
  return $versions;
}

fortify-services-module.pdf
Question by: sandshakimi
2 Comments

Expert Comment

by: Dave Baldwin
ID: 40414255
Please read the warnings on the man page:  http://us2.php.net/manual/en/function.extract.php  It says it is not recommended.

Accepted Solution

by: Ray Paseur (earned 500 total points)
ID: 40414283
This is a false positive.  While it could have been written more thoughtfully without extract(), it looks benign to me because it's encapsulated in a function and therefore cannot inject variables into the global scope.  In a nutshell, extract() has the potential to be misused in a way that can do the same thing that Register Globals can do.  You don't want unknown variables injected into the scope of your scripts.  Inside a small function like this, it's OK, even if not a very good programming practice.
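The scope point made in the accepted answer can be checked directly. The following is an added example, not code from the Services module or from either commenter: it mirrors the shape of the flagged function (an accumulator plus extract() on each update entry), with a plain array argument standing in for services_get_updates() so it runs offline, and the input arrays are constructed for the demonstration. The function and variable names (versions_with_extract, versions_without_extract, $site_name) are assumptions for this example only.

```php
<?php
// Added example, not part of the original question or answers.
// Demonstrates what extract() does to the enclosing scope: inside a function
// it can overwrite that function's own locals, but it cannot reach globals,
// which is the distinction drawn in the accepted answer.

// A global that a function-scoped extract() must not be able to touch.
$site_name = 'original';

/**
 * Same pattern as services_get_update_versions(): $versions accumulates
 * "major.minor" strings while extract() pulls each entry's keys into scope.
 * $updates replaces the services_get_updates() lookup for this example.
 */
function versions_with_extract(array $updates) {
  $versions = array();
  foreach ($updates as $update) {
    extract($update);              // every key of $update becomes a local here
    $value = $major . '.' . $minor;
    $versions[$value] = $value;
  }
  return $versions;
}

/**
 * Hardened form: read the two keys explicitly and validate them, so array
 * keys never turn into variable names at all.
 */
function versions_without_extract(array $updates) {
  $versions = array();
  foreach ($updates as $update) {
    if (!isset($update['major'], $update['minor'])
        || !is_numeric($update['major']) || !is_numeric($update['minor'])) {
      continue;                    // malformed entry: skip rather than guess
    }
    $value = (int) $update['major'] . '.' . (int) $update['minor'];
    $versions[$value] = $value;
  }
  return $versions;
}

// Constructed input: well-formed entries, as a module would normally define.
$good = array(
  array('major' => 1, 'minor' => 0),
  array('major' => 1, 'minor' => 1),
);

// Constructed input: the second entry carries extra keys whose names collide
// with the function's accumulator and with a global. This is a hypothetical
// shape for illustration, not data from any real module.
$hostile = array(
  array('major' => 1, 'minor' => 0),
  array('major' => 2, 'minor' => 0,
        'versions'  => array('9.9' => '9.9'),   // same name as the accumulator
        'site_name' => 'overwritten'),          // same name as the global
);

// Both functions agree on clean data.
var_dump(versions_with_extract($good));
var_dump(versions_without_extract($good));

// With the colliding entry, extract() replaces $versions mid-loop, so the
// value stored from the first entry is lost and the injected '9.9' appears.
var_dump(versions_with_extract($hostile));

// Explicit key access ignores the extra keys entirely.
var_dump(versions_without_extract($hostile));

// Unchanged: extract() inside a function writes to that function's symbol
// table, not the global one.
var_dump($site_name);
```

Run it with `php example.php`. The first two dumps match; the third shows the accumulator replaced by the injected array (so '1.0' is missing) while the fourth still lists 1.0 and 2.0; the last dump is still 'original', confirming that the function boundary stops extract() from acting like register_globals. Whether the extract() call in the module is a real problem therefore depends entirely on who can control the contents of the update definitions, which in the Services module come from module code rather than from requests. If extract() must stay, extract($update, EXTR_SKIP) refuses to overwrite variables that already exist in the scope, which would protect $versions but not shadow-free names, so explicit key access remains the cleaner fix.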