Solved

Services module invokes function that can overwrite global variables?

Posted on 2014-10-30
2
129 Views
Last Modified: 2014-11-17
Using Fortify, we scanned our module directory, including the Services module.

The report flagged line 494 in services_ctools_export_ui.class.php where extract() is invoked.

The report suggests that invoking extract() can be prone to allowing an attacker to influence the execution of the code.

I'm wondering if this is a false positive? The code as written seems convention.

I've also attached the report.

/**
 * Returns the updates for a given resource method.
 *
 * @param $resource
 *   A resource name.
 * @param $method
 *   A method name.
 * @return
 *   an array with the major and minor api versions
 */
function services_get_update_versions($resource, $method) {
  $versions = array();
  $updates = services_get_updates();
  if (isset($updates[$resource][$method]) && is_array($updates[$resource][$method])) {
    foreach ($updates[$resource][$method] as $update) {
      extract($update);
      $value = $major . '.' . $minor;
      $versions[$value] = $value;
    }
  }
  return $versions;
}

Open in new window

fortify-services-module.pdf
0
Comment
Question by:sandshakimi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40414255
Please read the warnings on the man page:  http://us2.php.net/manual/en/function.extract.php  It says it is not recommended.
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 40414283
This is a false positive.  While it could have been written more thoughtfully without extract(), it looks benign to me because it's encapsulated in a function and therefore cannot inject variables into the global scope.  In a nutshell, extract() has the potential to be misused in a way that can do the same thing that Register Globals can do.  You don't want unknown variables injected into the scope of your scripts.  Inside a small function like this, it's OK, even if not a very good programming practice.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question