Services module invokes function that can overwrite global variables?

Using Fortify, we scanned our module directory, including the Services module.

The report flagged line 494 in services_ctools_export_ui.class.php where extract() is invoked.

The report suggests that invoking extract() can be prone to allowing an attacker to influence the execution of the code.

I'm wondering if this is a false positive. The code as written seems conventional.

I've also attached the report.

/**
 * Returns the updates for a given resource method.
 *
 * @param $resource
 *   A resource name.
 * @param $method
 *   A method name.
 * @return
 *   an array with the major and minor api versions
 */
function services_get_update_versions($resource, $method) {
  $versions = array();
  $updates = services_get_updates();
  if (isset($updates[$resource][$method]) && is_array($updates[$resource][$method])) {
    foreach ($updates[$resource][$method] as $update) {
      extract($update);
      $value = $major . '.' . $minor;
      $versions[$value] = $value;
    }
  }
  return $versions;
}


fortify-services-module.pdf
sandshakimi Asked:
Ray Paseur Commented:
This is a false positive.  While it could have been written more thoughtfully without extract(), it looks benign to me because it's encapsulated in a function and therefore cannot inject variables into the global scope.  In a nutshell, extract() has the potential to be misused in a way that can do the same thing that Register Globals can do.  You don't want unknown variables injected into the scope of your scripts.  Inside a small function like this, it's OK, even if not a very good programming practice.
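To illustrate the scoping point in the answer above, here is an added example (not code from the question or from the Services module). It mirrors the posted loop, feeds it a constructed update record that carries an unexpected "versions" key, and places it beside a version that reads only the two expected keys; the record contents and function names are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the original question or the Services module.
// Shows that extract() inside a function can only clobber that function's own
// locals (globals stay untouched), but an unexpected key can still corrupt
// the result. The update records below are constructed for the demo.

$updates = array(
  array('major' => 3, 'minor' => 1),
  // Unexpected key that collides with a local variable of the function below.
  array('major' => 3, 'minor' => 2, 'versions' => array('9.9' => '9.9')),
);

// Mirrors services_get_update_versions(): every key in $update becomes a local.
function versions_with_extract(array $updates) {
  $versions = array();
  foreach ($updates as $update) {
    extract($update);            // defines $major, $minor and, for record 2, $versions
    $value = $major . '.' . $minor;
    $versions[$value] = $value;  // record 2 replaced $versions, so '3.1' is gone
  }
  return $versions;
}

// Same logic without extract(): only the expected keys are read, after a check.
function versions_explicit(array $updates) {
  $versions = array();
  foreach ($updates as $update) {
    if (!isset($update['major'], $update['minor'])) {
      continue;                  // ignore malformed records instead of trusting them
    }
    $value = $update['major'] . '.' . $update['minor'];
    $versions[$value] = $value;
  }
  return $versions;
}

$versions = 'global, untouched';
var_export(versions_with_extract($updates));
echo "\n";
var_export(versions_explicit($updates));
echo "\n";
// The global $versions is unchanged: the extract() call was scoped to the function.
echo $versions, "\n";
```

Passing EXTR_SKIP as the second argument to extract() would leave an already-defined $versions alone, but it still creates every other unexpected name in the record, so reading the expected keys explicitly is the simpler fix.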
Dave Baldwin (Fixer of Problems) Commented:
Please read the warnings on the man page:  http://us2.php.net/manual/en/function.extract.php  It says it is not recommended.