Skip to content
Permalink
Browse files Browse the repository at this point in the history
Clarified change log on php-gettext 1.0.12 update
  • Loading branch information
LarsMichelsen committed Jun 25, 2016
1 parent b7250c7 commit 4fe8672
Show file tree
Hide file tree
Showing 2 changed files with 116 additions and 128 deletions.
19 changes: 3 additions & 16 deletions ChangeLog
Expand Up @@ -3,22 +3,9 @@ Core:
* MK BI backend: Now prints an error message when trying to use it with
objects that are not aggregations.
* NDO MySQL backend: Filtering out legacy objects from DB (setting is_active filter)
* FIX: A local exploitable security issue has been discovered in the php-gettext
library which is used to make NagVis localizable on platforms which has no gettext
support built into PHP.

A local user with privileges to create/modify the .mo files used by NagVis
could modify a file in a way that it executes custom code with the privileges of
the web server which is executing the NagVis code.

To more than 99% of NagVis installations (installed with the install.sh
installer or OMD) this is no special threat because a user which is able to .mo
files is able to modify the .php program files of NagVis. An attacker
would rather modify the .php files directly instead of injecting it's code through
the .mo files.

However, to fix this for most installations minor issue, we included php-gettext
in version 1.0.12 with this release which fixes the issue.
* FIX: Updated php-gettext to 1.0.12 and commented out unused code because it contains
some exploitable PHP code which could be used to inject code using modified .mo files.
However, NagVis has never used these functions, so was never affected by this issue.

Frontend:
* FIX: Fixed error in ad-hoc automaps (Network Topology in Check_MK) during state updates
Expand Down
225 changes: 113 additions & 112 deletions share/server/core/ext/php-gettext-1.0.12/gettext.php
Expand Up @@ -275,72 +275,73 @@ function translate($string) {
* @access private
* @return string sanitized plural form expression
*/
function sanitize_plural_expression($expr) {
// Get rid of disallowed characters.
$expr = preg_replace('@[^a-zA-Z0-9_:;\(\)\?\|\&=!<>+*/\%-]@', '', $expr);

// Add parenthesis for tertiary '?' operator.
$expr .= ';';
$res = '';
$p = 0;
for ($i = 0; $i < strlen($expr); $i++) {
$ch = $expr[$i];
switch ($ch) {
case '?':
$res .= ' ? (';
$p++;
break;
case ':':
$res .= ') : (';
break;
case ';':
$res .= str_repeat( ')', $p) . ';';
$p = 0;
break;
default:
$res .= $ch;
}
}
return $res;
}
//function sanitize_plural_expression($expr) {
// // Get rid of disallowed characters.
// $expr = preg_replace('@[^a-zA-Z0-9_:;\(\)\?\|\&=!<>+*/\%-]@', '', $expr);

// // Add parenthesis for tertiary '?' operator.
// $expr .= ';';
// $res = '';
// $p = 0;
// for ($i = 0; $i < strlen($expr); $i++) {
// $ch = $expr[$i];
// switch ($ch) {
// case '?':
// $res .= ' ? (';
// $p++;
// break;
// case ':':
// $res .= ') : (';
// break;
// case ';':
// $res .= str_repeat( ')', $p) . ';';
// $p = 0;
// break;
// default:
// $res .= $ch;
// }
// }
// return $res;
//}

/**
* Parse full PO header and extract only plural forms line.
*
* @access private
* @return string verbatim plural form header field
*/
function extract_plural_forms_header_from_po_header($header) {
if (preg_match("/(^|\n)plural-forms: ([^\n]*)\n/i", $header, $regs))
$expr = $regs[2];
else
$expr = "nplurals=2; plural=n == 1 ? 0 : 1;";
return $expr;
}
//function extract_plural_forms_header_from_po_header($header) {
// if (preg_match("/(^|\n)plural-forms: ([^\n]*)\n/i", $header, $regs))
// $expr = $regs[2];
// else
// $expr = "nplurals=2; plural=n == 1 ? 0 : 1;";
// return $expr;
//}

/**
* Get possible plural forms from MO header
*
* @access private
* @return string plural form header
*/
function get_plural_forms() {
// lets assume message number 0 is header
// this is true, right?
$this->load_tables();

// cache header field for plural forms
if (! is_string($this->pluralheader)) {
if ($this->enable_cache) {
$header = $this->cache_translations[""];
} else {
$header = $this->get_translation_string(0);
}
$expr = $this->extract_plural_forms_header_from_po_header($header);
$this->pluralheader = $this->sanitize_plural_expression($expr);
}
return $this->pluralheader;
}
//function get_plural_forms() {
// // lets assume message number 0 is header
// // this is true, right?
// $this->load_tables();

// // cache header field for plural forms
// if (! is_string($this->pluralheader)) {
// if ($this->enable_cache) {
// $header = $this->cache_translations[""];
// } else {
// $header = $this->get_translation_string(0);
// }
// print($header);
// $expr = $this->extract_plural_forms_header_from_po_header($header);
// $this->pluralheader = $this->sanitize_plural_expression($expr);
// }
// return $this->pluralheader;
//}

/**
* Detects which plural form to take
Expand All @@ -349,23 +350,23 @@ function get_plural_forms() {
* @param n count
* @return int array index of the right plural form
*/
function select_string($n) {
if (!is_int($n)) {
throw new InvalidArgumentException(
"Select_string only accepts integers: " . $n);
}
$string = $this->get_plural_forms();
$string = str_replace('nplurals',"\$total",$string);
$string = str_replace("n",$n,$string);
$string = str_replace('plural',"\$plural",$string);

$total = 0;
$plural = 0;

eval("$string");
if ($plural >= $total) $plural = $total - 1;
return $plural;
}
//function select_string($n) {
// if (!is_int($n)) {
// throw new InvalidArgumentException(
// "Select_string only accepts integers: " . $n);
// }
// $string = $this->get_plural_forms();
// $string = str_replace('nplurals',"\$total",$string);
// $string = str_replace("n",$n,$string);
// $string = str_replace('plural',"\$plural",$string);

// $total = 0;
// $plural = 0;

// eval("$string");
// if ($plural >= $total) $plural = $total - 1;
// return $plural;
//}

/**
* Plural version of gettext
Expand All @@ -376,40 +377,40 @@ function select_string($n) {
* @param string number
* @return translated plural form
*/
function ngettext($single, $plural, $number) {
if ($this->short_circuit) {
if ($number != 1)
return $plural;
else
return $single;
}

// find out the appropriate form
$select = $this->select_string($number);

// this should contains all strings separated by NULLs
$key = $single . chr(0) . $plural;


if ($this->enable_cache) {
if (! array_key_exists($key, $this->cache_translations)) {
return ($number != 1) ? $plural : $single;
} else {
$result = $this->cache_translations[$key];
$list = explode(chr(0), $result);
return $list[$select];
}
} else {
$num = $this->find_string($key);
if ($num == -1) {
return ($number != 1) ? $plural : $single;
} else {
$result = $this->get_translation_string($num);
$list = explode(chr(0), $result);
return $list[$select];
}
}
}
//function ngettext($single, $plural, $number) {
// if ($this->short_circuit) {
// if ($number != 1)
// return $plural;
// else
// return $single;
// }

// // find out the appropriate form
// $select = $this->select_string($number);

// // this should contains all strings separated by NULLs
// $key = $single . chr(0) . $plural;


// if ($this->enable_cache) {
// if (! array_key_exists($key, $this->cache_translations)) {
// return ($number != 1) ? $plural : $single;
// } else {
// $result = $this->cache_translations[$key];
// $list = explode(chr(0), $result);
// return $list[$select];
// }
// } else {
// $num = $this->find_string($key);
// if ($num == -1) {
// return ($number != 1) ? $plural : $single;
// } else {
// $result = $this->get_translation_string($num);
// $list = explode(chr(0), $result);
// return $list[$select];
// }
// }
//}

function pgettext($context, $msgid) {
$key = $context . chr(4) . $msgid;
Expand All @@ -421,16 +422,16 @@ function pgettext($context, $msgid) {
}
}

function npgettext($context, $singular, $plural, $number) {
$key = $context . chr(4) . $singular;
$ret = $this->ngettext($key, $plural, $number);
if (strpos($ret, "\004") !== FALSE) {
return $singular;
} else {
return $ret;
}
//function npgettext($context, $singular, $plural, $number) {
// $key = $context . chr(4) . $singular;
// $ret = $this->ngettext($key, $plural, $number);
// if (strpos($ret, "\004") !== FALSE) {
// return $singular;
// } else {
// return $ret;
// }

}
//}
}

?>

0 comments on commit 4fe8672

Please sign in to comment.