don't allow callable strings for $func (MongoLite)
aheinze committed Sep 14, 2020
1 parent 79fc963 commit 33e7199
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/MongoLite/Database.php
Expand Up @@ -429,7 +429,7 @@ private static function evaluate($func, $a, $b) {
case '$func' :
case '$fn' :
case '$f' :
if (! \is_callable($b))
if (\is_string($b) || !\is_callable($b))
throw new \InvalidArgumentException('Function should be callable');
$r = $b($a);
break;
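Review bot: the new `\is_string($b)` guard rejects a plain string such as `'system'`, but `\is_callable($b)` still accepts array callables like `['SomeClass', 'staticMethod']` and invokable objects, and a two-element array of strings comes out of a decoded JSON request body just as a string does, so `$b($a)` in this branch can still invoke any existing static method by name. Consider accepting only `$b instanceof \Closure` and rejecting every other shape, and adjust the message in `throw new \InvalidArgumentException('Function should be callable')`, which no longer describes the rule, to something like `'Function must be a Closure'`.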

5 comments on commit 33e7199

@raffaelj
Contributor

@aheinze Why did you disable callable strings? Now filtering with '$fn' => 'callable' throws an exception and filtering with '$fn' => function($field) {return true;} throws the following error:

Fatal error: Uncaught Error: Call to undefined method Closure::__set_state() in /var/www/html/cockpit/lib/MongoLite/Database.php(116) : eval()'d code:8
Stack trace:
#0 /var/www/html/cockpit/lib/MongoLite/Database.php(135): MongoLite\Database->{closure}(Array)
#1 /var/www/html/cockpit/lib/MongoLite/Database.php(89): MongoLite\Database->callCriteriaFunction('criteria5f6e17d...', Array)
#2 [internal function]: MongoLite\Database->MongoLite\{closure}('criteria5f6e17d...', Array)
#3 /var/www/html/cockpit/lib/MongoLite/Cursor.php(197): PDO->query('SELECT document...')
#4 /var/www/html/cockpit/lib/MongoLite/Cursor.php(159): MongoLite\Cursor->getData()
#5 /var/www/html/cockpit/lib/MongoHybrid/MongoLite.php(100): MongoLite\Cursor->toArray()
#6 [internal function]: MongoHybrid\MongoLite->find('collections/sof...', Array)
#7 /var/www/html/cockpit/lib/MongoHybrid/Client.php(425): call_user_func_array(Array, Array)
#8 /var/www/html/cockpit/modules/Collections/bootstrap.php(248): MongoHybrid\Client->__call('find', Array)
#9 /var/www/ht in /var/www/html/cockpit/lib/MongoLite/Database.php(116) : eval()'d code on line 8

This breaks at least my custom full text search for repeaters in CpMultiplane and it breaks the PublicationPeriod Addon from @pauloamgomes.

@aheinze
Member Author

@raffaelj callable strings enabled a serious security hole. You could call all available PHP functions like system etc. I will look into the closure error!

@aheinze
Member Author
commented on 33e7199 Sep 25, 2020

@raffaelj I removed all $fn, $func etc filters in the latest commit. Please use $where instead. Example:

cockpit('collections')->find('posts', [
    'filter' => [
        '$where' => function($doc) {
            return $doc['published'] && $doc['title'] != 'Lorem Ipsum';
        }
    ]
]);
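To make the two points in this thread concrete (the hole that callable strings opened, and why a real closure such as the `$where` example above is the safe form), here is an added stand-alone PHP model of the `evaluate()` check before and after the commit. It is example code written for this page, not Cockpit or MongoLite code. It assumes PHP 8.0 or later; the functions `evaluateOld`, `evaluateNew` and `evaluateStrict`, the `fake_system` stand-in, the `Demo` and `CommandLog` classes and the JSON filter documents are all constructed for the example. The third variant goes beyond the committed check and accepts only a `Closure`.

```php
<?php
declare(strict_types=1);

// Added example (not Cockpit/MongoLite code): a stand-alone model of the
// '$fn' / '$func' operator check before and after commit 33e7199.
// All names below (evaluateOld, evaluateNew, evaluateStrict, fake_system,
// Demo, CommandLog) and the filter documents are constructed for this demo.

// Before the commit: any value that passes is_callable() is invoked with
// the document field value as its argument.
function evaluateOld(mixed $fn, mixed $fieldValue): mixed
{
    if (!\is_callable($fn)) {
        throw new \InvalidArgumentException('Function should be callable');
    }
    return $fn($fieldValue);
}

// After the commit: strings are rejected, but every other callable form
// (array callables, invokable objects) is still invoked.
function evaluateNew(mixed $fn, mixed $fieldValue): mixed
{
    if (\is_string($fn) || !\is_callable($fn)) {
        throw new \InvalidArgumentException('Function should be callable');
    }
    return $fn($fieldValue);
}

// Stricter variant suggested by this example: only a real Closure is
// accepted. json_decode() only ever produces scalars, arrays and stdClass
// objects, so no filter sent over HTTP can reach the call.
function evaluateStrict(mixed $fn, mixed $fieldValue): mixed
{
    if (!$fn instanceof \Closure) {
        throw new \InvalidArgumentException('Function must be a Closure');
    }
    return $fn($fieldValue);
}

// Harmless stand-in for system(): records the command instead of running it.
final class CommandLog
{
    /** @var string[] */
    public static array $commands = [];
}

function fake_system(string $cmd): string
{
    CommandLog::$commands[] = $cmd;
    return "would run: $cmd";
}

// Stand-in for any loaded class with a public static method; in a real
// application this could be any class the autoloader can reach.
final class Demo
{
    public static function run(string $cmd): string
    {
        return fake_system($cmd);
    }
}

function tryEval(string $label, callable $evaluator, mixed $fn, mixed $value): void
{
    try {
        $r = $evaluator($fn, $value);
        printf("  %-14s ACCEPTED -> %s\n", $label, var_export($r, true));
    } catch (\InvalidArgumentException $e) {
        printf("  %-14s rejected: %s\n", $label, $e->getMessage());
    }
}

// Attacker-controlled input: a filter document as it might arrive in a JSON
// request body (constructed; a real attack would name system, exec, ...).
$fieldValue     = 'id; cat /etc/passwd';
$stringCallable = json_decode('{"title": {"$fn": "fake_system"}}', true)['title']['$fn'];
$arrayCallable  = json_decode('{"title": {"$fn": ["Demo", "run"]}}', true)['title']['$fn'];

echo "1) callable string from JSON\n";
tryEval('old check',      'evaluateOld',    $stringCallable, $fieldValue);
tryEval('commit 33e7199', 'evaluateNew',    $stringCallable, $fieldValue);
tryEval('Closure only',   'evaluateStrict', $stringCallable, $fieldValue);

echo "2) array callable from JSON (still is_callable() after the commit)\n";
tryEval('old check',      'evaluateOld',    $arrayCallable, $fieldValue);
tryEval('commit 33e7199', 'evaluateNew',    $arrayCallable, $fieldValue);
tryEval('Closure only',   'evaluateStrict', $arrayCallable, $fieldValue);

// A real Closure can only come from PHP code inside the application.
echo "3) Closure supplied by application code\n";
tryEval('Closure only', 'evaluateStrict', fn(string $t): bool => $t !== 'Lorem Ipsum', 'Hello');

echo "Times a shell command would have run: " . count(CommandLog::$commands) . "\n";
```

Run it with the `php` CLI. Case 1 shows the committed check doing its job; case 2 shows that an array callable naming an existing class and static method still passes `is_callable()` after the commit, so the string check alone is not a complete fix when filter documents can come from a REST client; case 3 shows that the `instanceof \Closure` test keeps the form application code actually uses, which is also the form of the `$where` replacement above.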

@raffaelj
Contributor

> callable strings enabled a serious security hole.

Oh, I see. That's a problem.

> Use $where instead.

I'll give it a try tomorrow.

@raffaelj
Contributor

So the $where filter works for me. Thanks for the implementation.

@aheinze What do you think about a whitelist for user-registered function names? Then the where filter could also be used with callable strings via the REST API.
