Count modules security patch #1307

Closed
wants to merge 4 commits into from

4 participants

Gary A Mort Rouven Weßling elinw Louis Landry
Gary A Mort

Eliminates unneeded eval call and checks for valid operators

Rouven Weßling
Collaborator

You have a few code style issues but the report isn't up yet. You'll see it on http://developer.joomla.org/pulls/index.html when it has run.

Rouven Weßling realityking commented on the diff June 22, 2012
libraries/joomla/document/html/html.php
@@ -484,6 +484,23 @@ public function countModules($condition)
484 484
 	{
485 485
 		$operators = '(\+|\-|\*|\/|==|\!=|\<\>|\<|\>|\<=|\>=|and|or|xor)';
486 486
 		$words = preg_split('# ' . $operators . ' #', $condition, null, PREG_SPLIT_DELIM_CAPTURE);
  487
+
  488
+		// $words must be odd, an even number of words is a mistake so skip processing
  489
+		if (!(count($words) & 1)) {
  490
+			return false;
Rouven Weßling Collaborator
realityking added a note June 22, 2012

I'd throw an InvalidArgumentException here.

Gary A Mort
garyamort added a note June 22, 2012

From deploying Joomla! CMS, I'd rather not have an exception thrown which breaks the website due to some invalid template... especially if it was in an admin template which then made it impossible to fix without directly updating the database.

Rouven Weßling Collaborator
realityking added a note June 23, 2012

I agree that we can't do it in 2.5. But throwing an exception will make it much easier for devs to even notice their error so I think that is preferable for 3.0.

Rouven Weßling
Collaborator

What do others think about deprecating the use of operators in countModules()? Templates can use them right in their code, it's only a tiny bit more code for them and would save us the headache of the eval().

elinw
elinw commented June 22, 2012

@realityking I'm with you on the operators.

elinw
elinw commented June 23, 2012

I want to mention to possible readers of this issue that despite the title this is not a security issue except in the sense that webmasters can hack their own sites by editing files and entering malicious code. It is absolutely the case that if you give someone privileges to edit any file, including your template files, and they choose to destroy your site, they can. That's why you should not give those privileges to anyone you cannot trust completely.

About the exception, I would only even be considering these changes for CMS 3.0 anyway so that should be documented as a b/c change and we should take advantage of the fact that templates have a lot to deal with in 3.0 anyway.

Gary A Mort

Actually, anything which calls countModules on something will cause an eval on unfiltered, unchecked code. While it's true that the only item IN the CMS which does so is the template, this does not mean there aren't 3rd party extensions which call countModules for some reason [for example, similar functionality to the loadModules] which would allow content editors to insert malicious code that goes through countModules... in short, a hidden eval with no security checks is a security hole... it may be an unexploited hole, but it is a hole nevertheless. I call a spade a spade, and a security hole a security hole.

Gary A Mort

@realityking: I'm not seeing any code style issues... or more accurately I'm not seeing any NEW issues in the pull request. I'm for eliminating the eval call altogether, but figured I'd keep this code pull backwards compatible and only deal with issues of ensuring operators are really operators, checking parameter counts, and getting rid of eval for 90% of the calls by removing the call when there's only 1 word.

Rouven Weßling
Collaborator

@garyamort
The pull tester agrees with me and sees 6 code style issues ;) http://developer.joomla.org/pulls/pulls/1307.html

As for the security or not security debate: If you're passing user input to that function it's your responsibility to filter it. If it was considered a security issue just checking for an uneven number of terms wouldn't be a complete solution either. Anyway, it's not treated as a security issue but we still wanna fix it so I don't think it's a big deal.

Gary A Mort

@Realityking: I agree about just checking for uneven terms... that's why I added a preg_match on the operators to make sure they're in the set of operators. The operands will always be turned into integers, so they're safe, but the operators are passed to eval as is. I'll look at those checkstyle issues later today... slowly learning how to read that report.
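
The thread above (deprecating operators, keeping operators in the allowed set, and dropping eval()) can be resolved without eval() at all. The following is an added example, not code from the Joomla patch or project, and needs PHP 8; `$countFn` is an assumed caller-supplied callback that maps a position name to its module count. Because preg_split() is called with PREG_SPLIT_DELIM_CAPTURE and a single capturing group, the odd-index tokens can only ever be strings that matched the operator alternation, so the evaluator only has to implement that fixed set with PHP's precedence:

```php
<?php
// Added example, not code from the Joomla patch (needs PHP 8): an eval()-free
// evaluator for countModules() conditions. $countFn is an assumed callback
// mapping a position name to its module count.
// PHP precedence of the allowed operators (all left-associative), so results
// match what eval('return ...;') gives for the same string.
const OPERATOR_PRECEDENCE = [
    'or' => 1, 'xor' => 2, 'and' => 3, '==' => 4, '!=' => 4, '<>' => 4,
    '<' => 5, '<=' => 5, '>' => 5, '>=' => 5, '+' => 6, '-' => 6, '*' => 7, '/' => 7,
];

function evaluateModuleCondition(string $condition, callable $countFn)
{
    $operators = '(\+|\-|\*|\/|==|\!=|\<\>|\<|\>|\<=|\>=|and|or|xor)';
    $words = preg_split('# ' . $operators . ' #', $condition, -1, PREG_SPLIT_DELIM_CAPTURE);
    // Even indices are operands: numeric literals stay, anything else is a position name.
    for ($i = 0, $n = count($words); $i < $n; $i += 2) {
        $w = trim($words[$i]);
        $words[$i] = is_numeric($w) ? (int) $w : (int) $countFn($w);
    }
    // Odd indices are operators, already restricted to the set above by the capturing split.
    $pos = 0;
    return parseExpression($words, $pos, 0);
}

// Precedence climbing over the token list: no string is ever executed as code.
function parseExpression(array $words, int &$pos, int $minPrec)
{
    $left = $words[$pos++];
    while ($pos < count($words) && OPERATOR_PRECEDENCE[strtolower($words[$pos])] >= $minPrec) {
        $op = strtolower($words[$pos++]);
        $right = parseExpression($words, $pos, OPERATOR_PRECEDENCE[$op] + 1);
        $left = applyOperator($op, $left, $right);
    }
    return $left;
}

function applyOperator(string $op, $a, $b)
{
    return match ($op) {
        '+' => $a + $b, '-' => $a - $b, '*' => $a * $b,
        '/' => $b == 0 ? 0 : $a / $b, // eval() would throw DivisionByZeroError here
        '==' => $a == $b, '!=', '<>' => $a != $b,
        '<' => $a < $b, '<=' => $a <= $b, '>' => $a > $b, '>=' => $a >= $b,
        'and' => $a && $b, 'or' => $a || $b, 'xor' => (bool) $a !== (bool) $b,
    };
}

$counts = ['left' => 2, 'right' => 0]; // constructed sample: module counts per position
var_dump(evaluateModuleCondition('left + right * 3 > 1 and right == 0', fn ($p) => $counts[$p] ?? 0));
```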

Louis Landry

@garyamort my apologies for us not getting this all sorted out sooner. It'd be fantastic if you could rebase this and add the unit tests from #1303 into this pull request so that we get the tests and changes all in one go. Once you get that done we can give this thing one last check and merge it into the platform. I really appreciate the effort and initiative working this problem. It would also be great if you could provide a little more descriptive title/description on the pull request for our changelog.

I'm marking this for the 12.3 release. Additionally I'm closing it for now, but not because it is rejected. It isn't in a state where it can be reviewed further or merged so I'm closing it so that it doesn't stay in our review queue. Once you get things cleaned up please re-open it and we'll get it sorted out. Thanks!

Louis Landry LouisLandry closed this October 09, 2012

Showing 1 changed file with 23 additions and 0 deletions.

libraries/joomla/document/html/html.php
@@ -484,6 +484,23 @@ public function countModules($condition)
484 484
 	{
485 485
 		$operators = '(\+|\-|\*|\/|==|\!=|\<\>|\<|\>|\<=|\>=|and|or|xor)';
486 486
 		$words = preg_split('# ' . $operators . ' #', $condition, null, PREG_SPLIT_DELIM_CAPTURE);
  487
+
  488
+		// $words must be odd, an even number of words is a mistake so skip processing
  489
+		if (!(count($words) & 1)) {
  490
+			return false;
  491
+		}
  492
+
  493
+		// don't allow undocumented/malicious operators
  494
+		for ($i = 1, $n = count($words); $i < $n; $i += 2)
  495
+		{
  496
+			// even parts (operators)
  497
+			$operator = strtolower($words[$i]);
  498
+			if (!preg_match($operators, $words) )
  499
+			{
  500
+				return false;
  501
+			}
  502
+		}
  503
+
487 504
 		for ($i = 0, $n = count($words); $i < $n; $i += 2)
488 505
 		{
489 506
 			// Odd parts (modules)
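Review bot: the operator check at new lines 494-501 cannot work as written: `preg_match($operators, $words)` passes the whole `$words` array instead of the lowercased `$operator` computed on the line above, and `$operators` is used as a pattern without delimiters (`'(\+|\-|...|xor)'`), so the call fails and `!preg_match(...)` is true for every multi-word condition, making countModules() return false for all of them. Use `preg_match('#^' . $operators . '$#', $operator)`. Also, because preg_split() runs with PREG_SPLIT_DELIM_CAPTURE and a single capturing group, the odd-index entries can only be strings that matched that group and the element count is always odd, so the even-count guard at 488-491 and this loop duplicate what the split already guarantees; if they stay, `if (...) {` on one line should follow the Allman brace style of the surrounding `for` blocks, which is what the pull tester is flagging.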
@@ -493,6 +510,12 @@ public function countModules($condition)
493 510
 				: count(JModuleHelper::getModules($name));
494 511
 		}
495 512
 
  513
+
  514
+		// one word doesn't need an eval call
  515
+		if (count($words) == 1) {
  516
+			return $words[0];
  517
+		}
  518
+
496 519
 		$str = 'return ' . implode(' ', $words) . ';';
497 520
 
498 521
 		return eval($str);
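Review bot: the one-word shortcut at new lines 514-517 returns `$words[0]` after the loop above has already replaced it with an integer module count, so it matches what `eval('return N;')` returned, but the method's docblock should now document the new `false` return for rejected conditions, since callers doing `countModules(...) > 0` will silently treat a malformed condition as zero modules. Note that this shortcut leaves eval() in place for every condition containing an operator; with operands already cast to integers and operators fixed by the split regex, a small evaluator over `$words` would remove the eval() entirely, which is where the discussion on this pull is heading.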