Make sure an invalid ctx parameter (array instead of string) doesn't throw errors #13627
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does it do?
Ensures the
ctx
parameter when sent to the connector is ignored if it isn't a string.Why is it needed?
If a different type, say array, is passed along into
modX->initialize()
, the connector will log and/or show notices and warnings in the response depending on the server configuration. When the server is set to show errors, this may expose core paths to attackers.This came up in Slack (05:45:29) as a result of an ancient attack (fixed in 2.2.13/2.3.0: #11180) where the ctx parameter was vulnerable for sql injection. After investigating it a bit I found that the exploit can no longer be exploited (thanks to both the fix in #11180 and improvements to xPDO's sql injection detection in 2.5.x), but that it could still throw errors.
In my test environment, these errors were shown when providing an array
ctx
like in the exploit:In addition, the following got written to the error log:
With this fix applied, both the output and the error log remain quiet.
As context keys can only be strings, I see no potential harm in ignoring the provided ctx value. Users that have no access to the mgr context will get an unauthorized error like normal.
Related issue(s)/PR(s)
Somewhat related to #11180, but just to clarify, this is not a regression or exploitable vulnerability.