Those extract() calls are not in global scope though.  They are all
function scoped uses. Cake has very few globals, and none are hit with
the existing extract calls.

-Mark

On Oct 18, 12:27 pm, Dee Johnson <devario...@gmail.com> wrote:
> Hi all, I scanned a cake project with a security program called fortify and
> it came back with 181 errors associated with using the "extract" function in
> the core.
>
> *Explanation below:*
> Possible Variable Overwrite: Global Scope (Input Validation and
> Representation, Structural)
>
> The program invokes a function that can overwrite global variables, which
> can open the door for attackers.
>
> example is line 870 of configure.php
>
>     function import($type = null, $name = null, $parent = true, $search = array(), $file = null, $return = false) {
>         $plugin = $directory = null;
>
>         if (is_array($type)) {
>             extract($type, EXTR_OVERWRITE);
>         }
>
>         if (is_array($parent)) {
>             extract($parent, EXTR_OVERWRITE);
>         }
>
> The application suggests that in all instances where "extract" is used, to
> use the argument 'EXTR_SKIP'.  Since this would be in place of
> EXTR_OVERWRITE I was wondering if this would cause any issues considering
> this is the core and all... ???  Thoughts?  Full explanation below
>
> *source - *
>
> *Recommendations:*
> Prevent functions that can overwrite global variables from doing so in the
> following ways:
>
>     - Invoke mb_parse_str(string $encoded_string [, array &$result ]) with the second argument, which captures the result of the operation and prevents the function from overwriting global variables.
>
>     - Invoke extract(array $var_array [, int $extract_type [, string $prefix]]) with the second argument set to EXTR_SKIP, which prevents the function from overwriting global variables that are already defined.
>
> Example 2: The following code uses a second argument to mb_parse_str() to
> mitigate the vulnerability from Example 1.
>
> <?php
>     $first="User";
>     ...
>     $str =  $_SERVER['QUERY_STRING'];
>     mb_parse_str($str, $output);
>     echo $first;
> ?>
>
> References:
>
> [1] CWE ID 473, Standards Mapping - Common Weakness Enumeration - (CWE)
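An added illustration of the scope point made above, written for this thread rather than taken from CakePHP: it mirrors the shape of the quoted import() (locals initialised to null, then extract() over them), compares EXTR_OVERWRITE with the EXTR_SKIP that the scanner recommends, and contrasts both with an extract() at global scope. Function and variable names are made up for the demonstration.

```php
<?php
// Constructed example, not CakePHP code. Names are hypothetical.

$plugin = 'global-plugin';   // a global the scanner is worried about

// Same shape as the quoted Configure::import(): locals are initialised,
// then an array argument is extract()ed over them with EXTR_OVERWRITE.
// extract() only writes into the symbol table of the scope it is called
// from, so the local $plugin is replaced and the global is untouched.
function importOverwrite(array $opts) {
    $plugin = $directory = null;
    extract($opts, EXTR_OVERWRITE);
    return array('plugin' => $plugin, 'directory' => $directory);
}

// Same shape with EXTR_SKIP. Because $plugin and $directory were already
// defined (as null) before the call, EXTR_SKIP leaves them as null and the
// values supplied in $opts are silently discarded. That is the behaviour
// change to expect if the core's EXTR_OVERWRITE calls were switched.
function importSkip(array $opts) {
    $plugin = $directory = null;
    extract($opts, EXTR_SKIP);
    return array('plugin' => $plugin, 'directory' => $directory);
}

$opts = array('plugin' => 'blog', 'directory' => '/app/plugins');

echo "function scope, EXTR_OVERWRITE: ";
print_r(importOverwrite($opts));
echo "function scope, EXTR_SKIP:      ";
print_r(importSkip($opts));
echo "global \$plugin after both calls: $plugin\n";

// The pattern the CWE-473 finding actually describes: extract() at file
// (global) scope over data the caller does not control. A fixed array stands
// in for request input here so nothing untrusted is read.
$input = array('plugin' => 'clobbered');
extract($input, EXTR_OVERWRITE);
echo "global \$plugin after global-scope EXTR_OVERWRITE: $plugin\n";

// With EXTR_SKIP at global scope, names that already exist are left alone,
// which is the protection the scanner's recommendation is aimed at.
extract(array('plugin' => 'ignored'), EXTR_SKIP);
echo "global \$plugin after global-scope EXTR_SKIP:      $plugin\n";
```

Run with `php example.php` to see that only the global-scope EXTR_OVERWRITE call changes the global, while EXTR_SKIP inside the import-style function drops the caller's options instead of protecting anything.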
