Those extract() calls are not in global scope though. They are all function scoped uses. Cake has very few globals, and none are hit with the existing extract calls.
-Mark

On Oct 18, 12:27 pm, Dee Johnson <devario...@gmail.com> wrote:
> Hi all, I scanned a cake project with a security program called Fortify and
> it came back with 181 errors associated with using the "extract" function in
> the core.
>
> *Explanation below:*
> Possible Variable Overwrite: Global Scope (Input Validation and
> Representation, Structural)
>
> The program invokes a function that can overwrite global variables, which
> can open the door for attackers.
>
> Example is line 870 of configure.php
>
> function import($type = null, $name = null, $parent = true, $search = array(), $file = null, $return = false) {
>     $plugin = $directory = null;
>
>     if (is_array($type)) {
>         extract($type, EXTR_OVERWRITE);
>     }
>
>     if (is_array($parent)) {
>         extract($parent, EXTR_OVERWRITE);
>     }
>
> The application suggests that in all instances where "extract" is used, to
> use the argument 'EXTR_SKIP'. Since this would be in place of
> EXTR_OVERWRITE I was wondering if this would cause any issues considering
> this is the core and all... ??? Thoughts? Full explanation below
>
> *source - *
>
> *Recommendations:*
> Prevent functions that can overwrite global variables from doing so in the
> following ways:
>
> - Invoke mb_parse_str(string $encoded_string [, array &$result ]) with
>   the second argument, which captures the result of the operation and prevents
>   the function from overwriting global variables.
>
> - Invoke extract(array $var_array [, int $extract_type [, string
>   $prefix]]) with the second argument set to EXTR_SKIP, which prevents the
>   function from overwriting global variables that are already defined.
>
> Example 2: The following code uses a second argument to mb_parse_str() to
> mitigate the vulnerability from Example 1.
>
> <?php
> $first="User";
> ...
> $str = $_SERVER['QUERY_STRING'];
> mb_parse_str($str, $output);
> echo $first;
> ?>
>
> References:
>
> [1] CWE ID 473, Standards Mapping - Common Weakness Enumeration - (CWE)
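As an added illustration of the trade-off discussed above (this is not code from the thread or from CakePHP; `importWith` and `safeImport` are hypothetical names, and it assumes PHP 7 or later), the script below runs the same caller-supplied array through a function shaped like the quoted `import()` with each flag, and then through an explicit key whitelist:

```php
<?php
// Added example, not CakePHP code: how the extract() flag decides which
// function-local variables a caller-supplied array may replace.

// Hypothetical helper shaped like the quoted import(): locals are set
// first, then the array is unpacked into the same scope.
function importWith(int $flags, array $type): array
{
    $plugin = $directory = null;   // pre-initialised, like the core code
    $return = false;               // a control flag we expect to stay false

    extract($type, $flags);

    return [
        'plugin'    => $plugin,
        'directory' => $directory,
        'return'    => $return,
        'evil'      => isset($evil),  // was an unexpected variable created?
    ];
}

// Whitelist alternative: copy only the keys the function actually accepts,
// so unexpected keys can neither clobber locals nor create new variables.
function safeImport(array $type): array
{
    $plugin = $directory = null;
    $return = false;

    if (array_key_exists('plugin', $type))    { $plugin = $type['plugin']; }
    if (array_key_exists('directory', $type)) { $directory = $type['directory']; }

    return ['plugin' => $plugin, 'directory' => $directory,
            'return' => $return, 'evil' => false];
}

// Constructed input: one expected key plus two the caller should not control.
$input = ['plugin' => 'Blog', 'return' => true, 'evil' => 1];

$overwrite = importWith(EXTR_OVERWRITE, $input);
// plugin=Blog, return=true (clobbered), evil=true (new variable injected)

$skip = importWith(EXTR_SKIP, $input);
// plugin=null, return=false, evil=true: EXTR_SKIP protects every variable
// that already exists, including the pre-initialised $plugin, so the
// intended 'plugin' value is dropped as well. A blanket switch to EXTR_SKIP
// therefore changes behaviour for callers that rely on the overwrite.

$safe = safeImport($input);
// plugin=Blog, return=false, evil=false

var_dump($overwrite, $skip, $safe);
```

Note that EXTR_SKIP does nothing about keys that do not collide with an existing variable, so the unexpected `$evil` is still created under both flags; only the whitelist version keeps the local scope fully under the function's control.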