From:             dewi at morganalley dot com
Operating system: all
PHP version:      5.0.5
PHP Bug Type:     Feature/Change Request
Bug description:  security flaw in parse_ini_file

Description:
------------
A PHP parse_ini_file() security gotcha.

The auto-expansion of unquoted string values to constants is a problem,
both for strings like 'none', 'true', 'false', 'yes', 'no', 'on', 'off'
(where it can cause unexpected behaviour), and most importantly, for named
constants.

This can cause security issues, in situations where untrusted users are
allowed to create ini files.

E.g.: you allow untrusted users to create ini files, with values for name,
password, and description. Your script holds its own database password in
a constant "DB_PASS". If the user sets their description to the unquoted
value DB_PASS, your application will display its password where normally
it would display their description.

You can avoid this when creating ini files automatically, if you ALWAYS
quote your string values, and ALWAYS check that numerics are truly
numeric.

But you can't avoid it with user-provided ini files without pre-parsing
them beforehand looking for unquoted string values, or rolling your own
version of this function.

For this function to remain secure with user-provided ini files, I request
an extra, optional boolean parameter, to disable expansion of constants.


Reproduce code:
---------------
Ini file, "user_provided.ini":
desc = DB_PASS

PHP file:
<?php
define('DB_PASS', 'ungue55able_pa55word');
$user = parse_ini_file("user_provided.ini");

# Reasonable steps to ensure user-provided data is "safe" to display.
if (empty($user['desc'])) { die("Bad ini file."); }
$safe_desc = htmlspecialchars($user['desc']);

# Despite that, we print out insecure info if we use the ini file above.
echo "<p>Your description is: $safe_desc</p>\n";
?>


Expected result:
----------------
Despite reasonable checking to ensure that there is nothing "naughty" in
the provided ini file, the user's description will still contain
supposedly secure data: the script's database password.

Actual result:
--------------
<p>Your description is: ungue55able_pa55word</p>

-- 
Edit bug report at http://bugs.php.net/?id=34949&edit=1
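
The two mitigations the report discusses, as an added example that is not part of the original report or of PHP's own code. It assumes PHP 5.3 or later, where parse_ini_file() accepts a scanner-mode argument and INI_SCANNER_RAW leaves values unexpanded; find_unquoted_values() is a hypothetical helper for the pre-parse check, and the ini content is constructed sample input.

```php
<?php
// Secret constant taken from the report's reproduce code.
define('DB_PASS', 'ungue55able_pa55word');

// Constructed sample of a user-provided ini file, written to a temp file.
$ini  = "name = \"alice\"\ndesc = DB_PASS\nage = 42\nnews = on\n";
$path = tempnam(sys_get_temp_dir(), 'ini');
file_put_contents($path, $ini);

// Hypothetical helper: the pre-parse check described in the report.
// Returns the keys whose values are neither double-quoted nor purely
// numeric, i.e. values the default scanner may expand or convert.
// It fails closed: anything it does not recognise is reported.
function find_unquoted_values($text)
{
    $suspect = array();
    foreach (preg_split('/\r\n|\r|\n/', $text) as $line) {
        $line = trim($line);
        // Skip blank lines, comments and [section] headers.
        if ($line === '' || $line[0] === ';' || $line[0] === '#' || $line[0] === '[') {
            continue;
        }
        $parts = explode('=', $line, 2);
        if (count($parts) !== 2) {
            continue; // no value on this line, nothing to expand
        }
        $value   = trim($parts[1]);
        $quoted  = preg_match('/^"[^"]*"$/', $value) === 1;
        $numeric = preg_match('/^-?\d+(\.\d+)?$/', $value) === 1;
        if ($value !== '' && !$quoted && !$numeric) {
            $suspect[] = trim($parts[0]);
        }
    }
    return $suspect;
}

// Default scanner: the unquoted DB_PASS is replaced by the constant's value.
$expanded = parse_ini_file($path);
// Raw scanner: no constant expansion and no on/off/yes/no conversion.
$raw = parse_ini_file($path, false, INI_SCANNER_RAW);

var_dump($expanded['desc'] === DB_PASS);   // did the default mode leak the secret?
var_dump($raw['desc'] === 'DB_PASS');      // did raw mode keep the literal text?
print_r(find_unquoted_values($ini));       // keys a pre-parse check would reject
unlink($path);
```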