ID:               34949
Updated by:       [EMAIL PROTECTED]
Reported By:      dewi at morganalley dot com
-Status:          Open
+Status:          Feedback
Bug Type:         Feature/Change Request
Operating System: all
PHP Version:      5.0.5
New Comment:

So you consider get_defined_constants() and just "echo DB_PASS;" as dangerous too, right?
Don't you think that allowing to execute any code to users is the source of the problem?


Previous Comments:
------------------------------------------------------------------------

[2005-10-21 19:40:52] dewi at morganalley dot com

Description:
------------
A PHP parse_ini_file() security gotcha.

The auto-expansion of unquoted string values to constants is a problem, both for strings like 'none', 'true', 'false', 'yes', 'no', 'on', 'off' (where it can cause unexpected behaviour), and most importantly, for named constants.

This can cause security issues, in situations where untrusted users are allowed to create ini files.

eg: you allow untrusted users to create ini files, with values for name, password, and description. Your script holds its own database password in a constant "DB_PASS". If the user sets their description to the unquoted value DB_PASS, your application will display its password where normally it would display their description.

You can avoid this when creating ini files automatically, if you ALWAYS quote your string values, and ALWAYS check that numerics are truly numeric. But you can't avoid it with user-provided ini files without pre-parsing them beforehand looking for unquoted string values, or rolling your own version of this function.

For this function to remain secure with user-provided ini files, I request an extra, optional boolean parameter, to disable expansion of constants.

Reproduce code:
---------------
Ini file, "user_provided.ini":

desc = DB_PASS

PHP file:

<?php
define('DB_PASS', 'ungue55able_pa55word');
$user = parse_ini_file("user_provided.ini");

# Reasonable steps to ensure user-provided data is "safe" to display.
if (empty($user['desc'])) {
    die("Bad ini file.");
}
$safe_desc = htmlspecialchars($user['desc']);

# Despite that, we print out insecure info if we use the ini file above.
echo "<p>Your description is: $safe_desc</p>\n";
?>

Expected result:
----------------
Despite reasonable checking to ensure that there is nothing "naughty" in the provided ini file, the user's description will still contain supposedly secure data: the script's database password.

Actual result:
--------------
<p>Your description is: ungue55able_pa55word</p>

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=34949&edit=1
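
Added example, not part of the bug report or of PHP's own code: later PHP releases (5.3 and up) accept a scanner-mode argument, and INI_SCANNER_RAW returns values as written, with no constant or keyword conversion. The helper name parse_untrusted_ini(), the key allowlist and the sample ini text are assumptions constructed for illustration; the type declarations assume PHP 7 or later.

```php
<?php
// Constructed stand-ins for the report's secret and the user-supplied ini text.
define('DB_PASS', 'ungue55able_pa55word');
$untrusted = "name = alice\ndesc = DB_PASS\nactive = yes\n";

/**
 * Hypothetical helper: parse untrusted ini text without constant expansion
 * and keep only the expected keys, dropping array-valued entries.
 */
function parse_untrusted_ini(string $text, array $allowed_keys): array
{
    // INI_SCANNER_RAW: values come back exactly as written in the file.
    $parsed = parse_ini_string($text, false, INI_SCANNER_RAW);
    if ($parsed === false) {
        throw new InvalidArgumentException('Bad ini file.');
    }

    $clean = [];
    foreach ($allowed_keys as $key) {
        // "key[] = x" syntax yields arrays; accept plain strings only.
        if (isset($parsed[$key]) && is_string($parsed[$key])) {
            $clean[$key] = $parsed[$key];
        }
    }
    return $clean;
}

// Default scanner: desc is replaced by the value of the DB_PASS constant,
// and keywords such as "yes" are converted.
$normal = parse_ini_string($untrusted);

// Raw scanner: desc stays the literal text "DB_PASS".
$raw = parse_untrusted_ini($untrusted, ['name', 'desc', 'active']);

// Print both results side by side, escaped for HTML as in the report.
foreach (['normal' => $normal, 'raw' => $raw] as $mode => $values) {
    foreach ($values as $key => $value) {
        printf("%-6s %-6s = %s\n", $mode, $key, htmlspecialchars((string) $value));
    }
}
```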