From: Marjolein K. <jav...@wi...> - 2007-02-19 18:49:54
Hi all,

First time on this list, invited by BenBE. I'm on the development team for Wikka Wiki (http://wikkawiki.org), which uses GeSHi as a 3rd-party plugin for syntax highlighting in code blocks.

A few days ago, I was alerted to a vulnerability in PHP which was reported at the start of November 2006, which Secunia classified as "highly critical". The vulnerability (potential buffer overflow) was found in htmlentities() and htmlspecialchars(). PHP released a patch for version 5.x (5.2.0) the next day but never released a patch for version 4.x - 4.4.5 was released since, but its release notes do not make any mention of a fix for this problem. See my more extensive write-up at http://wush.net/trac/wikka/ticket/427, which includes references to the reports.

On analyzing our code, I found no use of htmlentities() (in fact we should not use it, since we generate XHTML-compliant code), but we do use htmlspecialchars(), and I also found that geshi.php makes extensive use of it.

I intend to make a small function that can replace PHP's htmlspecialchars() - today or tomorrow. (I'm not looking at htmlentities since we don't use that anyway and GeSHi 1.0.7.17 doesn't either.) I understand Ben was planning a fix for GeSHi; in order to avoid duplicate effort you'll of course be welcome to use our replacement function (once I've written it :)) - after all, that's what open source is for!

I'll let you know when I have a replacement in place.

Cheers,

--
JavaWoman
Web Standards Compliance Officer, Wikka Development Crew
http://wikkawiki.org/JavaWoman
Skype: callto://goneagain
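The kind of pure-PHP stand-in for htmlspecialchars() the message talks about, as an added example that is not the Wikka or GeSHi code and not the function the author wrote; the function name is an assumption, and the signature mirrors PHP's own quote_style argument so it can be dropped in where the built-in is called today.

```php
<?php
// Added example, not Wikka or GeSHi code: escape the same characters as
// htmlspecialchars() using only PHP string functions, so the escaping no
// longer runs through the C implementation flagged in the advisory.
// The function name is assumed; the $quote_style values are PHP's own
// constants (ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES).
function wikka_htmlspecialchars($string, $quote_style = ENT_COMPAT)
{
    // strtr() with an array scans the input once and never re-examines
    // text it has already replaced, so '&' inserted by the other
    // replacements is not escaped a second time. Like the built-in with
    // its default settings, an '&amp;' already present in the input is
    // encoded again, which keeps the output unambiguous.
    $map = array('&' => '&amp;', '<' => '&lt;', '>' => '&gt;');
    if (($quote_style & ENT_COMPAT) === ENT_COMPAT) {
        // ENT_COMPAT and ENT_QUOTES both escape the double quote.
        $map['"'] = '&quot;';
    }
    if (($quote_style & ENT_QUOTES) === ENT_QUOTES) {
        // '&#39;' rather than '&apos;' is valid in both HTML and XHTML.
        $map["'"] = '&#39;';
    }
    return strtr((string) $string, $map);
}

// Constructed inputs for a quick check from the command line.
$samples = array(
    '<a href="x" title=\'y\'>Tom & Jerry</a>',
    '&amp; already escaped once',
);
foreach ($samples as $s) {
    echo wikka_htmlspecialchars($s), "\n";               // double quotes only
    echo wikka_htmlspecialchars($s, ENT_QUOTES), "\n";   // both quote kinds
    echo wikka_htmlspecialchars($s, ENT_NOQUOTES), "\n"; // no quotes
}
```

Because the input is never passed to the built-in, the function's behaviour does not change with the PHP version installed, which is the property the message is after for 4.x hosts.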