From: Marjolein K. <jav...@wi...> - 2007-02-20 09:39:42
As promised, here's an update: I committed our main class with the new function added after exercising it a bit (but not much can go wrong, it's quite straightforward). Function is not implemented yet here, just added. More here:
- http://wush.net/trac/wikka/ticket/427#comment:8 (latest comment on the issue)
- http://wush.net/trac/wikka/changeset/317 (changeset, ignore the few typographical tweaks before line 457) - click through on the source link 'trunk/libs/Wakka.class.php' and you get the full source; function starts at line 457

Cheers,

At 19:49 2007-02-19, Marjolein Katsma wrote:
>Hi all,
>
>First time on this list, invited by BenBE.
>I'm on the development team for Wikka Wiki (http://wikkawiki.org), which
>uses GeSHi as a 3rd-party plugin for syntax highlighting in code blocks.
>
>A few days ago, I was alerted to a vulnerability in PHP which was reported
>at the start of November 2006, which Secunia classified as "highly
>critical". The vulnerability (potential buffer overflow) was found in
>htmlentities() and htmlspecialchars(). PHP released a patch for version 5.x
>(5.2.0) the next day but never released a patch for version 4.x - 4.4.5 has been
>released since but its release notes do not make any mention of a fix for
>this problem.
>
>See my more extensive write-up at
>http://wush.net/trac/wikka/ticket/427 which includes references to the
>reports.
>
>On analyzing our code, I found no use of htmlentities() (in fact we should
>not use it since we generate XHTML-compliant code), but we do use
>htmlspecialchars() and I also found that geshi.php makes extensive use of it.
>
>I intend to make a small function that can replace PHP's htmlspecialchars()
>- today or tomorrow. (I'm not looking at htmlentities since we don't use
>that anyway and GeSHi 1.0.7.17 doesn't either.) I understand Ben was
>planning a fix for GeSHi; in order to avoid duplicate effort you'll of
>course be welcome to use our replacement function (once I've written it :))
>- after all, that's what open source is for!
>
>I'll let you know when I have a replacement in place.
>
>Cheers,
>
>--
>JavaWoman
>Web Standards Compliance Officer, Wikka Development Crew
>http://wikkawiki.org/JavaWoman
>Skype: callto://goneagain
>
>
>-------------------------------------------------------------------------
>Take Surveys. Earn Cash. Influence the Future of IT
>Join SourceForge.net's Techsay panel and you'll get the chance to share your
>opinions on IT & business topics through brief surveys-and earn cash
>http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>_______________________________________________
>geshi-devel mailing list
>ges...@li...
>https://lists.sourceforge.net/lists/listinfo/geshi-devel

--
JavaWoman
Web Standards Compliance Officer, Wikka Development Crew
http://wikkawiki.org/JavaWoman
Skype: callto://goneagain
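The message above describes a replacement for PHP's htmlspecialchars() without showing it. As an added example, not code from Wikka, GeSHi or the changeset linked above, the following pure-PHP stand-in does the same escaping with str_replace() only, so the native C implementation that the advisory concerns is never invoked. The function name wikka_htmlspecialchars and the sample strings are my own; the quote-style constants and the expected output are PHP's own.

```php
<?php
// Added example, not Wikka's or GeSHi's code. A pure-PHP stand-in for
// htmlspecialchars() built only on str_replace(); the native routine is
// never called. Function name is hypothetical. Mirrors the PHP 4/5.x
// signature: $quote_style is ENT_COMPAT (escape " only, the default),
// ENT_QUOTES (escape " and ') or ENT_NOQUOTES (escape neither).
function wikka_htmlspecialchars($string, $quote_style = ENT_COMPAT)
{
    // '&' must be replaced first; otherwise the '&' inside the entities
    // emitted for the other characters would itself be escaped again.
    $string = str_replace('&', '&amp;', $string);
    $string = str_replace('<', '&lt;', $string);
    $string = str_replace('>', '&gt;', $string);
    if ($quote_style !== ENT_NOQUOTES) {
        $string = str_replace('"', '&quot;', $string);
    }
    if ($quote_style === ENT_QUOTES) {
        // Numeric reference, as PHP emits it: &apos; is not in HTML 4.
        $string = str_replace("'", '&#039;', $string);
    }
    return $string;
}

// Constructed inputs: the five special characters, a string that is
// already escaped (double-encoded, like the native function did before
// the double_encode parameter appeared in 5.2.3), and a multi-byte UTF-8
// sequence, which is passed through byte-for-byte because this function
// does no charset handling at all.
$samples = array(
    '<a href="?x=1&y=2">O\'Reilly</a>',
    '&amp; already escaped',
    "caf\xC3\xA9 <b>",
);

foreach ($samples as $s) {
    foreach (array(ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES) as $q) {
        $ours = wikka_htmlspecialchars($s, $q);
        // On a patched PHP the native function is available for comparison;
        // the two must agree, otherwise the replacement is not drop-in.
        $native = htmlspecialchars($s, $q);
        echo ($ours === $native ? 'ok   ' : 'DIFF ') . $ours . "\n";
    }
}
```

The byte-level replacement is what makes the function immune to the problem in the native implementation, but it is also why it performs no charset validation: anything that relied on htmlspecialchars() to reject or clean up invalid multi-byte input needs that check done separately before calling this stand-in.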