[CK-Ledger-users] Re: [Phpgroupware-developers] Testing CK-Ledger v.0.7.1 against phpgroupware-0.9.
From: Dave H. <dav...@mb...> - 2003-09-19 19:57:12
C K Wu <chiukay2000@yahoo.com.hk> wrote:
> Hi, Dave,
>
> Thank you for spotting the security flaw. I'll
> certainly tighten up security further.

No problem. Good to hear :)

> At the same
> time, '=' within the GET value string is a general
> problem. Any unstructured GET value string has the
> potential of including a '=' char, thus causing
> problem to the callee script. Actually, this '='
> problem could easily be rectified. Instead of a
> general 'split', class.sessions.inc.php could simply
> pick on the 1st '=' char and assign the pre-'=' string
> to GET arg and the post-'=' string to GET value.
>
> However, the '&' char could be much more difficult. A
> double urlencode/decode seems to be the easiest
> solution.
>
> Any thoughts ?

Pass the $extravars arg of the link() method an array, not a string.
That is how it is designed to be used. So then = and & are properly
encoded, along with all other values. I this is a little bit of work,
but it will make it run faster, as no explode()ing is done on the
$extravars variable within the link() method, it just url_encode()s it.

Hope this helps

Cheers

Dave

>
> Cheers,
> CK
>
>
> Dave Hall :
>
> >C K Wu <chiukay2000@yahoo.com.hk> wrote:
> >
> >>Hello, folks,
> >>
> >>Me again. There is some further complication with the
> >>urlencode/decode thing.
> >>
> >>In .../phpgwapi/inc/class.sessions.inc.php, around
> >>line 1145, the code reads,
> >>
> >>/* Now we process the extravars into a proper url format */
> >>/* if its not an array, then we turn it into one */
> >>/* We do this to help prevent any duplicates from being sent. */
> >>if (!is_array($extravars) && $extravars != '')
> >>{
> >>    $a = explode('&', $extravars);
> >>    $i = 0;
> >>    while ($i < count($a))
> >>    {
> >>        $b = split('=', $a[$i]);
> >>        $new_extravars[$b[0]] = $b[1];
> >>        $i++;
> >>    }
> >>    $extravars = $new_extravars;
> >>    unset($new_extravars);
> >>}
> >>
> >>Apparently, '=' is used as the GET argument/value
> >>separator. However, if there is a second '=' in
> >>$a[$i], the value part will be truncated. This is the
> >>case when an SQL is passed from script to script as
> >>GET value. In my case, the raw GET string looks like
> >>this,
> >>
> >>"filter= WHERE substring(source,1,2)='GD'"
> >>
> >>so the callee script only recovers $filter as "WHERE
> >>substring(source,1,2)"
> >
> >
> >Hmmmm. I would argue that passing SQL via GET or even POST is very poor
> >security, and so it is good that this breaks. Also the $extravars, as
> >shown in the code should be an array as it is faster for process, no
> >explode() needed :)
> >
>
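The truncation CK describes and the array form Dave recommends, side by side, as an added example that is not phpGroupWare code from the thread. The function names and the sample key/value pairs are made up for illustration; the raw "filter=" string is the one quoted above.

```php
<?php
// Added example, not code from class.sessions.inc.php or CK-Ledger.

// Reproduces the string-parsing branch quoted in the thread: every '=' in a
// pair is treated as a separator, so only the fragment between the first and
// second '=' survives as the value. (explode replaces the removed split().)
function parse_extravars_string(string $extravars): array
{
    $out = [];
    foreach (explode('&', $extravars) as $pair) {
        $b = explode('=', $pair);
        $out[$b[0]] = $b[1] ?? '';      // original indexes $b[1] unconditionally
    }
    return $out;
}

// CK's suggested fix: split on the first '=' only (limit 2), keeping the rest
// of the pair intact as the value. Does nothing for a '&' inside a value.
function parse_extravars_string_first_eq(string $extravars): array
{
    $out = [];
    foreach (explode('&', $extravars) as $pair) {
        [$name, $value] = explode('=', $pair, 2) + [1 => ''];
        $out[$name] = $value;
    }
    return $out;
}

// Dave's recommendation: pass an array, encode each key and value separately.
// A '=' or '&' inside a value becomes %3D / %26 and can never be read as a
// separator, so no explode() is needed on the receiving side at all.
function build_extravars_query(array $extravars): string
{
    $parts = [];
    foreach ($extravars as $k => $v) {
        $parts[] = urlencode((string) $k) . '=' . urlencode((string) $v);
    }
    return implode('&', $parts);
}

$raw = "filter= WHERE substring(source,1,2)='GD'";              // from the thread
var_dump(parse_extravars_string($raw)['filter']);               // " WHERE substring(source,1,2)"
var_dump(parse_extravars_string_first_eq($raw)['filter']);      // " WHERE substring(source,1,2)='GD'"

$query = build_extravars_query(['app' => 'ckledger', 'filter' => "a=b&c"]); // constructed values
var_dump($query);                        // "app=ckledger&filter=a%3Db%26c"
parse_str($query, $decoded);             // what PHP does with the query string on the callee side
var_dump($decoded['filter'] === "a=b&c"); // bool(true): both '=' and '&' round-trip
```

Encoding solves only the transport problem; Dave's point that an SQL fragment should not travel in the URL at all stands regardless of how it is escaped.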