From: Charles C. <ch...@ru...> - 2005-01-13 12:29:32
I am looking into the security problems that I (and others) have reported
with security (owners, permissions) on pages when using a MySQL database.

The specific test case that I have is
pre-condition - brand new/freshly created database
1 - login as administrator
2 - go to /PhpWikiAdministration/Chown
3 - select page RichTablePlugin (as it is owned by ReiniUrban and not by
    the administrator)
4 - click "Chown Selected Pages"
5 - confirm
6 - go to /RichTablePlugin to see that the owner has been changed
7 - go back to /PhpWikiAdministration/Chown and see that RichTablePlugin
    is apparently owned by ReiniUrban
8 - go to /RichTablePlugin to see that RichTablePlugin is apparently owned
    by the administrator
9 - go back to /PhpWikiAdministration/Chown change the owner of
    RichTablePlugin to the administrator again - but this time nothing happens

It appears that during the population of the cache with all of the pages
for the PageList, the cache or the intermediate data that is put into the
cache is corrupted, somewhere between
    WikiDB_cache->get_versiondata() - line 2051
and the return from this into
    WikiDB_page->getRevision() - line 1123

I am using the dbg debugger under phpeclipse so the specific location of
the error report may be an artefact of the tools that I am using.
However, I have repeated this test case in several different environments
with different versions of php, apache and mysql, running both on Unix and
on Windows.

regards,
Charles

From: Reini U. <ru...@x-...> - 2005-01-13 13:18:25
Charles Corrigan wrote:
> I am looking into the security problems that I (and others) have reported
> with security (owners, permissions) on pages when using a MySQL database.
>
> The specific test case that I have is
> pre-condition - brand new/freshly created database
> 1 - login as administrator
> 2 - go to /PhpWikiAdministration/Chown
> 3 - select page RichTablePlugin (as it is owned by ReiniUrban and not by
> the administrator)
> 4 - click "Chown Selected Pages"
> 5 - confirm
> 6 - go to /RichTablePlugin to see that the owner has been changed
> 7 - go back to /PhpWikiAdministration/Chown and see that RichTablePlugin
> is apparently owned by ReiniUrban
> 8 - go to /RichTablePlugin to see that RichTablePlugin is apparently owned
> by the administrator
> 9 - go back to /PhpWikiAdministration/Chown change the owner of
> RichTablePlugin to the administrator again - but this time nothing happens
>
> It appears that during the population of the cache with all of the pages
> for the PageList, the cache or the intermediate data that is put into the
> cache is corrupted, somewhere between
> WikiDB_cache->get_versiondata() - line 2051
> and the return from this into
> WikiDB_page->getRevision() - line 1123
>
> I am using the dbg debugger under phpeclipse so the specific location of
> the error report may be an artefact of the tools that I am using.
> However, I have repeated this test case in several different environments
> with different versions of php, apache and mysql, running both on Unix and
> on Windows.

yep, I know. It's on my todo list also.

* pagedata_cache on PageGroupTest/subpage wrong PhpWikiAdmin/Chown owner display

Maybe you'll find it. I'm quite busy with another project.

--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/

From: Charles C. <ch...@ru...> - 2005-01-14 08:08:10
On Thu, January 13, 2005 20:29, Charles Corrigan said:
> It appears that during the population of the cache with all of the pages
> for the PageList, the cache or the intermediate data that is put into the
> cache is corrupted, somewhere between
> WikiDB_cache->get_versiondata() - line 2051
> and the return from this into
> WikiDB_page->getRevision() - line 1123

OK, found something. But I do not understand it.

in lib/WikiDB.php, line 2056, WikiDB_cache->get_versiondata()
==============================
    if ($vdata && !empty($vdata['%pagedata'])) {
        $this->_pagedata_cache[$pagename] =& $vdata['%pagedata']; // BUG HERE
    }
    return $vdata;
==============================

To my understanding, this looks like completely legitimate PHP code.
However, it _appears_ that the php dictionary goes haywire/gets corrupted
at this line (I am a php newbie so I am hesitant to state that it is a bug
in php unless an expert can back me up).

It is possible that my output is messed up by the DBG tool but it appears
to be consistent and would explain the problems that I am seeing. For
example, when opening /PhpWikiAdministration/Chown, the cache is filled
with all of the pages in the database. It goes wrong in exactly the same
place each time.

I have not yet managed to get everything setup correctly to debug under
xdebug which might give better understanding of the problem. Until I get
that sorted out, I am stuck.

regards,
Charles
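
An added example, not part of the thread and not PhpWiki code: it shows what binding an array element with `=&`, as in the lines quoted above, does in PHP, next to a by-value variant. The class `DemoCache`, its methods and the sample row are hypothetical; whether this behaviour explains the Chown owner display is not established in the thread.

```php
<?php
// Hypothetical stand-in for a page-data cache; names are not from PhpWiki.
class DemoCache {
    public $pagedata = [];   // plays the role of a per-page owner/permission cache
    private $backend;

    function __construct(array $backend) { $this->backend = $backend; }

    // Same shape as the quoted lines: the cache slot is bound by reference.
    // After this, $vdata['%pagedata'] is a reference slot, and PHP keeps
    // reference slots shared when the array is returned or copied.
    function getByRef($page) {
        $vdata = $this->backend[$page];
        if ($vdata && !empty($vdata['%pagedata'])) {
            $this->pagedata[$page] =& $vdata['%pagedata'];
        }
        return $vdata;
    }

    // By-value variant: the cache gets its own copy of the page data.
    function getByValue($page) {
        $vdata = $this->backend[$page];
        if ($vdata && !empty($vdata['%pagedata'])) {
            $this->pagedata[$page] = $vdata['%pagedata'];
        }
        return $vdata;
    }
}

// Returns the owner held in the cache after the caller edits its own result.
function ownerInCacheAfterCallerWrite($method) {
    // Constructed sample row, not real wiki data.
    $rows = ['RichTablePlugin' => ['version' => 1,
                                   '%pagedata' => ['owner' => 'ReiniUrban']]];
    $cache = new DemoCache($rows);
    $v = $cache->$method('RichTablePlugin');
    $v['%pagedata']['owner'] = 'written-by-caller';  // caller touches only $v
    return $cache->pagedata['RichTablePlugin']['owner'];
}

// With getByRef the cache entry and the caller's array element are one value,
// so the caller's write is visible in the cache; with getByValue it is not.
var_dump(ownerInCacheAfterCallerWrite('getByRef'));
var_dump(ownerInCacheAfterCallerWrite('getByValue'));
```

Where owner or permission data is served from a cache like this, comparing the cached value against a fresh backend read after each write is a direct check for the kind of disagreement described in steps 6 to 8.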