[dokuwiki] Re: Fwd: DokuWiki - Full path disclosure

  • From: Michael Hamann <michael@xxxxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Sun, 24 Jun 2012 12:35:54 +0200

Hi,

2012/6/24 Andreas Gohr <andi@xxxxxxxxxxxxxx>:
> I just got this report and wondering how to deal with it. The specified
> problem can easily be fixed with a cast to string, but I guess we have
> a bunch of other parameters as well that might cause warnings when
> filled with a wrong parameter type...

There are also other possibilities to cause warnings in DokuWiki, e.g.
http://bugs.dokuwiki.org/index.php?do=details&task_id=2432 - so I
think if we really want to fix that warnings are displayed this
involves more than just checking parameters with wrong type. Maybe we
should also point in the installation documentation to
http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors
which clearly states that display_errors should be disabled in
production systems, i.e. when warnings are displayed and disclose
information in production systems, this is not really a problem of
DokuWiki but the PHP configuration (nevertheless I think we should fix
warnings).

> Does anyone have a suggestion how to fix this at other places as well,
> in a systematic manner? Would grepping for _POST, _REQUEST, _GET to
> build a list of all user inputs be a good idea? Then making sure each
> of them can only contain the right type by going through the list?

It would be a start and definitely eliminate the current problem,
however I have the impression that this problem also concerns some
plugins from looking at the output of a quick search in the plugins I
have installed here so just having a list of the parameters used in
core code doesn't solve the whole problem. We could also put the
cleaned parameters in some globally accessible data structure in order
to make it easier to see which parameters have been cleaned (otherwise
it might be easy to miss a parameter).

> Any better ideas?

I don't know if it is really better, but we could introduce some
wrapper around _POST, _REQUEST, _GET etc. which takes as arguments the
name of the parameter, the method (get, post, any) and the expected
type, i.e. string, array, string_array (for an array of strings) and
mixed for cases when the check is done by the caller (just as
suggestion, we could also add other types that are frequently needed).
That way we could also check if the parameter is set at all and
eliminate some more notices without adding additional code in every
place where a parameter is read and also plugins could easily check
their parameters that way.

Michael
-- 
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
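A sketch of the wrapper described in the message above, added here as an example; it is not DokuWiki code and not Michael's own. The function name `request_param`, its signature and the sample requests are assumptions made for this illustration:

```php
<?php
// Added example (not DokuWiki code). Reads $name from $_GET, $_POST or either
// ('any') and returns it only if it has the expected PHP type; otherwise
// $default is returned. Missing or wrongly typed parameters therefore raise no
// notice or warning, so nothing (such as a file path) leaks via display_errors.
function request_param($name, $method = 'any', $type = 'string', $default = null) {
    switch ($method) {
        case 'get':  $sources = array($_GET); break;
        case 'post': $sources = array($_POST); break;
        default:     $sources = array($_POST, $_GET); // POST takes precedence
    }
    $found = false;
    $value = null;
    foreach ($sources as $src) {
        if (isset($src[$name])) { $value = $src[$name]; $found = true; break; }
    }
    if (!$found) return $default; // no "undefined index" notice
    switch ($type) {
        case 'string':
            // "?id[]=x" arrives as an array; a blind (string) cast would emit
            // an "Array to string conversion" message instead of failing cleanly.
            return is_string($value) ? $value : $default;
        case 'array':
            return is_array($value) ? $value : $default;
        case 'string_array':
            if (!is_array($value)) return $default;
            foreach ($value as $v) { if (!is_string($v)) return $default; }
            return $value;
        case 'mixed':
            return $value; // caller performs its own validation
        default:
            trigger_error("unknown parameter type '$type'", E_USER_ERROR);
            return $default;
    }
}

// Constructed sample requests, as core code or a plugin would see them:
$_GET  = array('id' => array('wiki:start'), 'do' => 'edit');
$_POST = array('tags' => array('a', 'b'));

var_dump(request_param('id', 'get', 'string', ''));      // string(0) "" (array rejected, no warning)
var_dump(request_param('do', 'any', 'string'));          // string(4) "edit"
var_dump(request_param('tags', 'post', 'string_array')); // array(2) of strings
var_dump(request_param('missing', 'any', 'string'));     // NULL, no notice
```

Plugins can call the same function for their own parameters, which gives one place to audit which inputs have been type-checked.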
