The Problem With 'extract'

In news over the weekend, Stefan Esser over on the PHP Security Blog wrote up a strong criticism of the new article 10 Tips That Every PHP Developer Should Know, Part 2 (part of a two part series).

Apart from the fact that the article’s author Jeffery Vaska can’t seem to count to ten (thanks Jules for spotting that), the article contains some dubious advice as far as Stefan is concerned, and he takes exception to one tip in particular, tip 5 (the second tip 5; we’re generously given two tips labelled ‘tip 5’), which explains the use of the extract language construct to extract the contents of the $_POST variable into local variables.

From Stefan:

Using extract() without using prefixes or the parameter EXTR_SKIP is usually a very big security hole, because it allows an external attacker to overwrite every variable, including the superglobals (unless you use the Hardening-Patch), and this can lead in many cases to SQL injection or even Remote Code Execution vulnerabilities.

It is relatively common for PHP applications to use variables uninitialised (one reason why debugging with notices on is a good idea). If you refer to a variable $username without initialising it beforehand, you may be wrongly assuming that its initial value will be null. extract, like register_globals, can falsify that assumption, allowing the variable $username to be initialised by end users. In short, it’s just like turning register_globals on again. extract can be used securely and therefore is not a security problem in itself, but it can be lethal to your security in combination with any number of other sloppy coding practices.
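The following is an added example, not code from the original post or from the criticised article. It uses a constructed request array (standing in for $_POST) that carries a key the application never expected, and shows the pattern from the tip beside two ways of using extract that do not let the request overwrite application state. The function names and the $is_admin flag are hypothetical.

```php
<?php
// Constructed sample input: what an untrusted form submission might contain.
// The application only expects 'username'; 'is_admin' is not a form field.
$request = ['username' => 'alice', 'is_admin' => '1'];

// Pattern from the criticised tip: every request key becomes a local variable.
function checkAccessVulnerable(array $request): bool
{
    // $is_admin is never initialised here; the author assumes it is "empty",
    // exactly the uninitialised-variable habit described above.
    extract($request);
    // The request now decides the outcome of the privilege check.
    return !empty($is_admin);
}

// Hardened variant 1: initialise first, then EXTR_SKIP refuses to overwrite
// variables that already exist in the current scope.
function checkAccessSkip(array $request): bool
{
    $is_admin = false;
    extract($request, EXTR_SKIP);
    return (bool) $is_admin;
}

// Hardened variant 2: EXTR_PREFIX_ALL creates $req_username, $req_is_admin,
// so the origin of every variable is visible and nothing shadows local state.
function checkAccessPrefixed(array $request): bool
{
    $is_admin = false;
    extract($request, EXTR_PREFIX_ALL, 'req');
    return $is_admin;
}

// The plainest fix: no extract at all, read only the keys you actually expect.
function checkAccessExplicit(array $request): bool
{
    $username = $request['username'] ?? '';
    $is_admin = false; // application state, never sourced from the request
    return $is_admin;
}

var_dump(checkAccessVulnerable($request));
var_dump(checkAccessSkip($request));
var_dump(checkAccessPrefixed($request));
var_dump(checkAccessExplicit($request));
```

Only the first function lets the constructed 'is_admin' key change the result; note that since PHP 7.0 extract() also refuses to touch superglobals, so the Hardening-Patch caveat in Stefan’s quote applies to the PHP versions of the time.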

In my eyes, the biggest problem with extract and also the biggest reason it is a security risk is actually that extract makes code so hard to read and debug. Try maintaining some code where somebody has used extract and you’re likely to find yourself yelling ‘Where does this variable come from?!’ Variables appear to materialize out of thin air. Consider the following.

// see if the user is authorised
$details = $this->getuserdetails();
extract($details);   // every key of $details silently becomes a local variable
if ($access[$accesszone]) $this->authorise();

Where did $access and $accesszone come from? Voodoo!

In my opinion it is confusing coding practices such as this that lead to real problems in the overall security of code. The harder code is to read, the harder it is to debug or review, and the easier it is to inadvertently introduce security holes.

Category: programming Time: 2005-08-15 Views: 1