Print Page - Error in Error log?

Public area => Bug reports => The Pub => Archived fixes => Topic started by: Dismal Shadow on November 5th, 2012, 04:53 PM

Title: Error in Error log?
Post by: Dismal Shadow on November 5th, 2012, 04:53 PM

Don't know what triggered it. Counter is there.

Code: [Select]

http://localhost/Wedge/?action=admin;area=logs;sa=errorlog 
 8: Undefined index: app_error_count 
 File: C:/wamp/www/Wedge/Sources/ManageErrors.php
Line: 288

Title: Re: Error in Error log?
Post by: Nao on November 5th, 2012, 05:12 PM

I'm sure it's the kind of issue that can show up on a first install... I think.

Replace with line:

if (!isset($settings['app_error_count']) || ($settings['app_error_count'] != $sum))

Title: Re: Error in Error log?
Post by: Nao on January 13th, 2013, 12:53 AM

I've found the reason for the recent crashes when trying to view a file...
It only happens (to me) when trying to view a template. Just insert a random error in one of them and check it out...

So, the reason is rev 1829, where Pete fixed a 'directory traversal error', but I'm guessing not as thoroughly as hoped.
SMF does: if path has '../' in it, then if the path has both $boarddir and $sourcedir in it, send an error. I'm guessing the bug is related to having a requirement for BOTH..?
Wedge does: if realpath(path) has $boarddir or $sourcedir in it, then it's all right, otherwise send error. That is, it only accepts paths that are in the root, or in Sources. It no longer accepts templates etc.

I'll leave the fix up to you, Pete, since you wrote it in the first place and you'll be more comfortable dealing with it. Hopefully my bug report makes it easier for you to work on :)
Time for bed...

(Grmpf I still haven't found time to answer this SMF topic. And yes, I have no problems joining up with Pete on anything he's willing to do regarding either SMF or Wedge. We're pretty much in the same position and state of mind when it comes to these. Sorry for the off-topic...)

Title: Re: Error in Error log?
Post by: Arantor on January 13th, 2013, 01:03 AM

There's two consequences to SMF's original bug. The point of the ../ test is to prevent people going up and outside the SMF tree to view files, e.g. viewing non SMF files. Then the other test is to ensure that files requested are inside the SMF tree, either inside $boarddir or $sourcedir, as people can and do have the Sources dir outside webroot. The idea is that you need both tests to prevent people doing things like /home/user/smf/../../../etc/passwd - which would be fairly bad if it could be exploited. It can be... defeated... under certain circumstances which is a type of directory traversal.

There is a secondary bug that the Settings.php can be accessed by this, when it shouldn't.

I fixed it to force use of realpath to canonicalise everything so there's no ability to use ../ to escape anything. The thing is, on my localhost which uses current SVN, it works just fine. Is your $sourcedir outside of where $boarddir is?

Thing is, by definition $boarddir is the parent of templates and it should allow for that...?

Title: Re: Error in Error log?
Post by: Nao on January 13th, 2013, 12:15 PM

I explained myself incorrectly.

Basically, if I remove the first few elements of the test, which all evaluate to false, we find ourselves with:

if (strpos($file, $real_source) === false)
fatal_error(..)

Which evaluates to true for anything that is NOT in the Sources folder... (Even a root file will thus return an error, as opposed to what I said last night. It was very, very late for me...)
Hence the bug.

Also, it evaluates for $cachedir later in the line... Which doesn't make much sense to me..?! :edit: Oh yes it does, it ensures we shouldn't be trying to read a cache file...
Oh, and these extra brackets 'joining' the $boarddir and $sourcedir tests are weird and unneeded :P It really feels like a && test that became a || test and wasn't reprocessed entirely. Which is the case, but you know how much of a nazi I am for these things... :^^;:

Posted: January 13th, 2013, 09:51 AM

So, basically, I've rewritten it to this...

Code: [Select]

if (strrchr($basename, '.') != '.php' || $basename == 'settings.php' || $basename == 'settings_bak.php' || strpos($file, $cachedir) !== false || (strpos($file, realpath($boarddir)) === false && strpos($file, realpath($sourcedir)) === false) || !is_readable($file))

I'm putting all of the 'light' work ahead, then the longer operations (realpath and is_readable) at the end, only one realpath is done, except if $boarddir isn't found in the path, in which case another realpath is done against $sourcedir (in the unlikely case $sourcedir isn't part of the $boarddir path...), and that should be it.

At the very least, that line works on my setup. Is it okay if I commit this?

PS: obviously, the $realxxx initialization lines are removed. This is to avoid doing a realpath(), as fast (or slow) as they might be, when the tests aren't even used. Well, it's an obscure admin feature so the only thing that wasted time here is *me* actually, but whatever... :lol:

Posted: January 13th, 2013, 12:03 PM

Changed line to this...

Code: [Select]

if (strrchr($basename, '.') != '.php' || $basename == 'settings.php' || $basename == 'settings_bak.php' || (strpos($file, realpath($boarddir)) === false && strpos($file, realpath($sourcedir)) === false) || strpos($file, realpath($cachedir)) !== false || !is_readable($file))

I'm pretty sure people would want to protect against root_forum/Sources/../cache/randomname.php ;)

Although I don't really see how they could reach a critical cache file with a random filename, but whatever...!

Title: Re: Error in Error log?
Post by: Nao on January 15th, 2013, 05:01 PM

Bump before I commit this along with my other changes...

Title: Re: Error in Error log?
Post by: Arantor on January 15th, 2013, 05:10 PM

I thought you already had committed it (hadn't checked, head elsewhere)

If it works and doesn't allow people to retrieve any files outside the installation and doesn't allow accessing Settings.php or Settings_bak.php, I'm fine with it.

Title: Re: Error in Error log?
Post by: Nao on January 15th, 2013, 05:26 PM

Quote from Arantor on January 15th, 2013, 05:10 PM

I thought you already had committed it (hadn't checked, head elsewhere)

I don't commit a lot these days, I tend to do batches... I've got a batch in the works right now, and would like to commit it tonight at the latest.
Currently banging my head over the wall regarding the outline color of the Android icon... White doesn't look good, black is worse, gray lacks detail... And I start editing it to give it white eyes and gray outlines, I'll end up with a file that's over 98 bytes in size, and I don't like it... :^^;:

Quote

If it works and doesn't allow people to retrieve any files outside the installation and doesn't allow accessing Settings.php or Settings_bak.php, I'm fine with it.

From my understanding, that code is secure and from my testing, it works.
You might want to double-check its safety aspects, though...

Title: Re: Error in Error log?
Post by: Arantor on January 15th, 2013, 05:44 PM

Eh, commit it, and if it's dodgy, it'll get fixed. Seems fine to me though.

Title: Re: Error in Error log?
Post by: Nao on January 15th, 2013, 06:45 PM

'kay!