Problem/Motivation

After #2508735: Code injection via preg_replace() the special characters in machine name input field are not longer replaced properly.
The preg_quote() addition in MachineNameController::transliterate() seems to create some troubles with the regular expressions and prevents preg_replace() to do its job.
If you fill the name field with a dirty string the machine name this is the result

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

CommentFileSizeAuthor
#24 increment.txt1.13 KBpwolanin
#24 2525870-24.patch2.38 KBpwolanin
#20 2525870-20.patch2.23 KBwillzyx
#20 interdiff.txt1.87 KBwillzyx
#17 interdiff.txt1.78 KBwillzyx
#17 2525870-17.patch2.21 KBwillzyx
#11 increment.txt1.9 KBpwolanin
#11 2525870-11.patch1.92 KBpwolanin
#8 increment.txt837 bytespwolanin
#8 2525870-8.patch1.73 KBpwolanin
#1 machine_name_inputs_not-2525870-1.patch930 byteswillzyx
machine-name.jpg19.95 KBwillzyx
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

willzyx’s picture

willzyx CreditAttribution: willzyx commented
FileSize
machine_name_inputs_not-2525870-1.patch930 bytes

First, tests should fail. Add some real world cases to MachineNameControllerTest::providerTestMachineNameController() is a good idea

Status: Needs review » Needs work

The last submitted patch, 1: machine_name_inputs_not-2525870-1.patch, failed testing.

willzyx’s picture

willzyx CreditAttribution: willzyx commented
Version: 8.1.x-dev » 8.0.x-dev
Status: Needs work » Needs review

wrong branch..

willzyx queued 1: machine_name_inputs_not-2525870-1.patch for re-testing.

cilefen’s picture

cilefen CreditAttribution: cilefen commented
Title: machine name inputs not longer work properly after #2508735 » Regression: machine name inputs not longer work properly after #2508735
Related issues: +#2508735: Code injection via preg_replace()
cilefen’s picture

cilefen CreditAttribution: cilefen commented
Title: Regression: machine name inputs not longer work properly after #2508735 » Regression: machine name inputs no longer work properly after #2508735
pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer and at Acquia commented

Ah, hmm - so we should not have used preg_quote() perhaps, but just have quoted the pattern delimiter?

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer commented
Priority: Normal » Major
FileSize
2525870-8.patch1.73 KB
increment.txt837 bytes

I think this would fix the bug?

willzyx’s picture

willzyx CreditAttribution: willzyx commented

oh probably it does but I think we need to improve a bit the test and add more real-world cases

The last submitted patch, 1: machine_name_inputs_not-2525870-1.patch, failed testing.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer commented
FileSize
2525870-11.patch1.92 KB
increment.txt1.9 KB

Possibly a more robust fix, plus one more test case.

Fabianx’s picture

Fabianx CreditAttribution: Fabianx as a volunteer and at Tag1 Consulting commented

Why do we allow user-input for that anyway?

Is there not just a fixed list of possible patterns that could be managed by a pattern manager or such?

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer commented

@Fabianx - I'm not sure - it doess seem overly flexible. So I think we need to fix the regression here quickly and then actually fix the code better.

Fabianx’s picture

Fabianx CreditAttribution: Fabianx as a volunteer and at Tag1 Consulting commented
Status: Needs review » Needs work

Could we at least add some test cases using '@' and '\0' to the list?

It is making me nervous to change a security critical bug to something else without testing that it regresses.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer commented

I added one with "@" already.

Fabianx’s picture

Fabianx CreditAttribution: Fabianx as a volunteer and at Tag1 Consulting commented

No, I mean for the replace_pattern ...

willzyx’s picture

willzyx CreditAttribution: willzyx commented
Status: Needs work » Needs review
FileSize
2525870-17.patch2.21 KB
interdiff.txt1.78 KB

Added a test with \e and a test with @ in replace_pattern.

Fabianx’s picture

Fabianx CreditAttribution: Fabianx as a volunteer and at Tag1 Consulting commented
Status: Needs review » Reviewed & tested by the community

RTBC, that should be fine for now.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer commented
Status: Reviewed & tested by the community » Needs work

hmm, no - the \0 is in single quotes, so it's not actually a null byte in the pattern.

willzyx’s picture

willzyx CreditAttribution: willzyx commented
Status: Needs work » Needs review
FileSize
interdiff.txt1.87 KB
2525870-20.patch2.23 KB

The tests that I added for null byte in #17 was wrong. The null byte should be in replace_pattern, not in text.
Added some comments and taken in account #17.

Fabianx’s picture

Fabianx CreditAttribution: Fabianx as a volunteer and at Tag1 Consulting commented

#20: Note, testing those is very very fast, I would rather have a few more lines added here, than to just add 3 new ones.

I think you can just merge your new examples with the old patch.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer commented

The null byte should indeed be in the replace pattern to simulate an attack. It's not clear to me that that added test case would alert us to the vuln, however.

Trying to test locally, I actually see that I can't make it fail on 5.4, since PHP added protection against NULL bytes in the regex pattern in 5.4 itself. e.g. see:

https://github.com/php/php-src/blob/PHP-5.4/ext/pcre/tests/null_bytes.phpt
http://stackoverflow.com/questions/21842773/php-is-this-a-safe-way-to-al...

Fabianx’s picture

Fabianx CreditAttribution: Fabianx as a volunteer and at Tag1 Consulting commented

I found in the SO link:

"The null-byte protection actually is necessary. PHP only checks for null bytes before the ending delimiter. – Xeoncross Feb 18 '14 at 17:06"

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer commented
Status: Needs review » Reviewed & tested by the community
FileSize
2525870-24.patch2.38 KB
increment.txt1.13 KB

trying harder to verify code is not called - the bogus call fail() would fatal.

Fabianx’s picture

Fabianx CreditAttribution: Fabianx as a volunteer and at Tag1 Consulting commented

RTBC - if green.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick at Acquia commented
Status: Reviewed & tested by the community » Fixed

Nice catch. Thanks for the expanded test coverage, too!

Committed and pushed to 8.0.x. Thanks!

  • webchick committed 227f243 on 8.0.x 
    Issue #2525870 by pwolanin, willzyx, Fabianx: Regression: machine name...

  • xjm committed ccfc649 on 8.0.x 
    Issue #2525870 by pwolanin, willzyx, Fabianx: Regression: machine name...
xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Status: Fixed » Reviewed & tested by the community

The patch for this issue wasn't actually committed -- https://www.drupal.org/commitlog/commit/2/227f243a901d12200ed69cf7470471... is actually the patch from #2527638: MigrateDrupal7TestBase never installs Drupal 7 migrations a second time. Oops! I've committed and pushed #24 now for realsies.

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Status: Reviewed & tested by the community » Fixed

Er.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.