Keyword filter: variable executed as function, security issue?

Created on 23 November 2020, over 4 years ago

Updated 13 October 2024, 5 months ago

Problem/Motivation

In the method match() a variable is executed as function:

  /**
   * Determines whether we get a keyword filter match.
   */
  protected function match($match_func, $field, array $word_list) {
    foreach ($word_list as $word) {
      if ($match_func == "matchRegex") {
        if ($this->$match_func($field, $word) !== FALSE) {
          return TRUE;
        }
      }
      elseif ($match_func($field, $word) !== FALSE) {
        return TRUE;
      }
    }

    return FALSE;
  }

I'm not sure, but I think this could be a security issue. The function to call can be changed in the config YML file:

      34cc0f9f-516e-4f63-8dd5-8e204bc7bc4b:
        words: ''
        word_boundaries: false
        exact: false
        case_sensitive: false
        invert: false
        word_list:
          - ''
        regex: false
        function: mb_stripos
        plugin: keyword_filter
        source: titel
        weight: 1
        label: 'Keyword filter'
        uuid: 34cc0f9f-516e-4f63-8dd5-8e204bc7bc4b

See function: mb_stripos

Looking at the code, I think there's no need to save the function to call. The function to call is now determined in ::validateConfigurationForm():

$setting_function = 'matchRegex';
...
elseif (!$word_boundaries && $case_sensitive) {
  $setting_function = $is_multibyte ? 'mb_strpos' : 'strpos';
}
elseif (!$word_boundaries && !$case_sensitive) {
  $setting_function = $is_multibyte ? 'mb_stripos' : 'stripos';
}

I think this check can also be done in ::tamper().

Steps to reproduce

Proposed resolution

Remove the configuration for "function" and determine which function to call in ::tamper().

Perhaps a switch statement can be used in ::tamper()? Something like this:

switch (TRUE) {
  case !$word_boundaries && $case_sensitive && $is_multibyte:
    if (mb_strpos($field, $word) !== FALSE) {
      return TRUE;
    }
    break;
}

Remaining tasks

Remove configuration for "function" (in KeywordFilter.php and in the config schema).
Remove setting function from ::validateConfigurationForm()
Determine which function to call in ::tamper()

User interface changes

API changes

Data model changes

Other issues for this plugin:
#3184133: Warning: mb_stripos(): Empty delimiter in Drupal\tamper\Plugin\Tamper\KeywordFilter->match() (line 234 of /var/www/html/modules/tamper/src/Plugin/Tamper/KeywordFilter.php) →
#3184182: Keyword filter: place plugin in "filter" category →

🐛 Bug report

Status

Active

Version

1.0

Component

Code

Created by

🇳🇱Netherlands megachriz

Live updates comments and jobs are added and updated live.

Incomplete comments

Merge Requests

!35Keyword filter: variable executed as function, security issue?
Merged
🇳🇱Netherlands megachriz
updated 4 months ago

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Merge request !35Removed function setting and determine function upon processing. → (Merged) created by megachriz
Comment 5 months ago →
🇳🇱Netherlands megachriz
Pipeline finished with Skipped
4 months ago
#327587
Comment 4 months ago →
System Message

megachriz → committed c4e46b75 on 8.x-1.x
Issue #3184186 by megachriz: Keyword filter: removed settings 'regex'...
Comment 4 months ago →
🇳🇱Netherlands megachriz
Merged the changes!
Comment 4 months ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024