forum.coppermine-gallery.net

Support => cpg1.6.x Support => cpg1.6 permissions => Topic started by: JohnDBush on December 27, 2019, 11:49:53 am

Title: What risk is there to Set $STRICT = FALSE in init.inc.php ?
Post by: JohnDBush on December 27, 2019, 11:49:53 am
Hi,

Version 1.6.03

I use a custom header include which is specified in the Themes configuration setting.

Recently, I added some Geo IP Location code for logging and security monitoring so that every Album reference can be logged. However, it didn't work because I referred to some $_SERVER variables, and all the values were NULL!!! After poking around, I discovered that setting $STRICT=FALSE in include\init.inc.php prevents globals from being nullified.

Are there any vulnerabilities exposed by my doing that? I don't want to adversely affect CPG security, but I can't see how my using Server variables would make the program less secure. Was creating this "strict" mode actually cautionary proactive overkill by the development team?

Why are global variables nullified in the first place?

Is there a supported way to allow just the variables I want to be preserved? (e.g., DOCUMENT_ROOT & REMOTE_ADDR)

I can't hard-code REMOTE_ADDR.

Thanks for any pertinent information!

Title: Re: What risk is there to Set $STRICT = FALSE in init.inc.php ?
Post by: ron4mac on December 27, 2019, 01:34:29 pm
Use $superCage to access superglobals.
https://coppermine-gallery.net/docs/curr/en/dev_superglobals.htm

Title: Re: What risk is there to Set $STRICT = FALSE in init.inc.php ?
Post by: JohnDBush on December 28, 2019, 10:53:16 am
Thank you ron4mac!

I had to do a little further research, but the Inspekt cage works well. One little "gotcha" was the requirement to redefine the $superCage object prior to referencing it from a different function. I can access server variables fine now. Example below (for REMOTE_ADDR), showing the prior standard variable reference commented out, followed by the current extraction from the Inspekt cage.

Code:
// Replace $_SERVER references with caged Inspekt references:
$superCage = Inspekt::makeSuperCage();

// $myIP = $_SERVER["REMOTE_ADDR"];   // old direct reference, NULL under $STRICT
$myIP = $superCage->server->getEscaped('REMOTE_ADDR');

Title: Re: What risk is there to Set $STRICT = FALSE in init.inc.php ?
Post by: JohnDBush on December 28, 2019, 10:57:23 am
So as a result, there is NO NEED to set $STRICT = FALSE in include/init.inc.php, mooting my original question.

Title: Re: What risk is there to Set $STRICT = FALSE in init.inc.php ?
Post by: ron4mac on December 28, 2019, 01:25:35 pm
John,

There is a global $superCage variable that I see little issue in using, should you choose:

Code:
function myFunction ()
{
    global $superCage;   // reuse the cage init.inc.php already built

    $myIP = $superCage->server->getEscaped('REMOTE_ADDR');
    // . . . . rest of the function
}

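Putting the two replies above together, here is a fuller version of the pattern as an added example; it is not Coppermine's or Inspekt's own code. It assumes that include/init.inc.php has already created the global $superCage before the custom header include runs, that the cage's getEscaped() returns a printable string (or an empty/false value when the key is absent), and it goes slightly beyond the thread by validating the address with PHP's filter_var before logging it. The function name log_visit_from_cage, the StandInCage classes (used only so the file runs outside Coppermine) and the sample request values are all constructed for this example.

```php
<?php
// Added example for this thread; not Coppermine's or Inspekt's own code.
// Assumes Coppermine has already created the global $superCage (as in the
// replies above) before this header include runs.

// Stand-alone run only (php this_file.php): supply constructed request
// values so the stand-in cage below has something to read. Under a web
// server $_SERVER is filled by PHP itself, so this block is skipped.
if (PHP_SAPI === 'cli') {
    $_SERVER['REMOTE_ADDR'] = '203.0.113.7';                     // constructed sample
    $_SERVER['REQUEST_URI'] = '/thumbnails.php?album=3&page=2';  // constructed sample
}

if (!class_exists('Inspekt', false)) {
    // Stand-in cage so the file runs outside Coppermine. It imitates only
    // getEscaped(); escaping with htmlspecialchars is my assumption about
    // that method, and the stand-in is never used when Inspekt is loaded.
    class StandInCage
    {
        private $data;
        public function __construct(array $data) { $this->data = $data; }
        public function getEscaped($key)
        {
            if (!isset($this->data[$key])) {
                return false;
            }
            return htmlspecialchars((string) $this->data[$key], ENT_QUOTES, 'UTF-8');
        }
    }
    class StandInSuperCage
    {
        public $server;
        public function __construct() { $this->server = new StandInCage($_SERVER); }
    }
    $superCage = new StandInSuperCage();
}

/**
 * Write one visit log line from a custom header include, reading request
 * data only through the cage so $STRICT can stay TRUE.
 * Returns the line written, or null when no usable client address exists.
 */
function log_visit_from_cage()
{
    global $superCage;   // the cage Coppermine already created

    $ip = $superCage->server->getEscaped('REMOTE_ADDR');
    // Escaped is not the same as valid: accept only a well-formed IPv4/IPv6
    // address before it goes into a log that other tooling will parse.
    if (!is_string($ip) || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    $uri = $superCage->server->getEscaped('REQUEST_URI');
    if (!is_string($uri) || $uri === '') {
        $uri = '-';
    }

    // One tab-separated line with a UTC timestamp, so lines from several
    // servers compare directly and the log stays trivial to parse.
    $line = implode("\t", array(gmdate('Y-m-d\TH:i:s\Z'), $ip, $uri));
    error_log($line);   // lands in the PHP / web server error log
    return $line;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demonstration: show what was logged.
    $written = log_visit_from_cage();
    echo ($written === null ? 'no valid client address, nothing logged' : $written), PHP_EOL;
} else {
    // Inside Coppermine: log only, never print into the page output.
    log_visit_from_cage();
}
```

Run on its own it logs and prints a line like `2019-12-28T10:53:16Z	203.0.113.7	/thumbnails.php?album=3&amp;page=2` (the `&amp;` comes from the stand-in's escaping). The validation step matters because getEscaped() only makes a value safe to print; it does not guarantee the value is an address, so anything that fails FILTER_VALIDATE_IP is dropped rather than written to the log.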
Title: Re: What risk is there to Set $STRICT = FALSE in init.inc.php ?
Post by: JohnDBush on December 29, 2019, 07:09:49 am
Thank you again Ron4Mac,

Your suggestion to use the global variable reference instead of creating another copy of the object should perform better.

I appreciate your support.

-JDB