
Topic: What risk is there to Set $STRICT = FALSE in init.inc.php ?

JohnDBush (Coppermine newbie, Posts: 11)
What risk is there to Set $STRICT = FALSE in init.inc.php ?
« on: December 27, 2019, 11:49:53 am »

Hi,

Version 1.6.03

I use a custom header include which is specified in the Themes configuration setting.

Recently, I added some Geo IP Location code for logging and security monitoring so that every Album reference can be logged. However, it didn't work because I referred to some $_SERVER variables, and all the values were NULL! After poking around, I discovered that setting $STRICT=FALSE in include\init.inc.php prevents globals from being nullified.

Are there any vulnerabilities exposed by my doing that? I don't want to adversely affect CPG security, but I can't see how my using Server variables would make the program less secure. Was creating this "strict" mode actually cautionary proactive overkill by the development team?

Why are global variables nullified in the first place?

Is there a supported way to allow just the variables I want to be preserved? (e.g., DOCUMENT_ROOT & REMOTE_ADDR)

I can't hard-code REMOTE_ADDR.

Thanks for any pertinent information!


ron4mac (Administrator, Coppermine addict, Country: us, Posts: 2026)
Re: What risk is there to Set $STRICT = FALSE in init.inc.php ?
« Reply #1 on: December 27, 2019, 01:34:29 pm »


JohnDBush (Coppermine newbie, Posts: 11)
Re: What risk is there to Set $STRICT = FALSE in init.inc.php ?
« Reply #2 on: December 28, 2019, 10:53:16 am »

Thank you ron4mac !

I had to do a little further research, but the Inspekt cage works well. One little "gotcha" was the requirement to redefine the $superCage object prior to referencing it from a different function. I can access server variables fine now. Example below (for REMOTE_ADDR), showing the prior standard variable reference commented out, followed by the current extraction from the Inspekt cage.

Code:
    // Replace $_SERVER references with caged Inspekt references:

    $superCage = Inspekt::makeSuperCage();

    // $myIP = $_SERVER["REMOTE_ADDR"];
    $myIP = $superCage->server->getEscaped('REMOTE_ADDR');


JohnDBush (Coppermine newbie, Posts: 11)
Re: What risk is there to Set $STRICT = FALSE in init.inc.php ?
« Reply #3 on: December 28, 2019, 10:57:23 am »

So as a result, there is NO NEED to set $STRICT = FALSE in include/init.inc.php, mooting my original question.

ron4mac (Administrator, Coppermine addict, Country: us, Posts: 2026)
Re: What risk is there to Set $STRICT = FALSE in init.inc.php ?
« Reply #4 on: December 28, 2019, 01:25:35 pm »

John,

There is a global $superCage variable that I see little issue in using, should you choose:

Code:
    function myFunction ()
    {
        // Reuse the cage object Coppermine already created instead of building another one.
        global $superCage;

        $myIP = $superCage->server->getEscaped('REMOTE_ADDR');
        . . . .
    }
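The two snippets above (Reply #2 and Reply #4) read request data through an Inspekt cage rather than through a raw superglobal. The following is an added example, not Coppermine or Inspekt code, that shows in plain PHP what such a cage buys a logging include: every value is copied once and handed out only in an escaped or validated form, so a malformed or client-supplied value never reaches the log as raw text. The class name ServerCage, its methods, and the sample array are all hypothetical; the real Inspekt getEscaped() method is only referred to, not reimplemented.

```php
<?php
// Added example (not Coppermine or Inspekt code): a minimal filtering "cage"
// over $_SERVER for logging code. Class/method names are hypothetical.
declare(strict_types=1);

final class ServerCage
{
    /** @var array<string,mixed> private snapshot taken once, at construction */
    private array $values;

    private function __construct(array $source)
    {
        $this->values = $source;
    }

    // Snapshot $_SERVER, or a constructed array when testing outside a web request.
    public static function fromServer(?array $source = null): self
    {
        return new self($source ?? $_SERVER);
    }

    // Value with HTML metacharacters escaped (same idea as Inspekt's getEscaped()).
    // Safe to embed in an HTML log viewer; null if absent or not a scalar.
    public function getEscaped(string $key): ?string
    {
        if (!isset($this->values[$key]) || !is_scalar($this->values[$key])) {
            return null;
        }
        return htmlspecialchars((string) $this->values[$key], ENT_QUOTES, 'UTF-8');
    }

    // Value only if it is a syntactically valid IPv4/IPv6 address, else null.
    // Use this for anything that will be stored or compared as an address.
    public function getIp(string $key): ?string
    {
        $raw = $this->values[$key] ?? null;
        if (!is_string($raw)) {
            return null;
        }
        return filter_var($raw, FILTER_VALIDATE_IP) === false ? null : $raw;
    }
}

// Constructed sample standing in for $_SERVER during one request.
// REMOTE_ADDR is set by the web server; HTTP_* entries come from client headers.
$sample = [
    'REMOTE_ADDR'          => '203.0.113.7',               // documentation address (TEST-NET-3)
    'DOCUMENT_ROOT'        => '/var/www/html',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>', // client-controlled, untrusted
];

$cage = ServerCage::fromServer($sample);

// A logging include would write these, never the raw $_SERVER entries.
$clientIp  = $cage->getIp('REMOTE_ADDR');
$docRoot   = $cage->getEscaped('DOCUMENT_ROOT');
$forwarded = $cage->getEscaped('HTTP_X_FORWARDED_FOR');
$badIp     = $cage->getIp('HTTP_X_FORWARDED_FOR');

printf("client=%s root=%s xff=%s xff_as_ip=%s\n",
    var_export($clientIp, true),
    var_export($docRoot, true),
    var_export($forwarded, true),
    var_export($badIp, true)
);
```

Run it from the command line with `php` and the script uses the constructed array instead of a live request. The design point for a logging include is the split between the two accessors: getEscaped() is for values that will be displayed, getIp() for values that will be stored or matched as addresses, and anything a client can supply (here the X-Forwarded-For header) goes through one of them rather than being trusted because it happens to live in $_SERVER.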

JohnDBush (Coppermine newbie, Posts: 11)
Re: What risk is there to Set $STRICT = FALSE in init.inc.php ?
« Reply #5 on: December 29, 2019, 07:09:49 am »

Thank you again Ron4Mac,

Your suggestion to use the global variable reference instead of creating another copy of the object should perform better.

I appreciate your support.

-JDB