PHP Leaks - Sharing Something Extra: June 2010

Freelancing and Copyright — An Uncomfortable Arrangement

When Congress last amended copyright law in 1976, they added a clause that causes problems for freelance artists, writers, and designers. Basically, the law gave copyright ownership to the ”author” of a creative work as long as it was not a ”work made for hire,” in which case the copyright belonged to the organization for whom the project was executed.

Corporations such as publishers of newspapers and magazines went to court to protect their rights to withhold royalties from freelancers under an argument that the work was done “for hire” and not that the author loaned the work for publication; and these battles are still being waged.

In 1989, one of these court battles made it all the way to the Supreme Court who ruled in favor of freelance artists on commission. This is a huge win since it stated that freelance artists in most instances can keep the benefits of copyright, which include licensing and reproduction rights and protection against unauthorized copying. The decision also poses practical problems for businesses that rely heavily on freelance work.

What is a Copyright?

When you post the following statement:
Copyright © year Your Company Name. All rights reserved.
… you are stating that you own all the rights and privileges to your work, period. You are protecting yourself from anyone who tries to “make and sell copies of the work, publicly show the work, import or export the work and assign these rights to others.” Notice that you are protecting your work, but not the ideas behind the work.
The following types of work are protected by copyright.

Original literary works (novels, instruction manuals, computer programs, lyrics for songs, articles in newspapers, some types of databases, but not names or titles)
Original dramatic works, including works of dance or mime
Original musical works
Original artistic works, e.g. paintings, engravings, photographs, sculptures, collages, works of architecture, technical drawings, diagrams, maps, logos
Published editions of works, i.e. the typographical arrangement of a publication
Sound recordings, which may be recordings on any medium, e.g. tape or compact disc, and may be recordings of other copyright works, e.g. musical or literary
Films, including videos
Broadcasts.

The moment you commit a creative endeavor to paper or web, CD or computer file, it is copyrighted. The mark shown above is a warning to your viewers that the work is protected.
Copyright law provides a limited use clause called “fair use.” This is a loophole through which free libraries, educators, universities, commentators, bloggers, critics, and journalists may quote with proper attribution, from a copyrighted work. The definition of what exactly constitutes fair use is a murky topic that is still being debated in courts.

source : Freelancer

Creating Variables from Array Keys in PHP (with more control)

This function is a little more enhanced version of my previous post on the same topic. In this function, what extra you can de is define the default value in the variables array in case of non existance of variable in the parent array. Previously the default value was NULL.

function better_array_to_variables( $array = array() , $variable_list = array() )
{
 if( empty( $array ) OR empty( $variable_list ) )
 {
  return false;
 }
 
 if( !is_array( $variable_list ) OR !is_array( $array ) )
 {
  return false;
 }
 
 if( !count( $variable_list ) OR !count( $array ) )
 {
  return false;
 }
 
 foreach( $variable_list as $key => $value )
 {
  if( !ctype_digit( ( string ) $key ) )
  {
   $name  = $key;
   $default = $value;
  }
  else
  {
   $name  = $value;
   $default = NULL;
  }
  
  if( preg_match( "/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/" , $name ) )
  {
   GLOBAL $$name;
   if( isset( $array[$name] ) )
   {
    $$name = $array[$name];
   }
   else
   {
    $$name = $default;
   }
  }
 }
}

better_array_to_variables( array( 'hamdusa' => '1' , 'Adlusa' => '2'  ) , array( 'hamdusa' , 'adlusa' => false , 'mudassar' => 'inexists' ) );

var_dump( $hamdusa );
var_dump( $adlusa );
var_dump( $mudassar );

Creating Variables from Array Keys in PHP

If you want to convert associative arrays in variables automatically, you can use the following script. It requires an array from which to extract the variables, and an array of variable names that you want to extract.

Here is the script:

<?php
function array_to_variables( $array = null , $variable_list = array() )
{
 if( $array === null )
 {
  $array = $_GET;
 }
 
 if( !is_array( $variable_list ) )
 {
  $variable_list = explode( ',' , $variable_list );
 }
 
 if( !count( $variable_list ) )
 {
  $variable_list = array_keys( $array );
 }
 
 foreach( $variable_list as $variable_name )
 {
  $variable_name = trim( $variable_name );
  if( preg_match( "/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/" , $variable_name ) )
  {
   GLOBAL $$variable_name;
   if( isset( $array[$variable_name] ) )
   {
    $$variable_name = $array[$variable_name];
   }
   else
   {
    $$variable_name = null;
   }
  }
 }
}?>

And here is how to use it;

<?php
//Example 1
array_to_variables( $_GET , array( 'image_id' , 'session_id' ) );
//Example 2
array_to_variables(  );
?>

In the example 1, it will try to create variables $image_id and $session_id and look for the value in the $_GET array. If the array keys in $_GET array exist with the name 'image_id' and 'session_id', same variables are created successfully. In case of failure it creates variables and saves NULL in those variables.

I second Example, the default array $_GET is taken and it tried to create a variable for every valid associative key. Valid here means an associative key that can be used as variable name.

Hope this is helpful function for you all. Sorry for poor documentation.

PHP Constants can make your application insecure

PHP constants work in a strange way to make the language more programmer friendly. When you use a constant inside your script, and by any chance that constant is not defined before its use, php issues a Notice. Example:

<?php
echo MY_CONST;
//MY_CONST is not already defined;
?>

The output is

<br />
<b>Notice</b>: Use of undefined constant MY_CONST - assumed 'MY_CONST' in <b>/path/to/file.ext
</b> on line <b>13</b><br />MY_CONST

Notice the emboldened My_CONST that is not part of the Notice. What php did is first tried to get the value of constant MY_CONST but when it found that no constant of this name was ever defined, it issued a Notice and then used MY_CONST as a string 'MY_CONST'. At next step the same string is outputted to the browser.

When you are running your site on production server with error reporting disabled, php will simply echo the name of constant (as it did in above example) and no error Notice will be displayed to you at all. Here lies vulnerability.

It is common in many applications that when the script successfully determines the status of the user (loggedin/not-loggedin), the status is saved in a constant. See the following example:

<?php

function authentication()
{
     //Some Authentication Stuff
     //IF Successful
     define('USER_LOGGED_IN' , true );
}

function is_login()
{
     return USER_LOGGED_IN;
}

if( is_login() )
{
     include('/private_stuff');
}

authentication();

if( is_login() )
{
     //allow private access
}

if( is_login() )
{
     //SHOW Tools
}

if( is_login() )
{
     //Show username
}

?>

There are two problems in this script. First:
If the authentication is successful and USER_LOGGED_IN is set to true, everything will go fine. Call to function is_login() will happily return true and if( is_login() ) results in success. But when the authentication is failed the authentication() function has not enough explanation of what to do in case of failure. USER_LOGGED_IN constant is not defined in case of failure, and whenever is_login() is called it will behave strangely (as explaned at the top of this post) and will return a string 'USER_LOGGED_IN'. Strings other than empty ("") or "0" are true in php, so the if( is_login() ) results in if( 'USER_LOGGED_IN' ) which still results in a success. So whether or not a user is logged in, it will get access to private contents.

Second: The if condition used before the call to authentication() function, still results in success even the authentication is not yet done (this is because of the same problem as in the first case).

A simple solution to these problems may be:

<?php

authentication();

function authentication()
{
     //Some Authentication Stuff
     //IF Successful
     define('USER_LOGGED_IN' , true );
     
     //IF Not Successful
     define('USER_LOGGED_IN' , false );
}

function is_login()
{
     if( !defined( 'USER_LOGGED_IN' ) )
          authentication();
     //The above call will probabily never happen unless you forgot it elsewhere
     return USER_LOGGED_IN;
}

if( is_login() )
{
     include('/private_stuff');
}

if( is_login() )
{
     //allow private access
}

if( is_login() )
{
     //SHOW Tools
}

if( is_login() )
{
     //Show username
}

?>

No doubt there were bugs in this script, but this problem may also occur in many other cases like misspelling constants, or not defining constant at all when you think it already has been defined in some other included file. When you misspell a constant and you have error reporting disables, you hardly get any clue where the problem lies unless you use a good php editor (like in Notepad++ highlighting a word highlights all instances of the same word. This makes finding spelling mistakes easy).

Also in this case, you have to take extra care to ensure that whenever the function is_login() is called, the authentication process is already completed, or in other words you have to authenticate at the top of your script.

May be no one developing a secure application is this much stupid to make an application where an insecurity exists at such basic level. But errors and oversights do occur. Also the the scenario may be different. You might think that a constant is defined in some other file but may be that file is not included at all or the constant is not be defined as expected or not defined at all.

When you check you application under the development environment, the possibilities are limited. No matter how thoroughly you test your application, it is always possible that something unexpected occur. The parameters that you work with may work fine for you under testing environment, but when your application is open for public, it may start behaving unexpectedly.

I recommend using Variables and Arrays unless you really want/need to use constants, for example: keeping settings in constants that you never want any one else to change through out the running of the script.

Why Last-modified when you already have Expires and Cache-control headers?

(These are rough notes. Do not take it as complete article.)
Last-modified header, as the name suggest, is useful when you want browser to ask the resource only if the contents have changes since the time provided in Last-Modified header. Similar results can be achieved using Expires and cache-control headers with a plus that if you set expire time, browser will not ask the server until the expiration of the terms specified in the headers. This will save a request that results in 304 Not Modified response, but there is a practicle case where using last-modified header along with cache-control or expires headers provide better performance.

When you refresh a page (using F5, or browsers' refresh button) the browser sends a request to the server no matter whether you have told it to keep the page in cache (using Expires or cache-control headers). The same happens to the inline elements (images, style sheets, scripts etc). So, refreshing the page by pressing F5 or browser refresh button could bypass the normal caching techniques. Now if you sent last-modified header with your response last time, the browser will send if-modified-since header along with the request. This can help you save bandwidth by determining whether the contents are modified. You can easily return 304 Not Modified if you think it appropriate. This way you can still make your web application perform better and save your bandwidth even when other caching techniques fail.

Preventing Cross Site Request Forgery (CSRF)

Details are here: http://en.wikipedia.org/wiki/Cross-site_request_forgery

My Suggestions:
1. Always check HTTP referer before form submissions. Is the REFERER same as expected? It is fine if there is no referer value available.
2. Do not allow sensitive actions without using tokens in the URLs. And tokens must be authenticated, ie user specific and no one else can use it. Tokens must change on each sensitive request. This will prevent CSRF by using "URL to sensitive action" as a src of image.