What risk is there to Set $STRICT = FALSE in init.inc.php ? What risk is there to Set $STRICT = FALSE in init.inc.php ?
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

What risk is there to Set $STRICT = FALSE in init.inc.php ?

Started by JohnDBush, December 27, 2019, 11:49:53 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

JohnDBush

December 27, 2019, 11:49:53 AM
Hi,

Version 1.6.03

I use a custom header include which is specified in the Themes configuration setting.

Recently, I added some Geo IP Location code for logging and security monitoring so that every Album reference can be logged.   However, it didn't work because I referred to some $_SERVER variables, and all the values were NULL!!!   After poking around, I discovered that setting $STRICT=FALSE in include\init.inc.php prevents globals from being nullified.

Are there any vulnerabilities exposed by my doing that?   I don't want to adversely affect CPG security, but I can't see how my using Server variables would make the program less secure.    Was creating this "strict" mode actually cautionary proactive overkill by the development team?

Why are global variables nullified in the first place?   

Is there a supported way to allow just the variables I want to be preserved?  (eg, DOCUMENT_ROOT & REMOTE_ADDR)   

I can't hard-code REMOTE_ADDR.

Thanks for any pertinent information!

JohnDBush

#2
December 28, 2019, 10:53:16 AM
Thank you ron4mac !

I had to do a little further research, but the Inspekt cage works well.   One little "gotcha" was the requirement to redefine the $superCage object prior to referencing it from a different function.     I can access server variables fine now.   Example below (for REMOTE_ADDR), showing the prior standard variable reference commented out, followed by the current extraction from the Inspekt cage.

Code Select

// Replace $_SERVER references with caged Inspekt references:

   $superCage = Inspekt::makeSuperCage();
   
// $myIP = $_SERVER["REMOTE_ADDR"];
   $myIP = $superCage->server->getEscaped('REMOTE_ADDR');


JohnDBush

#3
December 28, 2019, 10:57:23 AM
So as a result, there is NO NEED to set  $STRICT = FALSE in include/init.inc.php, mooting my original question.

ron4mac

#4
December 28, 2019, 01:25:35 PM
John,

There is a global $superCage variable that I see little issue in using, should you choose:

Code Select
function myFunction ()
{
    global $superCage;

    $myIP = $superCage->server->getEscaped('REMOTE_ADDR');
    . . . .
}

JohnDBush

#5
December 29, 2019, 07:09:49 AM
Thank you again Ron4Mac,

Your suggestion to use the global variable reference instead of creating another copy of the object should perform better.

I appreciate your support.

-JDB
Print
Go Up Pages1
User actions