View previous topic :: View next topic |
Author |
Message |
Mastershrimp Smarty Regular
Joined: 21 Dec 2009 Posts: 53
|
Posted: Mon Nov 14, 2011 6:18 pm Post subject: Suggestion: Dont use mb_split |
|
|
Hi!
Admittedly more a suggestion than a bug (but it certainly can lead to bug-like behaviour ):
Due to a weird company security policy the provider "Strato" (which is quite popular at least in Germany) decided to disable all "mb_..."-functions that are regex-related. They stated they do this for security reasons....dont know why those functions are particularly dangerous.
Anyways. As I started to rewrite my scripts I found out that Smarty uses mb_split in shared.mb_str_replace.php. This function is on their blacklist as well.
Strato states that soon other hosting companies will "most likely" also shut down the support of mb_... (at least the regex functions). I think it's ridiculous, but maybe it's better if you guys find a workaround for the use of mb_split.
Best regards |
|
Back to top |
|
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
|
Posted: Mon Nov 14, 2011 8:21 pm Post subject: |
|
|
Do they have an explanation why this is a security concern? |
|
Back to top |
|
rodneyrehm Administrator
Joined: 30 Mar 2007 Posts: 674 Location: Germany, border to Switzerland
|
Posted: Mon Nov 14, 2011 8:31 pm Post subject: |
|
|
Could you please provide a link to where Strato is saying MBString is dangerous? It's the first time I've heard that. And frankly, if true, this would be most unsettling, seeing that PHP is incapable of properly handling UTF-8 without the Multibyte String PECL.
Either Strato has information none of my sources seem to have, or their level of incompetence has increased since I left them a couple of years ago…
Strato FAQ on available PHP extensions lists mbstring. That page has been updated two months ago. _________________ Twitter |
|
Back to top |
|
Mastershrimp Smarty Regular
Joined: 21 Dec 2009 Posts: 53
|
Posted: Mon Nov 14, 2011 8:45 pm Post subject: |
|
|
I was quite baffled too.....last week they silently disabled mb_ereg_* on our webspace, so my boss first thought it was a bug in our system.
After some calls it turned out that they disabled it for security reasons and decided to leave it that way since there were only a few complaints.....so according to them it's kind of a a loss for the greater good since almost nobody is using it talking about incompetence...
Btw: I looked at http://www.strato-faq.de/artikel.html?sessionID=fb64b480067ec278b75038b9099de724&id=2179 and couldnt find "mb" in the list of extensions...
Edit: Could you send me the link to that list of extensions that contains multibyte? I'd like to show it to the support team |
|
Back to top |
|
tommim Smarty Rookie
Joined: 08 Jun 2011 Posts: 23
|
Posted: Mon Nov 14, 2011 10:41 pm Post subject: |
|
|
I don't think there is a current security issue with mbstring. This is the first time EVER I heard about that.
There is an issue with Reg-ex using the "e" modifier: it allows you to inject PHP-code and execute it, when you use user input in a reg-ex and don't escape it properly. But this is YOUR fault and has nothing to do with PHP and especially not with mbstring.
What I HAVE read in another forum was something different though. They said that Strato does not allow the extension to be activated in "el cheapo" low-price packages like Basic XL for commercial reasons. I heard they would want to convince you to upgrade to a more expensive package. But this is rumors too.
So far I really would like to see something official from Strato. I simply don't see how there should be an issue.
Especially: If there was a security issue with mbstring, then why don't they just upgrade to the latest version? It makes no sense to me at all.
EDIT: I checked the bug-tracker. AFAIK: there is no current bug reported for any security issue with mbstring and regex.
The only thing I found was a performance issue with the seldom used mb_ereg_replace() function when given some weird input: https://bugs.php.net/bug.php?id=53099
Now I sure hope this isn't the issue Strato was talking about because: that would be just ridiculous.
I guess what they really meant was that all ereg-functions, including ereg_replace() and split(), are deprecated as of PHP 5.3.0 and thus you should not be used anymore. preg_replace() and preg_split() should be used instead (which are Unicode-aware by themselves and thus don't have mbstring-functions). Yet this is NOT a security issue at all. |
|
Back to top |
|
Mastershrimp Smarty Regular
Joined: 21 Dec 2009 Posts: 53
|
Posted: Tue Nov 15, 2011 7:44 am Post subject: |
|
|
Hum...you sure that mbstring is deprecated by now? The documentation doesnt say anything about that...http://de.php.net/manual/en/function.mb-ereg-search.php
I perceived mbstring as the next generation of the preg_...() functions, since the former supports character sets and the latter dont. |
|
Back to top |
|
tommim Smarty Rookie
Joined: 08 Jun 2011 Posts: 23
|
Posted: Tue Nov 15, 2011 8:39 am Post subject: |
|
|
Mastershrimp wrote: | Hum...you sure that mbstring is deprecated by now? The documentation doesnt say anything about that...http://de.php.net/manual/en/function.mb-ereg-search.php
I perceived mbstring as the next generation of the preg_...() functions, since the former supports character sets and the latter dont. |
The answer is: NO! MbString is NOT deprecated. EREG is deprecated! And PCRE aka PREG is the successor of EREG - NOT MbString.
MbString has nothing to do with PCRE as the PCRE-library is UTF8-compatible already. This is why EREG was deprecated in the first place.
This all has nothing to with MbString except that the MbString functions covering the deprecated EREG functions are (of course) deprecated too.
Read the PHP manual! It's there: in Large Red Letters! |
|
Back to top |
|
Mastershrimp Smarty Regular
Joined: 21 Dec 2009 Posts: 53
|
Posted: Tue Nov 15, 2011 8:48 am Post subject: |
|
|
Ahhhh relaaaax! I misread your post. Since we were talking about mb_ereg_* the whole time I didnt realize that you started talking about the regular ereg all of a sudden.
So we are on the same page.
And you say that PCRE is already UTF8-compatible? Why did they add mbstring if PCRE is already fine? I am pretty sure that I ran into some problems with PCRE in the past.... |
|
Back to top |
|
rodneyrehm Administrator
Joined: 30 Mar 2007 Posts: 674 Location: Germany, border to Switzerland
|
Posted: Tue Nov 15, 2011 9:05 am Post subject: |
|
|
PCRE is UTF8 compatible. UTF8, UTF8, UTF8. UTF8 is an *encoding* of Unicode (being a charset). There are other encodings for that charset, UTF7, UTF16, UTF32 (LE, BE) and PCRE handles neither of them. Then there are a couple other charsets and encodings people still use (EUC-JP, JIS, …). While I guess most people of the western hemisphere are using some Latin or UTF-8, Chinese, Japanese, Cyrillic might still be used in their respective charsets.
PCRE's u modifier makes the pattern strings being treated as UTF-8. There is no way to specify any other charset/encoding. It thus not capable of handling anything but Latin and UTF-8.
The above should explain why mb_split() cannot simply be replaced by preg_split().
(On a side note… Smarty 3.1.x is fully UTF-8 compatible. It can handle other charsets, but will fail at some points, as PCRE with u-modifier are used whenever possible/necessary). _________________ Twitter |
|
Back to top |
|
Mastershrimp Smarty Regular
Joined: 21 Dec 2009 Posts: 53
|
Posted: Tue Nov 15, 2011 2:52 pm Post subject: |
|
|
Well, talked to Strato. Again. I guess they really dont have a clue what they're doing. First the guy told me they disabled it on purpose (but couldnt tell me why on earth they think there is a security issue....). Then, after he realized that the platform hasnt even been migrated in the past year, he admitted that there might be a bug on their side....so suddenly no security problem after all. But also no clear statement.
As far as I am concerned, they're a bunch of incompetent idiots
Well, I guess there is no reason removing mb_split in Smarty. I have to deal with that "special" situation somehow differently...gnaaaa |
|
Back to top |
|
Mastershrimp Smarty Regular
Joined: 21 Dec 2009 Posts: 53
|
Posted: Thu Nov 17, 2011 3:55 pm Post subject: |
|
|
Ok, they fixed it. Sorry for bothering you guys
Since you seem to be quite the experts on mbstring: What is your recommendation when it comes to regex match/search/replace? Should I use the preg-functions with parameter "u" or should I use mbstring? Assuming the character encoding is utf8, of course. |
|
Back to top |
|
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
|
Posted: Thu Nov 17, 2011 3:57 pm Post subject: |
|
|
Mastershrimp wrote: | Ok, they fixed it. Sorry for bothering you guys
Since you seem to be quite the experts on mbstring: What is your recommendation when it comes to regex match/search/replace? Should I use the preg-functions with parameter "u" or should I use mbstring? Assuming the character encoding is utf8, of course. |
If you just need utf8, the preg_* functions with u modifier are by far the fastest and most flexible regex (PCRE) |
|
Back to top |
|
|