Smarty

[Mastershrimp]

Hi!

Admittedly more a suggestion than a bug (but it certainly can lead to bug-like behaviour ):

Due to a weird company security policy the provider "Strato" (which is quite popular at least in Germany) decided to disable all "mb_..."-functions that are regex-related. They stated they do this for security reasons....dont know why those functions are particularly dangerous.

Anyways. As I started to rewrite my scripts I found out that Smarty uses mb_split in shared.mb_str_replace.php. This function is on their blacklist as well.

Strato states that soon other hosting companies will "most likely" also shut down the support of mb_... (at least the regex functions). I think it's ridiculous, but maybe it's better if you guys find a workaround for the use of mb_split.


Best regards

[mohrt]

Do they have an explanation why this is a security concern?

[rodneyrehm]

Could you please provide a link to where Strato is saying MBString is dangerous? It's the first time I've heard that. And frankly, if true, this would be most unsettling, seeing that PHP is incapable of properly handling UTF-8 without the Multibyte String PECL.

Either Strato has information none of my sources seem to have, or their level of incompetence has increased since I left them a couple of years ago…

Strato FAQ on available PHP extensions lists mbstring. That page has been updated two months ago.
_________________
Twitter

[Mastershrimp]

I was quite baffled too.....last week they silently disabled mb_ereg_* on our webspace, so my boss first thought it was a bug in our system.

After some calls it turned out that they disabled it for security reasons and decided to leave it that way since there were only a few complaints.....so according to them it's kind of a a loss for the greater good since almost nobody is using it talking about incompetence...

Btw: I looked at http://www.strato-faq.de/artikel.html?sessionID=fb64b480067ec278b75038b9099de724&id=2179 and couldnt find "mb" in the list of extensions...


Edit: Could you send me the link to that list of extensions that contains multibyte? I'd like to show it to the support team

[tommim]

I don't think there is a current security issue with mbstring. This is the first time EVER I heard about that.

There is an issue with Reg-ex using the "e" modifier: it allows you to inject PHP-code and execute it, when you use user input in a reg-ex and don't escape it properly. But this is YOUR fault and has nothing to do with PHP and especially not with mbstring.

What I HAVE read in another forum was something different though. They said that Strato does not allow the extension to be activated in "el cheapo" low-price packages like Basic XL for commercial reasons. I heard they would want to convince you to upgrade to a more expensive package. But this is rumors too.

So far I really would like to see something official from Strato. I simply don't see how there should be an issue.
Especially: If there was a security issue with mbstring, then why don't they just upgrade to the latest version? It makes no sense to me at all.

EDIT: I checked the bug-tracker. AFAIK: there is no current bug reported for any security issue with mbstring and regex.
The only thing I found was a performance issue with the seldom used mb_ereg_replace() function when given some weird input: https://bugs.php.net/bug.php?id=53099

Now I sure hope this isn't the issue Strato was talking about because: that would be just ridiculous.

I guess what they really meant was that all ereg-functions, including ereg_replace() and split(), are deprecated as of PHP 5.3.0 and thus you should not be used anymore. preg_replace() and preg_split() should be used instead (which are Unicode-aware by themselves and thus don't have mbstring-functions). Yet this is NOT a security issue at all.

[Mastershrimp]

Hum...you sure that mbstring is deprecated by now? The documentation doesnt say anything about that...http://de.php.net/manual/en/function.mb-ereg-search.php

I perceived mbstring as the next generation of the preg_...() functions, since the former supports character sets and the latter dont.

[tommim]

[Mastershrimp]

Ahhhh relaaaax! I misread your post. Since we were talking about mb_ereg_* the whole time I didnt realize that you started talking about the regular ereg all of a sudden.

So we are on the same page.

And you say that PCRE is already UTF8-compatible? Why did they add mbstring if PCRE is already fine? I am pretty sure that I ran into some problems with PCRE in the past....

[rodneyrehm]

PCRE is UTF8 compatible. UTF8, UTF8, UTF8. UTF8 is an *encoding* of Unicode (being a charset). There are other encodings for that charset, UTF7, UTF16, UTF32 (LE, BE) and PCRE handles neither of them. Then there are a couple other charsets and encodings people still use (EUC-JP, JIS, …). While I guess most people of the western hemisphere are using some Latin or UTF-8, Chinese, Japanese, Cyrillic might still be used in their respective charsets.

PCRE's u modifier makes the pattern strings being treated as UTF-8. There is no way to specify any other charset/encoding. It thus not capable of handling anything but Latin and UTF-8.

The above should explain why mb_split() cannot simply be replaced by preg_split().

(On a side note… Smarty 3.1.x is fully UTF-8 compatible. It can handle other charsets, but will fail at some points, as PCRE with u-modifier are used whenever possible/necessary).
_________________
Twitter

[Mastershrimp]

Well, talked to Strato. Again. I guess they really dont have a clue what they're doing. First the guy told me they disabled it on purpose (but couldnt tell me why on earth they think there is a security issue....). Then, after he realized that the platform hasnt even been migrated in the past year, he admitted that there might be a bug on their side....so suddenly no security problem after all. But also no clear statement.

As far as I am concerned, they're a bunch of incompetent idiots

Well, I guess there is no reason removing mb_split in Smarty. I have to deal with that "special" situation somehow differently...gnaaaa

[Mastershrimp]

Ok, they fixed it. Sorry for bothering you guys

Since you seem to be quite the experts on mbstring: What is your recommendation when it comes to regex match/search/replace? Should I use the preg-functions with parameter "u" or should I use mbstring? Assuming the character encoding is utf8, of course.

[mohrt]