On Wed, 29 Oct 2008 13:22:36 +0100, Puzzled <Pu*****@discussions.com>
wrote:
Curtis wrote:
>Puzzled wrote:
>>Curtis wrote:
On Thu, 16 Oct 2008 16:25:25 +0100, Puzzled <Pu*****@discussions.com>
wrote:
PHP 4.4 and PHP 5.2.3 on Ubuntu.
>
I am running Moodle 1.5.3 and have recently had a problem when
updating a course. The $_POST variable is empty but only if a lot of
text was entered into the textarea on the form. If only a short text
is entered it works fine.
>
I have increased the post_max_size from 8M to 200M but this has not
helped.
>
I have googled for an answer but have been unable to find one.
>
HTTP Headers on Firefox shows the content size of 3816 with the
correct data, so it's just not getting to $_POST.
>
Thanks for your assistance.
What is the HTTP status code you get? What do your server logs say?
This might be a problem with your server, not PHP.
Curtis
email: s/sig.invalid/gmail.com/;
The text I am testing with is a single string of characters (with html
tags). If I hit return every 1000 characters or so the POST works
correctly, but it is impossible to request that the users do this.
As Erwin suggested, testing with a simple script would be a wise
course of action, which should tell you if it's a problem with Moodle
or something else. Don't forget to report back your findings.
Thanks for the advice.
I finally traced the problem to a required file which contained an if
statement that appears to be validating text.
foreach ($_REQUEST as $key => $val)
{
    if (
        preg_match('/eval.*\(|system.*\(|passthru.*\(|exec.*\(|include|require_once|move_uploaded_file.*\(/i',
        $val) )
    {
        exit;
    }
}
I have now amended the code to be
if (
    preg_match('/eval\s*\(|system\s*\(|passthru\s*\(|exec\s*\(|include|require_once|move_uploaded_file\s*\(/i',
    $val) )
{
    exit;
}
Might I add that any system relying on this for security is inherently and
tremendously flawed? It shouldn't be needed, and in its current form is
easily circumventable by for instance using the backtick operator (`mv
{$_FILES['name']['tmp_name']} /var/www/.htpaswd`), or doing something like:
$func = 'move_uploaded_file';
call_user_func($func,$arg1,$arg2);
(perfectly possible, as there's no /s in the preg_match)
Furthermore, it's just completely ridiculous I cannot commit text like
"feels medieval (this was in practise in the 900's) to me". (Do a search
on medireview.)
If users can supply code you will run, you either trust them, or you
don't, and you don't let them add code, just text you simply do not try to
'run'. Any half-assed try to prevent only specific actions you don't want
is better handled by disallowing functions and other php.ini and user
settings. Any inspection of the string to disallow some actions is doomed
to fail unless one employs some very heavy duty inspection from something
like parsekit_compile_string() or token_get_all() (and no, I'm not
advocating using them in production for that kind of purpose).
Moral of the story: just remove that entire bit of code, and even possibly
drop this Moodle if this is their idea of security. I see they are at
version 1.9.3 BTW, maybe they fixed this. Any reason you are not
upgrading? Especially on widely used frameworks, updating to prevent known
hacks is _very_ important.
--
Rik
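
The behaviour of the two patterns quoted in this thread, as an added example that is not part of any poster's message and not Moodle's code. It runs both patterns over sample values and reports which ones would hit the `exit`; the course text is constructed, while the "medieval" sentence and the two `call_user_func` lines are the ones quoted in the posts above.

```php
<?php
// Added example, not Moodle's code. The two patterns are copied from the thread.
const ORIGINAL = '/eval.*\(|system.*\(|passthru.*\(|exec.*\(|include|require_once|move_uploaded_file.*\(/i';
const AMENDED  = '/eval\s*\(|system\s*\(|passthru\s*\(|exec\s*\(|include|require_once|move_uploaded_file\s*\(/i';

// True when the filter would reach exit; for this request value.
function blocked(string $pattern, string $value): bool
{
    return preg_match($pattern, $value) === 1;
}

// Constructed course description: the word "system" early on, a "(" far later.
$intro  = '<p>The grading system is described in week 1.</p>';
$filler = str_repeat('<p>More course notes.</p>', 150);
$outro  = '<p>(See the appendix.)</p>';

$samples = [
    // Benign text on one line: "system" and "(" share a line.
    'long text, single line'   => $intro . $filler . $outro,
    // Same text with one line break between the keyword and the "(".
    'same text, one newline'   => $intro . "\n" . $filler . $outro,
    // Sentence quoted in the thread: "medieval" contains "eval".
    'sentence from the thread' => "feels medieval (this was in practise in the 900's) to me",
    // Constructed: the pattern has a bare "include" alternative.
    'ordinary word "include"'  => 'Fees include all course materials.',
    // The two lines quoted in the thread, function name held in a string.
    'lines from the thread'    => "\$func = 'move_uploaded_file';\ncall_user_func(\$func,\$arg1,\$arg2);",
];

foreach ($samples as $label => $value) {
    printf(
        "%-26s %5d bytes  original: %-8s amended: %s\n",
        $label,
        strlen($value),
        blocked(ORIGINAL, $value) ? 'blocked' : 'passes',
        blocked(AMENDED, $value) ? 'blocked' : 'passes'
    );
}
```

The first two rows differ only by a line break: without the /s modifier, `.` does not match a newline, so the original pattern only fires when a keyword and a later `(` sit on the same line.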