Use of eval too unrestrictive

Bug #1606184 reported by Данило Шеган on 2016-07-25
262
This bug affects 2 people
Affects Status Importance Assigned to Milestone
php-gettext
Critical
Данило Шеган

Bug Description

php-gettext code that parses the plural forms header relies on eval() and only filters out some known-bad characters before passing the value from a MO file in directly to eval().

It was assumed that PO and MO files would come from trusted translators, without any attempts to potentially exploit the service being translated. While there was still no case where this has been exploited, we should move to the same parsing logic gettext C library uses:

  * http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural-exp.c
  * http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural-exp.h
  * http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural.y

This has been reported by Jean-Marie Bourbon as affecting NagVis, which has since fixed it by commenting out all the plural forms code: https://github.com/NagVis/nagvis/commit/4fe8672a5aec3467da72b5852ca6d283c15adb53

Jean-Marie was also kind enough to start a CVE 2016-6175 for this issue.

CVE References

description: updated
information type: Private Security → Public Security
Michal Čihař (nijel) wrote :

Removing usage of eval() was one of reasons why we've forked php-gettext at phpMyAdmin, see https://github.com/phpmyadmin/motranslator/. It is not a drop in replacement, but can provide compatible API.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers