Wherever we drop .htaccess stopping PHP running we can drop this file as well, use it in <img src="tricky.php">. 'Cos the result of this trickery is such a file that will produce the same valid PNG if PHP runs and if it doesn't but it will also drop a drupaltest file in the system temporary directory.

php -r 'file_put_contents("x.png", base64_decode("iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg=="));'
pngcrush -force -text b comment '<?php header("Content-type: image/png"); file_put_contents(sys_get_temp_dir(). "/drupaltest", ""); print(substr(file_get_contents(__FILE__), 49)); exit; // '  x.png tricky.php 
rm x.png
Comment | File | Size | Author
#1 | tricky.zip | 388 bytes | chx
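The offset 49 passed to substr() above is where the text payload starts in the file: 8-byte PNG signature, 25-byte IHDR chunk, 8-byte tEXt length/type header, then the keyword `comment` and a NUL (assuming pngcrush places the text chunk directly after IHDR). As an added example, not part of the original issue or of Drupal's code, here is a Python sketch of how an upload filter could find PHP opening tags inside PNG chunks and rebuild the image without them; the function names and the inert sample file are constructed for illustration.

```python
import base64, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PHP_TAGS = (b"<?php", b"<?=")  # opening tags the scanner looks for
# The 1x1 PNG from the post above (same base64 string).
BASE_PNG = base64.b64decode(
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ"
    "AAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==")

def make_chunk(ctype, body):
    """Frame one PNG chunk: length, type, body, CRC-32 over type+body."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))

def iter_chunks(data):
    """Yield (body_offset, type, body) per chunk, then any bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield pos + 8, ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length
        if ctype == b"IEND":
            break
    if pos < len(data):
        yield pos, b"(trailing)", data[pos:]

def find_php_tags(data):
    """Return [(chunk_type, file_offset)] for each PHP opening tag found."""
    hits = []
    for start, ctype, body in iter_chunks(data):
        lowered = body.lower()  # PHP accepts <?PHP as well as <?php
        for tag in PHP_TAGS:
            idx = lowered.find(tag)
            if idx != -1:
                hits.append((ctype.decode("latin-1"), start + idx))
    return hits

def strip_to_critical(data):
    """Rebuild the PNG from its critical chunks only, dropping text chunks."""
    keep = (b"IHDR", b"PLTE", b"IDAT", b"IEND")
    return PNG_SIG + b"".join(
        make_chunk(t, b) for _, t, b in iter_chunks(data) if t in keep)

# Constructed sample: an inert, comment-only PHP tag in a tEXt chunk after IHDR.
SAMPLE = (BASE_PNG[:33] + make_chunk(b"tEXt", b"comment\x00<?php /* inert */ ")
          + BASE_PNG[33:])
```

Scanning `SAMPLE` reports the tag at file offset 49, the same offset the one-liner skips to, and the rebuilt image no longer carries it.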

Comments

chx’s picture

Status: new | File size: 388 bytes

I have attached the result, in a zip file to make 100% sure it won't be corrupted when downloaded.

grendzy’s picture

This is a really cool idea. I did find two problems:

  • An outside observer can tell if the script has executed by examining the content-type header. (It will either be application/x-httpd-php or image/png.)
  • It works on CentOS 5.6 / PHP 5.3.3, but for some strange reason it only outputs "?" on OS X 10.6.6 / PHP 5.3.3. Could be a fluke though, maybe my PHP is busted.

Edit - tested on a second Mac, 10.6.7 / PHP 5.3.4, and it produces the same "?" output. Works fine with 5.2.14 compiled via MacPorts.

chx’s picture

I do not care too much about outside observers -- this will be an image on the install / status report screen. You mean it could be used as a probe before an attack? We can always write it out to disk just before we omit the image and then delete it later. I presume the page using this image will need to reload itself to check whether the image ran or not and that's when you can delete it.

Let's investigate more of that OS X problem.

cashwilliams’s picture

Subscribe.

I'm running OSX and will start investigating too.

chx’s picture

Also, I can happily change header("Content-type: image/png"); to header("Content-type: application/x-httpd-php");. Your move :)

grendzy’s picture

Even if the MIME type is changed, I don't think it will be possible to get all the headers to match exactly. Also there's no IANA standard type for PHP, so it can vary across different servers.

Unless we're willing to advertise sites that have this configuration flaw, I think it's best to prevent the test file from being observed. And I hate to be a buzzkill, but if the file isn't observable there may not be a need for the tricky polyquine. Something simple like print strrev('!regnad'); (fetched via drupal_http_request, or maybe XHR) might be just as effective.

Safe:

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 15:43:40 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.0d DAV/2 PHP/5.2.14
Last-Modified: Fri, 24 Jun 2011 15:43:00 GMT
ETag: "1449857-f4-4a6770e6a2900"
Accept-Ranges: bytes
Content-Length: 244
Connection: close
Content-Type: application/x-httpd-php

Vulnerable:

HTTP/1.1 200 OK
Date: Fri, 24 Jun 2011 15:43:15 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.0d DAV/2 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 244
Connection: close
Content-Type: image/png

chx’s picture

drupal_http_request does not work. We tried and we have learned the bitter lesson you can't HTTP request yourself. XHR might work. But an image is the simplest and surest way and since it exists, why not?

Once again: if you have trouble with the file existing then the installer can write it out at the same time as settings.php -- there we have a writeable dir which can execute php.

chx’s picture

Assigned: chx » Unassigned

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Version: 8.2.x-dev » 8.3.x-dev

Version: 8.3.x-dev » 8.4.x-dev

Version: 8.4.x-dev » 8.5.x-dev

Version: 8.5.x-dev » 8.6.x-dev

Version: 8.6.x-dev » 8.8.x-dev

Version: 8.8.x-dev » 8.9.x-dev

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Version: 9.4.x-dev » 9.5.x-dev

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave’s picture

Status: Active » Postponed (maintainer needs more info)
Issue tags: +stale-issue-cleanup

Thank you for sharing your idea for improving Drupal.

We are working to decide if this proposal meets the Criteria for evaluating proposed changes. There hasn't been any discussion here for over 8 years which suggests that this has either been implemented or there is no community support. Your thoughts on this will allow a decision to be made.

Since we need more information to move forward with this issue, the status is now Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

Thanks!

smustgrave’s picture

Wanted to bump 1 more time.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.