Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The discussions over http://drupal.org/node/937876 brought up the question whether we could bump to 5.2.4 and then check_plain uses 5.2.5 and 5.2.5 has two rather important PDO fixes Fixed PDO crash when driver returns empty LOB stream. , Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()).
This patch does all that can be done with 5.2.5.
Comment | File | Size | Author |
---|---|---|---|
#60 | php-524-938614-60.patch | 2.61 KB | effulgentsia |
#59 | php-524-938614-59.patch | 6.13 KB | David_Rothstein |
#52 | 524_2.patch | 6.13 KB | David_Rothstein |
#52 | interdiff-46-52.txt | 1.66 KB | David_Rothstein |
#46 | 524.patch | 5.36 KB | chx |
Comments
Comment #1
chx CreditAttribution: chx commentedw/ the stream wrapper fix.
Comment #2
webchickWell. This certainly cleans up some f'ugly code. Including some in check_plain() which is called 50,000 times on an average page load, and fixes a security problem in stream wrappers (before 5.2.4, a stream wrapper to flickr:// would not respect allow_url_fopen security setting in php.ini). According to http://www.php.net/ChangeLog-5.php#5.2.5 this release of PHP came out in November 2007, which is basically 3 years ago. According to what DamZ and chx said on IRC, there are no current distros shipping with PHP > 5.2.0 && < PHP 5.2.5.
I think it might be worth a try slipping this into the next beta release and see what kind of end-user reports come in.
Comment #3
neclimduldo it! </peer-pressure>
Comment #4
Damien Tournoud CreditAttribution: Damien Tournoud commented+1 here, obviously.
Comment #5
chx CreditAttribution: chx commentedRHEL 6 will ship with 5.3.1. RHEL 5.5 was 5.1.6. Debian Lenny is 5.2.6. Debian Etch security support stopped this February. Apple has updated Leopard to 5.2.10 in a security http://support.apple.com/kb/ht3865 update this February. Microsoft offers 5.2.14 http://www.microsoft.com/web/platform/phponwindows.aspx at this moment. OpenBSD went 5.2.5 in 4.3 and to my understanding even 4.5 has ceased to be supported http://www.openbsd.org/faq/faq5.html#Flavors .
Anyone else...?
Comment #6
Anonymous (not verified) CreditAttribution: Anonymous commentedbig +1 on bumping the required version.
small nitpick, just below this line in the patch:
we have the same sort of comparison, but with extra brackets for extra flavour:
can we make it consistent, one way or another?
Comment #7
ksenzeeParentheses are definitely the way to go there. Most people are not going to remember bitwise operator precedence.
Comment #8
chx CreditAttribution: chx commented()
Comment #9
Anonymous (not verified) CreditAttribution: Anonymous commentedalrighty, this looks good to go to me.
Comment #10
emgee3 CreditAttribution: emgee3 commentedFor Fedora and Ubuntu servers, Fedora 9 or newer or Ubuntu 8.10 or newer would work after this change. So I don't see this as too much of a problem.
Comment #11
Dries CreditAttribution: Dries commentedI'm with webchick on this. Let's try shipping this in the next beta and see what blows up. ;-)
Committed to CVS HEAD.
Comment #12
David_Rothstein CreditAttribution: David_Rothstein commentedUm, please roll this back?
Ubuntu 8.04 (server edition) is supported through the year 2013... otherwise known as the next two-and-a-half years:
https://wiki.ubuntu.com/Releases
Even the Ubuntu 8.04 desktop version (which just so happens to be running on my computer) is supported through April 2011. So right now, I cannot install Drupal 7 without rolling back this patch :)
Also, Ubuntu backports security fixes so the check_plain() issue is not a problem there despite running 5.2.4; I haven't checked the stream wrappers thing but I assume that's the case too:
http://www.ubuntu.com/usn/usn-628-1
Maybe we can get away with requiring 5.2.4 or making a special case for Ubuntu or whatever, but requiring 5.2.5 straight up is really not acceptable.
Comment #13
David_Rothstein CreditAttribution: David_Rothstein commentedBetter example than my laptop, of course: Drupal Gardens (currently hosting something like 99% of all Drupal 7 sites) also runs on Ubuntu 8.04...
So, that is a real life example of something this patch would break. We shouldn't make Drupal not be able to run on a supported version of the most popular Linux operating system :)
Comment #14
neclimdulMaybe we force greater than 5.2.4 and in requirements do a more elaborate check that errors if version < 5.2.5 && OS != debian. That or we check for functionality ala jQuery.support().
That should preserve the goal of the higher required version. Sounds so hacky though... If there's any other platforms that are going to get us in this problem we should definitely go with the later or roll this back.
Comment #15
pwolanin CreditAttribution: pwolanin commentedSadly, I think this should be fully rolled back at this point. I'd rather see us emit a runtime warning for the status page than actually block Drupal from running.
Is there a demonstrable performance improvement for the check_plain() change?
Comment #16
chx CreditAttribution: chx commentedUbuntu 10.04 LTS is already out. The patch above has dire security implications. See the other issue for more -- but yes we can run with just 5.2.0 up to the point where someone tries to install a remote stream wrapper, then bam! you are screwed.
Comment #17
effulgentsia CreditAttribution: effulgentsia commentedLooking at the timestamps of #13 and #14, and the text of #14, I don't think neclimdul intended to change the title and priority, so setting back to what they were in #13. I don't know what our decision needs to be yet, but whatever it is, I think it needs to be made before release, so "critical".
Comment #18
Damien Tournoud CreditAttribution: Damien Tournoud commentedThe fact that Ubuntu 8.04 LTS will be supported up until 2013 is completely irrelevant to the discussion.
RedHat Enterprise Linux 5 will be supported up until March 31, 2014 (end of production 3) March 31, 2017 (end of extended support). RHEL ships with PHP... 5.1.6.
All the current versions (versions N) of all the major distributions now ship with at least 5.2.5, including in their current LTS versions (including RHEL6 that should be released very soon). I see no reason not to mandate it.
Comment #19
catchThere are benchmarks on the check_plain() issue here, but I'm not sure if they contain the difference between HEAD and this patch http://drupal.org/node/523058#comment-2230974
Pretty sure the difference between having the version check or not is going to be less than 10-15% of the time spent in check_plain() now. That's nice to have if we can get it for free, but not enough to raise requirements just for that change - hence the current state of check_plain() and @todo.
If this issue is still open tomorrow I'll try to run some quick benchmarks, or there's scripts in that issue if anyone wants to do it before then.
Comment #20
Dries CreditAttribution: Dries commentedLooks like a few things broke and that we might not have to wait for a beta. Let's continue to discuss this a bit. I don't feel like there is consensus yet.
If remote streams wrappers are the problem, modules using remote stream wrappers could enforce a different PHP version, not?
And what about the security issue -- can someone describe whether that is a minor or major one? Looks like we have the same security issue in every Drupal 6 release?
Comment #21
Gerhard Killesreiter CreditAttribution: Gerhard Killesreiter commentedIt's not the problem of the Drupal project if some managers promise other managers heaven on earth.
Comment #22
catchI have one more or less personal-use server which is still running ubuntu 8.04, this because I haven't had time to update it. It has had Drupal 7 installs on it in the past for usability testing and etc., but is unlikely to get any real ones before the OS upgrade is done, however I very much doubt I'm the only person in that situation.
IMO there's a big difference between this issue, and requiring PHP 5.2+ because we wanted features plus forcing end of life quicker for previous versions.
If we can reasonably expect that no-one's running < 5.2.4, I'd go for dropping the requirement to that, and then a hook_requirements() runtime message in the status report for < 5.2.5 nudging people to upgrade (since ubuntu is the only current example, they backport security fixes anyway, and the check_plain() is only exploitable on IE6 too iirc).
Comment #23
Gerhard Killesreiter CreditAttribution: Gerhard Killesreiter commentedIf Dries wants to discuss it...
Comment #24
effulgentsia CreditAttribution: effulgentsia commentedA reminder from the OD:
I agree with catch that check_plain() alone shouldn't force us into 5.2.5 over 5.2.4. But what about these PDO issues? How do we balance those against an old(ish), but still popular Ubuntu version?
Comment #25
Damien Tournoud CreditAttribution: Damien Tournoud commentedJust to clarify: Ubuntu 8.04 is the old LTS, the current LTS being 10.04 (released in April 2010).
If you factor in that RHEL6 will be released by the end of the year, every major linux distribution (including their LTS versions) ships with at least 5.2.5. That's all that matters.
Supporting the previous LTS versions has really never been on the table. By this reasoning, we should support both RHEL5 (the distribution of choice of most "professional" hosting companies, for reasons that are definitely not technical) *and* RHEL4.
For reference:
Both "current" versions (Ubuntu 10.04 and RHEL6) ship with PHP 5.3.2.
Comment #26
LaurentAjdnik CreditAttribution: LaurentAjdnik commentedTagging
Comment #27
David_Rothstein CreditAttribution: David_Rothstein commentedFor what it's worth, Ubuntu should be identifiable from the PHP version alone (they all look like
5.2.4-2ubuntu5.xx
, I believe).Upgrading from Ubuntu 8.04 LTS to Ubuntu 10.04 LTS is not exactly trivial, for a number of reasons including the switch to PHP 5.3. I think if you look around out there, you will find a large number of people/hosts that still use Ubuntu 8.04 and have no plans to switch. If we're going to prevent those setups from using Drupal all of a sudden, we should have a very good reason for it, that's all. That reason is totally unclear from reading this thread and the other one.
I think PHP 5.1 (and Red Hat, etc) is really a special case, isn't it?
Comment #28
Gerhard Killesreiter CreditAttribution: Gerhard Killesreiter commentedThese people can continue to use Drupal 6 as they do today. This will probably be supported until at least 2012.
Comment #29
catchNo, not really. We had http://gophp5.org/, we did not have gophp5.2.5.org.
The reasons for dropping support for PHP < 5.2 are completely different to the reasons for dropping > 5.2 and < 5.2.5.
Every MySQL, PostgreSQL, sqlite and PHP requirements change has been supported by both a good reason to do so, and a survey of real world usage to some extent. We have a decent reason to change requirements here, but we don't have real-world usage data except for a couple of people's old installs + Gardens. Should be simple enough to do a poll of the major hosts via twitter or something.
Our PHP5.3 support is still very shaky, so trying to push hosts to upgrade to distro versions which default to that, and then breaking loads of D6 installs doesn't feel good to me. If we decide to go ahead with it, then we should have a better idea of how many hosts it will affect.
Do we know whether D7 is actually running into either of these during normal operation? If not I'd still go for the soft requirements check for 5.2.5.
Comment #30
chx CreditAttribution: chx commentedThis really was trigger by the remote wrapper problem. Here is the deal. Some of the direst PHP security problems in the past were from remote includes. It was not fun. So PHP has allow_url_include and allow_url_fopen ini options and anyone even remotely sane does off on the first (the second is not too important). But, user stream wrappers can register wrappers that do remote operations without being subjected to allow_url_include . There are a few things we can do:
As for the PDO bugs, my presumption is that PostgreSQL might be biten by the empty LOB stream bug. The other one, luckily, does not affect core because ATTR_DEFAULT_FETCH_MODE is not in use. By core.
To satisfy the Ubuntu hounds what about downgrading to 5.2.4 , implementing 3. documenting not to use ATTR_DEFAULT_FETCH_MODE and live happily ever after?
Edit: of course check_plain needs to be rolled back. Bummer.
Comment #31
chx CreditAttribution: chx commentedComment #32
XiaN Vizjereij CreditAttribution: XiaN Vizjereij commentedNot trying to mess with the main coders here, but which serious webhost has not updated to 5.2.5+ yet. 5.2.5 is freaking 3 years old ( according to http://www.php.net/ChangeLog-5.php#5.2.5 ). Also the current 5.2.x includes a lot of security fixes from the host's side of view.
I simply don't see the reason to why we should lower the drupal experience and performance for the mayor crowd ( like 90%+ i think ) just to maintain support for the unlucky 2% which haven't choosen a good host yet.
I could ( and most likely will ) be wrong about that, but a buffed check_plain just seems so .. juicy :)
Comment #33
chx CreditAttribution: chx commentedListen, if Ubuntu LTS is PHP 5.2.4 then they supply security patches for that. I can see the reasoning there. Not everyone wants PHP 5.3 or an unofficial PHP 5.2 or hack PHP from 8.4 into 10.4. I can understand the reasoning in staying with a distro supported PHP 5.2.4 in this case.
Comment #34
pwolanin CreditAttribution: pwolanin commentedDo we think by default stream wrappers should not be set LOCAL?
Mostly this looks good, but I think the stream wrapper part needs more thought.
Comment #35
chx CreditAttribution: chx commentedSee above why stream wrappers need to be set to remote by default: that's the secure approach. And, there will be few local wrappers anyways aside from core and hash wrapper (which I maintain so I can quickly change :P )
Comment #36
neclimdulJust as a note, we've never supported broken versions of php in the past. If the latest releases of php 5.2 on those OS's work, we should be fine with letting it run right? Should we actually check that there's a problem on ubuntu 8.04 before jumping?
Comment #37
XiaN Vizjereij CreditAttribution: XiaN Vizjereij commentedAnd debian uses 5.2.6 per default, so? First ubuntu is not the #1 linux server distro. Second we should compare between the "theoretical" and "practical" used php version. Being in an LTS does not mean, users actually use the purposed version.
I'm running drupal sites on more than 12 hosts over the world and not ONE of them uses a version below 5.2.10. Most of them use debian as os and only 2 use ubuntu lts. So i see the reasoning behind your point chx, but it seems away from/not valid for the productive world.
Comment #38
hgurol CreditAttribution: hgurol commentedWhy not just release a beta with 5.2.5 requirement and listen to for the incoming feedback, as it is previously mentioned?
Comment #39
chx CreditAttribution: chx commentedBecause feedback already arrived: people with Ubuntu Long Term Support servers that want to continue serving Drupal 6 will not update to Ubuntu 10.4 because that comes with PHP 5.3. Guys, there is no debating this point, we need to downgrade to 5.2.4, the question is only whether my proposal / patch to fight problems with remote wrappers is OK.
Comment #40
neclimdulJust to be clear, I was agreeing we need to at least lower the requirement to 5.2.4. My question was whether the rest needed to be rolled back or if that was fixed in 8.04 with the patches listed #12. It sounded like Dave was saying check_plain is fine as is.
Comment #41
chx CreditAttribution: chx commented@neclimdul the rest needs not to be rolled back, the STREAM_IS_URL functionality was introduced in 5.2.4. Whether we can make a special case, I dunno, we might do a PHP requirement at 5.2.4 and a test in install.php for check_plain working? Is that worth the bothering? I doubt and will certainly give people with just PHP 5.2.4 (are there any??) a headache.
Comment #42
neclimdulThe argument has been that there are a lot but I'm betting most larger shops looking to update D7 will be more likely to be looking at 10.04 LTS as well if not new hardware. That and php 5.3 support will almost certainly be less an issue in D7 as it was/is in D6. Really its not important though, supporting 8.04 LTS is not an unreasonable request.
The size of the population we're serving aside. It seemed like a nice bonus to use the simpler check_plain that David_Rothstein said wasn't an issue on 8.04 LTS. If you don't think its an issue, I don't have the time to benchmark/test to argue against it but it seemed like if there where people interested in testing, it could be worth while.
Basically, is it worth bothering? Maybe. If someone doesn't step up soon though, lets go with #31.
Comment #43
mstrelan CreditAttribution: mstrelan commentedHad no idea what this issue was about until reading a few of the comments.
Comment #44
chx CreditAttribution: chx commentedHere is the bothering version, verified.
Comment #46
chx CreditAttribution: chx commentedOK, OK.
Comment #47
effulgentsia CreditAttribution: effulgentsia commented+1 to #46, but if we're gonna do it in one patch, let's title the issue accordingly and add the necessary tags. It's really two separate issues, and if people want it separated, let's do that, but considering the combined patch is small, I think it's okay to combine.
Comment #48
David_Rothstein CreditAttribution: David_Rothstein commentedThanks, chx. That code looks pretty good to me, and the "experimental" approach to the htmlspecialchars() thing seems reasonable. I have not reviewed the specific nature of that check but from the command line test I assume it is correct. (This could also be a separate issue, since putting the code back in check_plain would really not be the end of the world, but I agree it is an improvement.)
Important note, though: Because Ubuntu 8.04 has
5.2.4-2ubuntu5.xx
, the version_compare() actually always returns 1 for me, so the htmlspecialchars() check does not actually run - in other words, we are assuming here that anyone with a version labeled 5.2.4-[whatever] is automatically secure, which might not be the case at all. (For example, if you have Ubuntu 8.04 but have not been keeping up with security updates, we should reject you.) Therefore, it might be better to do a second version_compare() against 5.2.5 and run the htmlspecialchars() check for anyone who does not meet that (or even just run it for everyone to keep things simple).I'd also consider a minor rewording of the error message, instead of:
maybe:
The comma and explicit mention of "PHP" make it easier to read. (I was also going to say "htmlspecialchars security patch" could link somewhere, but after looking around I'm not sure of a great place, so forget it.)
****
Overall, after reading some of the above comments, I'm going to amend my position:
Instead of saying "we should always make Drupal run on supported versions of Linux", how about we say we strive to always make it run on them unless there is a good reason not to...
And in this case, two PDO bugs that don't have a known effect on Drupal yet plus some code cleanup of check_plain() do not constitute a good reason :)
So I think we are making the right decision with this followup patch. Let's be friendly to other open source projects (and people who use them) when we can. LTS releases are an important thing for anyone who values stability, and also especially for less-technical people who just want to hit the "Update" button and know their server will work and run Drupal 7, not have to hunt around for out-of-distro PHP versions and install it themselves.
Comment #49
David_Rothstein CreditAttribution: David_Rothstein commentedActually, I guess this is definitely "needs work", for the second paragraph of #48. Otherwise, anyone who runs
5.2.4-something
but without the security patch will still be able to install and will wind up with an insecure Drupal site.Comment #50
chx CreditAttribution: chx commentedDavid, please RTBC #31 if you like that more.
Comment #51
SqyD CreditAttribution: SqyD commentedSome feedback on the PHP version requirement:
As a system administrator that is forced to use Red Hat I'm constantly faced with specific php versions requested by both drupal and non-drupal devs all the time. The 5.1.6 version included in RHEL 5.x is too old for most projects and at least two dev shops have indicated that the 5.3.1 in RHEL 6.x will be "too new" and they've requested a 5.2.x version for the time being. In the end I will be installing PHP from 3rd party repo's for the foreseeable future anyway. I don't see a need to compromise on this just to "support" any specific Linux distro version, especially the ones with longer lifetimes.
Comment #52
David_Rothstein CreditAttribution: David_Rothstein commented#31 looks fine to me in terms of fixing the critical. I am not 100% comfortable RTBC-ing it because it sounds like the stream wrapper issue needs a little more discussion (it is an API change after all). But it seems to make sense as a security hardening thing.
Anyway, I do think #46 is better overall, just needs the small change I mentioned so we make sure we never let anyone use an insecure version of 5.2.4. Here it is with that.
Comment #53
catchextra space.
Agreed the stream wrappers change needs some more discussion, the 5.2.4 check looks good to me in principle, much nicer to have that check there than in check_plain() itself.
Comment #54
neclimdulThis sounds more like a bug with our version checking than something we need to special case.
That said, I was going to be really against the special case check until I started explaining my position. Then I realized its probably the right thing anyways since it is a special case. It would theoretically lets us move the required version constant if needed. Hopefully that wont happen again though...
Comment #55
neclimdulBTW, that's a +1 to the version stuff in #52 and I agree with #53. Did we get 2 issues tangled up here?
Comment #56
chx CreditAttribution: chx commentedTangled up a little but not much. The whole version dance is pointless if we do not security harden that's why I rolled here. Agreed with #52 / # 53. So what do we think of wrappers?
Comment #57
effulgentsia CreditAttribution: effulgentsia commentedYes. See #30 for details. But they are related. This issue initially was about increasing the PHP requirement from 5.2.0 to 5.2.5 in order to harden D7 security. Since D6 did not use stream wrappers, and D7 does, it is D7's job to security harden their use, and this is only possible as of 5.2.4, since that's where stream_wrapper_register() supports a $flags parameter for identifying a stream wrapper as remote so that it respect the
allow_url_include
php.ini setting. This was committed in #11, but requires two follow-ups:1) Now that we've hardened remote stream wrappers, chx wants to harden even further by making that the default, requiring developers who create stream wrappers to explicitly opt-in to being LOCAL, and therefore, more trusted. As per #34 and other comments, people want more time to think this through.
2) Lower the requirement from 5.2.5 to 5.2.4, since that's all that's really needed for stream wrapper hardening.
We could do these as separate follow-ups, but perhaps it makes sense to leave them combined for another day or so, and only separate them if #1 gets bogged down, but we want to move quickly on #2.
Comment #58
chx CreditAttribution: chx commentedI doubt there is a rush -- only the next beta needs this fixed.
Comment #59
David_Rothstein CreditAttribution: David_Rothstein commentedRerolled to remove the extra space (per #53).
Comment #60
effulgentsia CreditAttribution: effulgentsia commentedThis issue isn't getting adequately reviewed, so splitting off the stream wrapper portion in #942690: Security harden stream wrappers by defaulting them as remote. This patch just contains the code to lower the required version. Relative to #59, I added a sentence to the code comment.
Comment #61
chx CreditAttribution: chx commentedSure but once this is in, I will critical the other as it's a security issue.
Comment #62
Damien Tournoud CreditAttribution: Damien Tournoud commentedNote that Drupal on PostgreSQL requires 5.2.11 *already*. This is enforced in PostgreSQL's
install.inc
.Comment #63
effulgentsia CreditAttribution: effulgentsia commentedJust for clarification, #62 is a reply to #30, where chx was concerned that one of the two PDO bugs existing in 5.2.4 but fixed in 5.2.5, would bite people on PostgreSQL. #62 means we don't have to worry about that being a problem if we commit #60. The other PDO bug mentioned in the OD is documented in #60. So I think we're good to go here.
Comment #64
int CreditAttribution: int commentedCommited #436582 by webchick
Abort abort\! Back to 5.2.4.
Comment #65
jrchamp CreditAttribution: jrchamp commentedNow that 5.2.4 is the minimum, would it not also make sense to remove the function_exists('sys_get_temp_dir') check from file_directory_temp() ?
Comment #66
webchickNo. We tried that before and it caused problems on Mac OSX. See http://drupal.org/node/551658#comment-2919160 and below.