acmoore wrote on Wednesday, April 14, 2010:

Hi openemr developers -

Thanks for such a useful piece of software.

I’ve been looking at making some modifications to the installer to help me install it in my environment, and I noticed the use of extract() on the _GET and _POST variables. I think this is recommended against in the PHP documentation: http://php.net/manual/en/function.extract.php

"Warning

Do not use extract() on untrusted data, like user input (i.e. $_GET, $_FILES, etc.). If you do, for example if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that’s defined in variables_order within the php.ini."

I’m attempting to include a patch that eliminates the dependency on extract()ing directly into the namespace. There were just a few variables that appeared to need explicit fetching out of $_POST. I hope the patch pasted into the forum is usable. If not, please let me know where I can email it. This was made against the CVS repository. I hope that’s the correct place.

If this is not an appropriate patch, for instance if I’ve missed any variables, or if it’s preferred to use extract more carefully, please let me know and I’ll try to improve this.

I look forward to contributing more in the future.

Thanks,
Andrew Moore

Index: setup.php

RCS file: /cvsroot/openemr/openemr/setup.php,v
retrieving revision 1.44
diff -u -r1.44 setup.php
– setup.php   1 Apr 2010 20:06:21 -0000       1.44
+++ setup.php   14 Apr 2010 14:13:15 -0000
@@ -9,9 +9,6 @@
   return $s;
}

-//required for normal operation because of recent changes in PHP:
-extract($_GET);
-extract($_POST);
//turn off PHP compatibility warnings
ini_set(“session.bug_compat_warn”,“off”);

@@ -84,6 +81,7 @@
       
<?php
  if ($state == 7) {
+   $iuser = $_POST;
?>

<p>Congratulations! OpenEMR is now installed.</p>
@@ -134,6 +132,7 @@
   $iuser = $_POST;
        $iuname = $_POST;
        $igroup = $_POST;
+        $inst = $_POST;

   /*******************************************************************
        $openemrBasePath = $_POST;

sunsetsystems wrote on Wednesday, April 14, 2010:

Much more relevant is the use of this in interface/globals.php, which is invoked by just about everything.  If you’d like to work on that, I suggest removing extract() there and then do lots of testing to see what breaks, and fix it.

You can use the Tracker to post patches: https://sourceforge.net/tracker/?group_id=60081&atid=493003

Rod
www.sunsetsystems.com

acmoore wrote on Wednesday, April 14, 2010:

Thanks. I’ve added this patch to the tracker.

I see the call to extract() in globals.php. That one is going to be much more work! If I bump up against it in my work, I’ll see what I can do to eliminate it, too.

-Andy

sunsetsystems wrote on Wednesday, April 14, 2010:

It might not be too bad.  I’ve generally removed dependencies on register_globals as they were encountered, so there’s probably not much left.  Mostly the task is about extensive testing.

Rod
www.sunsetsystems.com

bradymiller wrote on Thursday, April 15, 2010:

hi,
Just committed your patch to the development tip.
thanks,
brady

bradymiller wrote on Thursday, April 15, 2010:

Also, to confirm. Yes, the cvs repository is the right place to make the patch from. We have some developer docs here:
http://www.openmedsoftware.org/wiki/Main_Page#Developer_Manuals

acmoore wrote on Thursday, April 15, 2010:

Thanks, Brady!
-Andy