Zend Module Installer

zhhealthcare wrote on Monday, January 06, 2014:

Help me understand this: you are saying that a module that “May” be contributed to be installed using the Module installer “May” cause problems. Hence do not accept the Module Installer.

My question is, do you have a problem with the Module installer per se assuming (without accepting) that a given module passes muster?

Or is it your contention that the Module installer itself has non-secure items within it? If it is the latter we can fix that.

Thanks and Regards,
Jacob T.Paul
ZH Healthcare

kchapple wrote on Monday, January 06, 2014:

In my opinion, I don’t believe that this is a good approach for a plugin/module loader for OpenEMR. I don’t see a reason to integrate the Zend Framework. If there was a clearly defined path to migrate all of OpenEMR into Zend Framework, then and only then would this approach make sense to me.

OpenEMR already has components for ACL, Database abstraction, etc. In fact, OpenEMR already has a type of “module loader” in the forms interface (as Kevin alluded to.)

My suggestion is that we help ZH enhance and secure the existing form plugin framework to be more flexible to include these types of modules.

If ZH has code written in Zend Framework, they can integrate their code at the level of this new module loader that doesn’t introduce a number of unnecessary files and impose an extremely complex structure on newly developed modules.

Ken
ken@mi-squared.com

yehster wrote on Monday, January 06, 2014:

Security is not my only concern with your approach. It was just the topic I chose to comment on first.

zhhealthcare wrote on Tuesday, January 07, 2014:

Hi,

We have attached two documents, one lists the security features we already used in Module Installer and the other lists the security mechanisms supported by ZF2. The Zend prevents sql injection in the case of placeholder values. We are able to return the correct sql insert id. The logging mechanism is logging all the queries as in OpenEMR logs.

Thanks and Regards,
ZH Healthcare

bradymiller wrote on Tuesday, January 07, 2014:

Hi ZH,

I am assuming this is to answer my questions above, which were sort of trick questions :slight_smile:

1. Regarding your security document above, how do you plan to secure the following from sql injection:
SELECT * FROM $variable_table_name WHERE ‘value’=? ORDER BY $variable_direction LIMIT $variable_limit
(note there are functions within openemr database engine that do these things already)

I am asking you how you are going to escape the $variable_table_name, $variable_direction and $variable_limit variables in the above sql statement. You can’t use parameters there; note this has been dealt with in openemr’s current database scheme/functions.

2. Are you able to insert a new sql row of data and correctly return the insert row id?

Ensure your log function insert call does not replace the id. This was a super annoying bug that has been dealt with in openemr’s current database scheme/functions and was operating system and php version dependent (for example, this is why openemr did not used to work on newer xampp versions in the past).

3. Is your log function doing the same thing as the original log function in openemr?

Your log function is 8 lines and the one in openemr now is using a library of code about 500 lines long…
library/log.inc
You are missing md5sums, ATNA connections, categorization, etc…

Additionally, just by looking at the code, your method of recreating the sql queries that use binding is not in the same format and will break if there are any ‘?’ symbols in the data fields.

Please note this is only the beginning of converting to another database engine…

Regarding security, Zend does give you tools in the security aspect, but important to note that there seems to be nothing there that does not yet already exist in openemr’s library, except for the javascript and css escaping functions, which would be very useful to analyze and also get it within openemr’s native codebase at some point for non-zend stuff.

-brady
OpenEMR
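The two pitfalls in the post above (query parts that cannot be bound, and rebuilding a bound query for the audit log) in working code. This is an added example, not code from ZH's module installer or from OpenEMR; the function names (safeTableName, safeDirection, safeLimit, renderNaive, renderForLog) and the table list are hypothetical. OpenEMR's own escape_table_name() validates against the live schema; the allow-list here is a constructed stand-in so the file runs offline.

```php
<?php
// Added example (not OpenEMR or ZH code). Validates the non-parameterizable
// parts of "SELECT * FROM $table WHERE value=? ORDER BY $dir LIMIT $limit"
// before interpolation, and shows why rebuilding a bound query for the log by
// repeatedly replacing '?' breaks as soon as a bound value contains '?'.

// Constructed allow-list of real table names (stand-in for a schema check).
$KNOWN_TABLES = array('users', 'patient_data', 'log');

function safeTableName($name, array $known)
{
    // identifier characters only, and it must be a table we know about
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name) || !in_array($name, $known, true)) {
        throw new InvalidArgumentException("Unknown table name: $name");
    }
    return '`' . $name . '`';
}

function safeDirection($dir)
{
    $dir = strtoupper(trim($dir));
    return $dir === 'DESC' ? 'DESC' : 'ASC';   // anything else falls back to ASC
}

function safeLimit($limit, $max = 1000)
{
    $n = (int) $limit;                          // cast drops "10; DROP TABLE x"
    if ($n < 1) { $n = 1; }
    if ($n > $max) { $n = $max; }
    return $n;
}

function buildQuery($table, $direction, $limit, array $known)
{
    return sprintf(
        'SELECT * FROM %s WHERE `value` = ? ORDER BY `id` %s LIMIT %d',
        safeTableName($table, $known),
        safeDirection($direction),
        safeLimit($limit)
    );
}

// Naive reconstruction for logging: one '?' per bound value, but the whole
// string is re-scanned each time, so a '?' inside an earlier value is
// consumed as the next placeholder.
function renderNaive($sql, array $binds)
{
    foreach ($binds as $v) {
        $sql = preg_replace('/\?/', "'" . addslashes($v) . "'", $sql, 1);
    }
    return $sql;
}

// Single left-to-right pass: split on the placeholders first, then
// interleave the values, so substituted data is never re-scanned for '?'.
function renderForLog($sql, array $binds)
{
    $parts = explode('?', $sql);
    if (count($parts) - 1 !== count($binds)) {
        throw new RuntimeException('placeholder/bind count mismatch');
    }
    $out = $parts[0];
    foreach ($binds as $i => $v) {
        $out .= "'" . addslashes($v) . "'" . $parts[$i + 1];
    }
    return $out;
}

echo buildQuery('users', 'desc', '25', $KNOWN_TABLES), "\n";

try {
    buildQuery('users WHERE 1=1#', 'ASC', 10, $KNOWN_TABLES);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

$sql   = 'INSERT INTO `log` (`comment`, `user`) VALUES (?, ?)';
$binds = array('why?', 'admin');
echo renderNaive($sql, $binds), "\n";      // 'admin' lands inside 'why?'
echo renderForLog($sql, $binds), "\n";     // both values in the right slots
```

renderForLog still miscounts if the query text itself carries a literal '?' inside a string constant, which is why the audit record is better kept as the query plus its separate bind array than as a re-interpolated string.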

zhhealthcare wrote on Tuesday, January 07, 2014:

Hi Brady,

Regarding point no.1 did you mean dealing with a script like the following:


<?php
// $table carries a MySQL comment marker: everything after '#' on the line,
// including the WHERE clause and its placeholder, is commented out.
$table = 'users WHERE 1=1#';
$where = " WHERE id = ?";
$sql   = "SELECT * FROM $table $where";
$res   = sqlStatement($sql, array(1));
while ($row = sqlFetchArray($res)) {
    echo '<pre>'; print_r($row);
}

if not please clarify.

Regarding point no.2, we are getting the correct insert id using the zend query.

Regarding point no.3, the log mechanism we created is for simple logging which logs all the queries as in OpenEMR, we will look into the problems you mentioned and will correct it.

Thanks and Regards,
ZH Healthcare

bradymiller wrote on Wednesday, January 08, 2014:

Hi,

  1. In your query above, the question is how to escape the $table. The functions to do this in native code are here:
    library/formdata.inc.php
    (escape_table_name() and note all the other functions there to escape other elements of the query)
    Note these use sql queries in some instances; my suggestion here is to simply use these functions when needed in Zend when creating the query; wouldn’t make wrappers or anything like that (although, if desired could make a wrapper) since it appears that using two database engines at the same time is not breaking anything (for example your zend database engine and openemr’s native engine seem to be working at the same time currently since globals.php does sql calls)
    (note there is even a function here to deal with the annoying situation when somebody placed caps in a openemr table to work with table if it is in or not caps/not_caps)

  2. That is good news, but is something to watch out for in the future. It will be good to try it on other OS’s and php versions.

  3. My suggestion here, is to not make your own log function, just send it through openemr’s function in library/log.inc :
    auditSQLEvent($sqlquery,boolean(TRUE if worked and FALSE if didn’t work),$param_array);

The next question is what happens when there is an error in the sql query?

-brady
OpenEMR

bradymiller wrote on Wednesday, January 08, 2014:

And another question to think about is how to skip the logging (could make this a parameter in your zQuery function)?
-brady

bradymiller wrote on Thursday, January 09, 2014:

Hi,

Couple more thoughts here on the database stuff:

In interface/modules/zend_modules/config/autoload/global.php:
1. Where are the $GLOBALS[‘login’] etc. being taken from? I can’t see where these are being set (I assumed it was from sqlconf.php but don’t see the globals set there). And if this isn’t being set correctly, then how is it working?
2. Need to support the port also
3. Note there is a flag in sqlconf.php to allow setting of UTF8 vs not UTF8 ($disable_utf8_flag), so should have the set NAMES UTF8 dependent on that.

Regarding zQuery function, would be nice to have something like:
zQuery($query,$params='',$log=TRUE,$error=TRUE)
Then with a couple lines you can support all required stuff from one function in the Zend database engine. And as above, rec just calling auditSQLEvent() for the logging.

-brady
OpenEMR
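The single-entry-point wrapper sketched across the last three posts (log and error flags, auditSQLEvent() for the audit record, the port in the connection settings, SET NAMES utf8 tied to $disable_utf8_flag, and the insert id surviving the log call) as an added example. This is not ZH's zQuery and not OpenEMR code; PDO over an in-memory SQLite database stands in for the Zend database adapter so the file runs stand-alone, and buildMysqlDsn/connectMysql are only for a real MySQL deployment and are not called below. auditSQLEvent() is OpenEMR's real function in library/log.inc; when it is not loaded the wrapper falls back to an in-memory list.

```php
<?php
// Added example (not ZH's zQuery, not OpenEMR code). zQuery($db, $query,
// $params, $log, $error): binds parameters, records the audit entry through
// auditSQLEvent() when OpenEMR's log.inc is loaded, returns the insert id
// for INSERTs, and lets the caller pick a fatal or a soft failure.

function buildMysqlDsn($host, $port, $dbase)
{
    // sqlconf.php carries $port; it must reach the connection string too
    return sprintf('mysql:host=%s;port=%d;dbname=%s', $host, (int) $port, $dbase);
}

function connectMysql($host, $port, $login, $pass, $dbase, $disableUtf8Flag)
{
    $db = new PDO(buildMysqlDsn($host, $port, $dbase), $login, $pass,
        array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
    if (!$disableUtf8Flag) {                 // mirrors $disable_utf8_flag
        $db->exec('SET NAMES utf8');
    }
    return $db;
}

$AUDIT_FALLBACK = array();                   // local log when outside OpenEMR

function recordAudit($sql, $outcome, array $params)
{
    global $AUDIT_FALLBACK;
    if (function_exists('auditSQLEvent')) {  // OpenEMR's library/log.inc
        auditSQLEvent($sql, $outcome, $params);
    } else {
        $AUDIT_FALLBACK[] = array('sql' => $sql, 'ok' => $outcome, 'binds' => $params);
    }
}

function zQuery(PDO $db, $query, array $params = array(), $log = true, $error = true)
{
    try {
        $stmt = $db->prepare($query);
        $stmt->execute($params);             // values stay bound, never interpolated
        // Capture the insert id BEFORE logging: the audit call may itself
        // insert a row and would otherwise overwrite the id we want.
        $result = preg_match('/^\s*INSERT\b/i', $query) ? $db->lastInsertId() : $stmt;
        if ($log) { recordAudit($query, true, $params); }
        return $result;
    } catch (PDOException $e) {
        if ($log) { recordAudit($query, false, $params); }
        if ($error) {
            throw $e;                        // fatal: surface to the caller
        }
        return false;                        // soft: caller checks the result
    }
}

// Constructed demo against SQLite in memory.
$db = new PDO('sqlite::memory:', null, null,
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
zQuery($db, 'CREATE TABLE log (id INTEGER PRIMARY KEY, comment TEXT)', array(), false);

$id1 = zQuery($db, 'INSERT INTO log (comment) VALUES (?)', array('first'));
$id2 = zQuery($db, 'INSERT INTO log (comment) VALUES (?)', array('why?'));
echo "insert ids: $id1, $id2\n";            // 1, 2: the log call did not clobber them

$rows = zQuery($db, 'SELECT comment FROM log WHERE id = ?', array($id2))
    ->fetchAll(PDO::FETCH_COLUMN);
echo "row 2: ", $rows[0], "\n";

$bad = zQuery($db, 'SELECT * FROM no_such_table', array(), true, false);
echo "bad query returned: ", var_export($bad, true), "\n";
echo "audit entries: ", count($AUDIT_FALLBACK), "\n";   // 4 logged, 1 marked failed
```

The CREATE statement is run with $log=false to show the skip-logging parameter; the failing SELECT is run with $error=false so the caller gets false back instead of an uncaught exception, and the audit record for it carries outcome false.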

bradymiller wrote on Monday, January 13, 2014:

Hi,

Regarding the inclusion/exclusion of the actual Zend2 library in the codebase. Nicely, this can be decided on later down the road because of ZH’s most recent improvement above (can essentially set whatever path you want for the Zend2 library).

Here’s what appears to be needed to install the Zend libraries and get it configured with php:
http://framework.zend.com/manual/2.1/en/ref/installation.html

It does not appear to be nearly as simple as installing a package like curl would be in ubuntu:
sudo apt-get install php5-curl

Does anybody know of a mechanism or package in ubuntu (figured this is a good os to start to look into this) that can install the zend2 library like the above curl dependency was installed (ie. installed via a package)?

-brady
OpenEMR

kchapple wrote on Monday, January 13, 2014:

A common practice these days to manage dependencies for web projects made of various components is to use composer.

http://getcomposer.org/

Kenneth Chapple
ken@mi-squared.com


iankarlwallace wrote on Monday, January 13, 2014:

Detailed instructions on adding Zend via composer is available at:

http://framework.zend.com/downloads/composer

ian

Ian Wallace - PGY 3 Ventura Residency Family Medicine © 303.681.5732

mdsupport wrote on Wednesday, January 15, 2014:

Composer based release mechanism probably addresses concerns about malicious installs. Is the following possible?

  1. No changes to current standard code
  2. Module installer (or zf2 module) is published on sourceforge as a ‘common’ module under something like OpenEMR Optional Modules folder.
  3. Each contributed module shown in the OpenEMR Optional Modules folder.
  4. Module installation instructions will ask or possibly run script to
     - Install composer (if not already present)
     - Add lines to composer.json and require files.

Each module will then pull in module installer/common zf2 module code (if not already present) which in turn will pull in zf2 code from zend (if not already present).

zhhealthcare wrote on Thursday, January 16, 2014:

Hi,

We are accommodating the log functionality as in the OpenEMR to zend modules. For some clarifications we have contacted Visolve and they are working on the documentation of the logging mechanism and will provide it once it is complete. Once we get it from them we will do the required changes and will commit it.

Thanks and Regards,
ZH Healthcare

bradymiller wrote on Thursday, January 16, 2014:

Hi,

This sounds like an unnecessary delay (waiting on another entity to produce documentation, reproducing working code, etc.). Why not just use/wrap auditSQLEvent(), which will take 1 minute, rather than several months, so can keep moving forward on this?

-brady
OpenEMR

bradymiller wrote on Thursday, January 16, 2014:

Note that akin to the forms module, there will likely be zend modules that are installed already on a default install (such as the stuff for MU2), thus module installer and/or zf2 code will likely need to be supported out of the box on a new install.
-brady

yehster wrote on Thursday, January 16, 2014:

When ZH releases their modules for MU2 functionality under an appropriate Open Source license, then I will personally contribute more time and effort to getting Zend into the OpenEMR install process neatly and cleanly.

As an example, we could have the zend framework files in a .tar/.zip that gets unpackaged by the installer automatically. However I would want to make sure that such a package could be built directly from official Zend source. Any customizations to address OpenEMR specific security issues like injection and logging would need to be cleanly isolated as they are with Adodb, so there is more or less “drop-in” compatibility.

On the other hand, if the MU2 modules are going to be something which ZH only provides users who approach them as is the case with the Offsite portal, I will likely reconsider my level of contributions to the project.

mdsupport wrote on Thursday, January 16, 2014:

If zf2 is going to be required as part of core functionality, we should get the zf2 install process in place early. Looks like you can do apt-get zend server but not framework. So composer may be good option to try with OpenEMR as the project where both openemr and zf2 get pulled in from git by composer.

kchapple wrote on Thursday, January 16, 2014:

So composer may be good option to try with OpenEMR as the project where both openemr and zf2 get pulled in from git by composer.

I think this is a good idea. It’s a flexible solution that could be used to extend OpenEMR using third party components in the future. It can also be used to configure what modules you want to include in your installation.

Ken

bradymiller wrote on Friday, January 17, 2014:

Hi,
Some things to think about are keeping it simple for users to install and for them to not rely on a network connection. After seeing that it is not straightforward to bring in the zf2 library, beginning to lean towards placing the zf2 library, which is rather small, in the openemr package…
-brady
OpenEMR