FloeDesignTechnologies / phpcs-security-audit

phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code
GNU General Public License v3.0

Bug of PHPCS_SecurityAudit.Drupal7.AdvisoriesContrib.D7ErrAdvisoriesContribFoundMinor #35

Closed chinlung-chang closed 5 years ago

chinlung-chang commented 5 years ago

I installed Drupal 7 and the module ctools 7.x-1.15, but phpcs gave me the following message:

FILE: ...sites/bl/modules/contrib/ctools/ctools_ajax_sample/ctools_ajax_sample.info

FOUND 1 ERROR AFFECTING 1 LINE

1 | ERROR | Module ctools 7.x-1.15 contains security issue and must be updated | | to at least 7.x-1.3. Details: SA-CONTRIB-2013-041 | | CVE-2013-1925 | | (PHPCS_SecurityAudit.Drupal7.AdvisoriesContrib.D7ErrAdvisoriesContribFoundMinor)

ctools 7.x-1.15 is a later release than 7.x-1.3. The code contains a logic error.

jmarcil commented 5 years ago

Hello @chinlung-chang,

good catch!

The problem occurs when comparing versions with only one digit after the decimal point. Thus, 1.15 would be compared with 1.30, while it's actually 1.03 if you look at both as floats.

This didn't show back in the days when most of the tests were done on one-decimal version numbers, but over time it became more apparent as modules went over x.10.

My solution was to rename module versions with a 0 on the decimal when needed, such as 1.3 becoming 1.03, and then comparing that with the CVE number.

I will commit a fix to master.

Thanks!
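The float comparison described in the thread, reproduced alongside a component-wise check, as an added example. This is not code from phpcs-security-audit and does not show the maintainer's zero-padding fix; it splits the Drupal 7 contrib version into integer major/minor parts instead, which also works once a module's minor number passes 99. The parser, the optional `7.x-` prefix handling, and the treatment of pre-release suffixes (`dev`, `beta2`, ...) are assumptions of this example; the versions and advisory reference come from the issue.

```php
<?php
// Added example (not part of phpcs-security-audit): why a float comparison of
// Drupal 7 contrib versions misfires, and a component-wise comparison that does not.

/**
 * Parse a Drupal 7 contrib version such as "7.x-1.15" or "7.x-2.0-beta3"
 * into integer components. Returns null when the string does not match.
 * The "7.x-" core prefix is optional here (an assumption of this example);
 * development branches like "7.x-1.x-dev" deliberately do not match.
 */
function parse_d7_contrib_version(string $version): ?array {
    if (!preg_match('/^(?:7\.x-)?(\d+)\.(\d+)(?:-(\w+))?$/', $version, $m)) {
        return null;
    }
    return [
        'major' => (int) $m[1],
        'minor' => (int) $m[2],
        'extra' => $m[3] ?? '',   // e.g. "beta3" or "dev"; empty for a stable release
    ];
}

/**
 * The behaviour reported in the issue: casting "1.15" and "1.3" to float makes
 * 1.15 < 1.3, so a newer release is reported as older than the fixed version.
 */
function is_vulnerable_float(string $installed, string $fixed): bool {
    $a = parse_d7_contrib_version($installed);
    $b = parse_d7_contrib_version($fixed);
    if ($a === null || $b === null) {
        return true;
    }
    return (float) "{$a['major']}.{$a['minor']}" < (float) "{$b['major']}.{$b['minor']}";
}

/**
 * Component-wise check: compare major, then minor, as integers. A pre-release
 * (dev/alpha/beta/rc) of the fixed version is still treated as vulnerable, and
 * an unparseable version is flagged rather than silently assumed safe.
 */
function is_vulnerable(string $installed, string $fixed): bool {
    $a = parse_d7_contrib_version($installed);
    $b = parse_d7_contrib_version($fixed);
    if ($a === null || $b === null) {
        return true;
    }
    if ($a['major'] !== $b['major']) {
        return $a['major'] < $b['major'];
    }
    if ($a['minor'] !== $b['minor']) {
        return $a['minor'] < $b['minor'];
    }
    // Same numeric version: a pre-release suffix sorts before the stable release.
    return $a['extra'] !== '' && $b['extra'] === '';
}

// Usage with the values from the issue (SA-CONTRIB-2013-041, fixed in 7.x-1.3).
$fixed = '7.x-1.3';
foreach (['7.x-1.15', '7.x-1.2', '7.x-1.3', '7.x-1.3-beta1'] as $installed) {
    printf("%-14s float: %-5s component: %s\n", $installed,
        is_vulnerable_float($installed, $fixed) ? 'VULN' : 'ok',
        is_vulnerable($installed, $fixed) ? 'VULN' : 'ok');
}
```

Running it shows the two failure modes of the float approach side by side: 7.x-1.15 is a false positive (1.15 < 1.3 as floats, the exact report in this issue), while 7.x-1.3-beta1 is a false negative, because the cast discards the suffix and 1.3 is not less than 1.3. The component-wise check reports 7.x-1.2 and 7.x-1.3-beta1 as vulnerable and 7.x-1.15 and 7.x-1.3 as fixed.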