Security false positives thrown for eval (… )
Hi
Perhaps a bit of an edge-case issue we’ve found, perhaps not edge-case. But an issue nonetheless.
We currently apply the 7G Firewall Rules from PerishablePress on our site. The query string module of the firewall contains two lines which block any substring request containing “eval” in the setting name.
RewriteCond %{QUERY_STRING} (e|%65|%45)(v|%76|%56)(a|%61|%31)(l|%6c|%4c)(.*)(\(|%28)(.*)(\)|%29) [NC,OR]
RewriteCond %{QUERY_STRING} (concat|eval)(.*)(\(|%28) [NC]
We have a number of snippets delivered with WPCode which instruct to check for respective nonce values. These values are also dynamically generated by our PHP code. With each snippet active individually, they all function perfectly. With two or more of these snippets active at the same time, the snippets fail on submission with the following reported in the wpcode error log:
2023-08-24T06:12:18+00:00 Cannot redeclare contact_form_shortcode() (previously declared in /home/obfuscated/public_html/wp-content/plugins/insert-headers-and-footers/includes/class-wpcode-snippet-execute.php(277) : eval()'d code:2)
The file “class-wpcode-snippet-execute.php” contains one ‘eval()’ function on line 277, contains several other ‘eval’ references elsewhere in the code, and also includes the word “beval”, itself containing the word ‘eval’. The eval function of this file on line 277 is being used in the context of executing our dynamically generated PHP code (our nonce checks) when all snippets are active. Hence, because ‘eval’ substrings are blocked by the firewall, the code fails when all are active, but each functions perfectly when it is the only one active.
A point of note, the 7G firewall doesn’t check for the proper ‘eval (…)’ regular expression, which your file “class-wpcode-snippet-execute.php” actually serves. Instead it blocks any request containing ‘eval’ as part of the expression, which is why I mentioned there are other eval references in your code. Anyway, by commenting out the ‘eval’ rules from the 7G firewall, all of the snippets function perfectly when all of the snippets are active at the same time.
I spoke with PerishablePress regarding the same conflict that arose with the WPForms plugin earlier this year, and they don’t intend to modify the ‘eval’ ruleset. Or at least they didn’t at that time. Safety first and all that. And I’m seeing more notes elsewhere advising not to use ‘eval(…)’: eval() – JavaScript | MDN (mozilla.org). So in this instance with WPForms, WPForms responded by modifying the ‘eval’ reference within their code that was behind the problem. You can see that discussion in the link below.
Error loading block: the response is not a valid JSON response | www.remarpro.com
I just wanted to bring this to your attention as more errors may become reported by users as the 7G and 8G firewall rules furnish more servers with time, if they’re trying to handle the execution of similar code. It would appear that DreamShield incorporated all or part of the 7G ruleset earlier this year, and I remember seeing AIOWPS had mentioned looking to incorporate 7G too (currently use 5G and 6G), although that was perhaps a year ago or so. Perhaps with the above knowledge, similar errors/conflicts you have seen reported and been unable to resolve elsewhere may now become clear as to their potential cause. Or maybe you’ve already seen it, I don’t know.
I don’t require assistance so please don’t prioritise getting back to me. I’m going to look to replace the ‘eval’ code in the file with a combination of ‘create_function’ and anonymous functions, which will be a safer alternative while keeping the ‘eval’ firewall ruleset intact. We really need those intact on this project.
Thanks for looking, Matt
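To make the false-positive mechanism in the post concrete, the following added example (not part of the original post or of the 7G or WPCode code) translates the two quoted 7G query-string rules from Apache mod_rewrite into Python regexes and runs them over constructed query strings. It also shows a stricter check that only fires on an actual `eval(` call after one round of URL-decoding; the sample strings and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# The two 7G query-string rules quoted above, as Python regexes. Both carry
# the [NC] flag in mod_rewrite, so they are compiled case-insensitively.
RULE_ENCODED_EVAL = re.compile(
    r"(e|%65|%45)(v|%76|%56)(a|%61|%31)(l|%6c|%4c)(.*)(\(|%28)(.*)(\)|%29)",
    re.I,
)
RULE_CONCAT_EVAL = re.compile(r"(concat|eval)(.*)(\(|%28)", re.I)


def blocked_by_7g(query_string: str) -> list[str]:
    """Names of the 7G rules that would fire on this raw query string.

    The rules are joined with [OR] in the firewall, so either one is enough
    to block the request; returning both names shows which matched.
    """
    hits = []
    if RULE_ENCODED_EVAL.search(query_string):
        hits.append("encoded-eval")
    if RULE_CONCAT_EVAL.search(query_string):
        hits.append("concat-eval")
    return hits


def contains_real_eval_call(query_string: str) -> bool:
    """Stricter alternative: decode once, then require 'eval' as a whole word
    directly followed (optional whitespace) by an opening parenthesis.

    Unlike the 7G substring rules, this does not fire on words such as
    'medieval' or 'retrieval' that merely contain the letters e-v-a-l.
    """
    decoded = unquote(query_string)
    return re.search(r"\beval\s*\(", decoded, re.I) is not None


# Constructed sample query strings (not taken from the post).
SAMPLES = {
    "plain-call":     "q=eval(phpinfo())",             # what the rule targets
    "encoded-call":   "q=%65%76%61%6c%28phpinfo%28%29%29",
    "benign-word":    "title=medieval+history&filter=(2023)",  # false positive
    "clean":          "action=submit&_wpnonce=abc123",
}

if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        print(f"{name:14} 7G={blocked_by_7g(qs)!s:30} strict={contains_real_eval_call(qs)}")
```

The "benign-word" sample trips both 7G rules although it carries no eval call, while the stricter check leaves it alone and still catches both the plain and the percent-encoded call.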