I was a bit taken back today after stumbling across this pdf by Dr. Wolf-Fritz Riekert https://share.ieservices.de/downloads/documents/Wordpress_Flowplayer_Plugin_pash-m_recent_version.pdf

Google translated version

Seems my plugin and the code therein has been the subject of a study, after perusing the google translation of the document I can see some very interesting concepts on how to improve the plugins integration with wordpress itself, I have sent an email Dr. Wolf-Fritz Riekert, asking if I can take his concepts and apply them to my code, so have a read and check back for version 2.1.0.0 soon,

Also of note the authors at Flowplayer.org have also granted me permission to use the latest verison of flowplayer, this will be rolled into 2.1.0.0

Remember to request features please use my Trac system.

Update:Dr. Wolf-Fritz Riekert has gotten back to me, this study is in fact the work of a group of students, the project leader of which was Martin Wörz, of ieservices.de, I’ll be liaising with him over the concepts in the study.

For security newer distros of RHEL and their derivatives an mounting /tmp with the noexec option.

Now if you have ever had to clean up a compromised web app you can see why this makes a lot of sense, and if not here’s a quick example.

Yours/Clients web app becomes compromised, running kernel has a buffer overflow that can lead to privilege escalation, attack writes out their code and compiles in /tmp, then runs said app from /tmp creating a pseudo root level shell, aka you’ve just been root kitted.

However there are legitimate reasons for using /tmp to compile, well I say legitimate, what I in fact mean is things like pecl, which you use to install extensions like APC require this …

workaround:

export TMPDIR='/a/paTh/your/user/can/write/to'

Failing that:

service httpd stop

DO NOT ALLOW ANY WEBAPP ACCESS WHILE NOEXEC IS IN USE!

mount -o,remount,rw,exec /tmp
pecl install apc
mount -o,remount,rw,noexec /tmp

DO NOT REMOVE THE NOEXEC OPTION IN /ETC/FSTAB PERMANENTLY YOU WILL REGRET DOING SO

Redhat bug 537535

Take for instance this code saved as test.php.png

<?PHP
print_r($_POST);
?>

Low and behold this will render out the entire post array! and will interpret the php itself, now lets be clear here the proper use of selinux and directory structures to prevent UGC from being allowed to be access directly and / or run arbitrary code would of prevented this, however as is often the case the setup is such that the preventative conditions could not / are not deployed.

At any rate this bug comes courtesy of the apache AddHandler directive,

AddHandler x-httpd-php .php

The statement above seems to ‘loose’ match the .php extension meaning a file simply only contain .php anywhere in it’s filename to be interpreted as PHP.

The suggested work around for this is as follows:

#Workaround for bug here: https://bugzilla.redhat.com/show_bug.cgi?id=537535
<FilesMatch \.php$>
SetHandler x-httpd-php
ForceType text/html
</FilesMatch>

Note this does not effect the AddType directive, after testing on the same version using:

AddType application/x-httpd-php .php

Is not effected by this ‘bug’.

In some situations using a double quotes string is required i.e. “this\nstring\nappears\over\nmany\nlines” …

However in 99% of cases it is used without even thing about in implications of doing so … PHP will infact evaluate any string wrapped in double quotes, this adds a processing overhead, but it seems people do not actually reliase how much in comparrison to using single quotes for the same string.

Take for example this code:

<?PHP
/**
 * double-quotes-are-bad.php ~ D.Busby (Saiweb.co.uk)
 **/
$start = microtime(true);
$var = "This is a stiring it may not actually have anything to be parse within"
        .       " However the issue remains that infact php will attempt to evaluate every char"
        .       " In this string, which in this example may not be so bad, as it's just one string"
        .       " In one file, buit imagine what happens when every string in your webapp uses double quotes";
$end = microtime(true);
$len = strlen($var);
$res = round($end-$start,10);
echo $len.' Chars evaluated in '.$res.' seconds'."\n";

$start = microtime(true);
$var = 'This is a stiring it may not actually have anything to be parse within'
        .       ' However the issue remains that infact php will attempt to evaluate every char'
        .       ' In this string, which in this example may not be so bad, as it\'s just one string'
        .       ' In one file, buit imagine what happens when every string in your webapp uses double quotes';
$end = microtime(true);
$len = strlen($var);
$res2 = round($end-$start,10);

echo $len.' Chars evaluated in '.$res2.' seconds'."\n";

$speed = round((1 - $res2/$res) * 100,2);

echo 'Single quotes are '.$speed.'% faster'."\n";

?>

Now I am running this on a live server, that is serving in excess of 100 pages a second, take a look at the output:

320 Chars evaluated in 1.40667E-5 seconds 320 Chars evaluated in 3.0994E-6 seconds Single quotes are 77.97% faster

320 Chars evaluated in 1.28746E-5 seconds 320 Chars evaluated in 3.0994E-6 seconds Single quotes are 75.93% faster

320 Chars evaluated in 1.3113E-5 seconds 320 Chars evaluated in 2.1458E-6 seconds Single quotes are 83.64% faster

320 Chars evaluated in 1.19209E-5 seconds 320 Chars evaluated in 2.861E-6 seconds Single quotes are 76% faster

320 Chars evaluated in 1.3113E-5 seconds 320 Chars evaluated in 2.861E-6 seconds Single quotes are 78.18% faster

320 Chars evaluated in 1.3113E-5 seconds 320 Chars evaluated in 2.861E-6 seconds Single quotes are 78.18% faster

The improvement is consistently in excess of 75%, so the moral of the story? don’t use “” if you do not need to!

Thanks to everyone along the way who’ve discussed and proven development methods along the way with me, and sorry it’s taken so long to get them written up.

Call to undefined function imagettfbbox()

Either you do not have php GD installed (check your phpinfo(); and see if GD has laoded with TTF support)

Or if you are compiling from source add: –with-gd –with-freetype-dir=/lib64 –with-ttf=/lib64 –enable-gd-native-ttf

to your configure line.

Note: you’ll need gd-devel and freetype-devel libs installed, and im using /lib64 as im running a 64bit OS.