canary mismatch on efree() - heap overflow detected (functions-basic.php KSES)

I'll preface this by saying I think my issue has to do with PHP but perhaps figuring out what's going on in the functions-basic.php page might help me resolve it.

What's happening (long and detailed):

I've been having this issue with my personal site where it wouldn't load. (Old version of the site was just a blank page - new version is just a "The connection was reset" error - more details on this below)

If I browse directly to an image - the image will load. I can also FTP and SSH in no problems...everything is there. Once I restart Apache the site is fine again - nothing is lost and it was like nothing ever happened. When this happens, it only happens to my personal site...and ONLY to the "www" domain - all sub-domains always work fine (more on that later) No other sites on my server (9 total) have this issue either. Several of them use zen also. I've also checked server load when this happens and nothing abnormal there either.

It's a fairly large site with tons of pics and vids and content so I just thought something was going wacky with the database or the version of zen I was using. As such, I started to build a new site. I got everything going in a new sub-domain (dev). Latest version of zen at the time (1.4.1.2), new database and everything. I didn't want to import any old content just in case something was screwy with the database.

Fast forward several weeks - I now have a working beta site that's completely designed and I am now loading content. It's a fully functional site though. Well, I get this issue with my main site (www) not loading once again. Now that I have a beta site I decide to see what's going on with that...well it loads fine. No issues. And again no issues with the other sites on the server either.

Again if I restart apache all is fine.

Fast forward to going live with the new version of my site. Everything goes well and I'm up and running in no time. The old site now resides under the "dev" sub-domain just in case I missed something or need to revert back for whatever reason. Again all is well. Fast forward again a month or so and now the NEW site isn't loading...this time the error is slightly different - it's a "The connection was reset" error compared to just a blank empty page like before. I can still browse to display an image and also a standard html page loads fine...

NOW, here's the strange thing...when I browse to the old site (that was originally giving me issues and now resides in the "dev" sub-directory) it loads perfectly fine! No issues. And once again all the other sites on the server load fine. I've since added another subdomain to my site for my wife's recipes and that loads fine too (using zen of course). And once again restarting Apache gets the site back up instantly...

Entire error:
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'XX.XXX.XXX.XXX', file 'zp-core/template-functions.php', line 810

Like I said, research says it's possibly something to do with PHP, but it's always related to functions-basic.php line 810.

Everything in that area of the page is below:

/** returns a sanitized string for the sanitize function
 * @param string $input_string
 * @param string $sanitize_level
 * @return string the sanitized string.
 */
function sanitize_string($input_string, $sanitize_level) {
    global $_user_tags, $_style_tags;
    // Strip slashes if get_magic_quotes_gpc is enabled.
    if (get_magic_quotes_gpc()) {
        $input_string = stripslashes($input_string);
    }
    // Basic sanitation.
    if ($sanitize_level === 0) {
        return str_replace(chr(0), " ", $input_string);
    }
    // User specified sanitation.
    if (function_exists('kses')) {
        switch($sanitize_level) {
            case 1:
                $allowed_tags = getAllowedTags('allowed_tags');
                $input_string = html_entity_decode(kses($input_string, $allowed_tags));
                break;

            // Text formatting sanitation.
            case 2:
                $allowed_tags = getAllowedTags('style_tags');
                $input_string = html_entity_decode(kses($input_string, $allowed_tags));
                break;
            // Full sanitation. Strips all code.
            case 3:
                $allowed_tags = array();
                $input_string = html_entity_decode(kses($input_string, $allowed_tags));
                break;
        }
    } else { // in a basic environment--allow NO HTML tags.
        $input_string = strip_tags($input_string);
    }
    return $input_string;
}

Line 810 specifically is:
$input_string = html_entity_decode(kses($input_string, $allowed_tags));

So I guess my question is what is going on with kses - it seems to only error every several weeks or so. I haven't been able to figure out what triggers it but perhaps someone with fresh eyes will be able to help.

Thanks,
Mike

Comments

  • Unfortunately that function is ubiquitous to zenphoto. If you have a stack trace maybe we can tell more. The function is used for processing input to ensure it is "clean".
  • What's the best way to generate a stack trace?
  • acrylian Administrator
    Look at the debug log in zp-data if there is anything.
  • Well there's a 5meg debug file with a ton of stuff...lol.

    But mostly invalid folder name errors...but I removed the folder in question so that's not it...especially because that was after the canary mismatch thing we are talking about here. Nothing matches up date wise with the error I'm experiencing either...but these are the other errors...just several spoof attempts...

    {Mon, 16 Apr 2012 02:06:32 GMT}
    Backtrace: Zenphoto encountered an album name spoof attempt: My-Car-Pics/Tyler-State-Park=IMG_8857.jpg=>My-Car-Pics/Tyler-State-Parkâ„‘=IMG_8857.jpg.
    Album->Album called
    from zp_load_album (functions-controller.php [316])
    from zp_load_request (functions-controller.php [520])
    from require_once (controller.php [38])
    from index.php [55]

    I'm going to clear the file and start fresh to see if I can see anything the next time I have the issue...

    Always open to other suggestions...I'm glad it's only happening with my site and no clients sites but still would like to figure it out.

    Much appreciated,
    Mike
  • Well it happened again...no debug errors to be found...
  • fretzl Administrator
    Just curious: Do you use Suhosin ?
    If I Google your error I get lots of results all telling me it's a bug in some Suhosin patch.
  • acrylian Administrator
    My live server has Suhosin as well but seems not to cause any issues so far.
  • Well I've read about Suhosin and unless it's part of another app that's installed I'm not using it...not that I know of anyway. But it does pop up with regards to this specific error. I did add suhosin.session.encrypt=off to the php.ini but that didn't work.

    I'm open to suggestions...lol
    Thanks
  • Are you still having the "album name spoof" error you reported above? If so there is a problem with charactersets on your server. (Or someone is really trying to spoof your site.)
  • No like I said I had changed album names and removed those albums that's why I was getting those spoofs...they were linked from other sites but no longer there causing the error logs...

    Since I cleared the logs no errors yet...
  • acrylian Administrator
    I have no idea about the issue. But in case that is unclear, Suhosin is a server security extension. You should find an entry in the phpinfo() about that. If you are not running/configuring your own server your host might have set that up and probably does not let you disable it.
  • Yeah there is no mention of Suhosin in my phpinfo file...Hmmmmm.

    Thanks so far guys.
  • Edit - I lied...was searching with the wrong spelling...lol

    I do see "Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.23 with Suhosin-Patch"

    and some other Suhosin references...let's see what I can figure out
  • Just got the error again- this time 2 errors of it occurring on line 4538 of template functions...otherwise line 810

    kses again at line 4538:
    $short2 = kses($short.'</p>', $allowed_tags);

    The entire block of code...

    function shortenContent($articlecontent, $shorten, $shortenindicator, $forceindicator=false) {
        global $_user_tags;
        if ($forceindicator || (mb_strlen($articlecontent) > $shorten)) {
            $allowed_tags = getAllowedTags('allowed_tags');
            $short = mb_substr($articlecontent, 0, $shorten);
            $short2 = kses($short.'</p>', $allowed_tags);
            if (($l2 = mb_strlen($short2)) < $shorten) {
                $c = 0;
                $l1 = $shorten;
                $delta = $shorten-$l2;
                while ($l2 < $shorten && $c++ < 5) {
                    $open = mb_strrpos($short, '<');
                    if ($open > mb_strrpos($short, '>')) {
                        $l1 = mb_strpos($articlecontent,'>',$l1+1)+$delta;
                    } else {
                        $l1 = $l1 + $delta;
                    }
                    $short = mb_substr($articlecontent, 0, $l1);
                    $short2 = kses($short.'</p>', $allowed_tags);
                    $l2 = mb_strlen($short2);
                }
                $shorten = $l1;
            }
            $short = truncate_string($articlecontent, $shorten, '');
            // drop open tag strings
            $open = mb_strrpos($short, '<');
            if ($open > mb_strrpos($short, '>')) {
                $short = mb_substr($short, 0, $open);
            }
            // drop unbalanced tags
            // insert the ellipsis
            $i = strrpos($short, '</p>');
            if (($i !== false) && ($i == mb_strlen($short) - 4)) {
                $short = mb_substr($short, 0, -4).' '.$shortenindicator.'</p>';
            } else {
                $short .= ' '.$shortenindicator;
            }
            $short = trim(kses($short.'</p>', $allowed_tags));
            return $short;
        }
        return $articlecontent;
    }
  • Man this is still happening...any other ideas? I have several other ZP sites and they don't have these issues...

    What's the deal with kses - what exactly does it do and when does it do it? Can it be disabled?

    Very frustrating...any other help to diagnose this would be grateful.

    I tried a bunch of other server things like disabling Suhosin and other things related to that but nothing has helped...

    Ultimately I know it's a server thing - but it's also somehow related to something ZP is doing on my site specifically...as mentioned I have other ZP installs with NO issues.

    EDIT: I'm wondering if it has something to do when I get a comment? Comments go right into moderation because I get a bit of spam...No other sites are using comments??????

    Thanks,
    Mike
  • acrylian Administrator
    Zenphoto 1.4.3 actually does not use kses itself anymore because it was buggy. It cannot be disabled as it is used for clearing content of unwanted html and therefore is part of the security measures to prevent anyone passing unwanted scripts etc. It also tries to correct html tag closing on text content shortening.
    http://sourceforge.net/projects/kses
  • Hmmm - I guess I'll upgrade ZP then! lol

    We'll see what happens. Thanks
  • acrylian Administrator
    My statement was not correct. Until 1.4.3 we used htmLawed which did not work as expected for us so we replaced it with kses.
  • Let me be exact on this. Prior to 1.4.3 we used a library named htmLawed that contained a version of the kses function. We did use the kses function from this library. Somewhere this library's functionality changed and instead of expunging not allowed html it started encoding them. This caused a security problem for us, so we switched to a different version of kses that worked "correctly".

    In addition, we did use the kses function to "balance" html tags when we shortened content--this is the use you have above. The new kses did not do this, so we also had to change not to use kses for this purpose. Right off hand I think that this fix did not make it into the released version of 1.4.3, so it would require the nightly build.

    So, the recommendation is for you to upgrade to the nightly build.
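    An added illustration, not Zenphoto code and not part of this thread, of the expunge-versus-encode difference described in the post above, and of why it matters to the sanitize_string() function quoted earlier, which runs html_entity_decode() on whatever the tag filter returns. The allow-list, the filter_tags() function, its "expunge"/"encode" modes and the sample input are all constructed for this example:

```php
<?php
// Added example, not Zenphoto code: a small kses-style allow-list filter with two
// behaviours for disallowed markup, "expunge" (remove it) and "encode" (turn it
// into entities). The allow-list and sample input below are constructed.

// tag name => attributes permitted on that tag (constructed for this example)
$allowed_tags = array(
    'p'  => array(),
    'em' => array(),
    'a'  => array('href', 'title'),
);

function filter_tags($input, array $allowed, $mode = 'expunge') {
    return preg_replace_callback(
        '%<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>%',
        function ($m) use ($allowed, $mode) {
            $closing = $m[1];
            $name    = strtolower($m[2]);
            if (!isset($allowed[$name])) {
                // Disallowed tag: drop the markup, or encode it (the behaviour
                // the post above says the htmLawed copy of kses switched to).
                return $mode === 'encode' ? htmlspecialchars($m[0], ENT_QUOTES) : '';
            }
            if ($closing === '/') {
                return '</' . $name . '>';
            }
            // Rebuild the opening tag from scratch, keeping only allowed,
            // double-quoted attributes; anything else (onclick, style, ...) is lost.
            $attrs = '';
            if (preg_match_all('%\s+([a-zA-Z-]+)\s*=\s*"([^"]*)"%', $m[3], $found, PREG_SET_ORDER)) {
                foreach ($found as $a) {
                    $aname = strtolower($a[1]);
                    if (!in_array($aname, $allowed[$name], true)) {
                        continue;
                    }
                    // For href, only accept http(s) or site-relative URLs.
                    if ($aname === 'href' && !preg_match('%^(https?://|/)%i', $a[2])) {
                        continue;
                    }
                    $attrs .= ' ' . $aname . '="' . $a[2] . '"';
                }
            }
            return '<' . $name . $attrs . '>';
        },
        $input
    );
}

// Constructed sample input: allowed markup mixed with a script element and an
// event-handler attribute that the allow-list does not permit.
$input = '<p>Hello <em>world</em> <script>alert(1)</script> '
       . '<a href="http://example.com/" onclick="x()">link</a></p>';

foreach (array('expunge', 'encode') as $mode) {
    $filtered = filter_tags($input, $allowed_tags, $mode);
    echo "$mode, filter output:       $filtered\n";
    // This is the step sanitize_string() applies on its line 810.
    echo "$mode, after entity decode: " . html_entity_decode($filtered, ENT_QUOTES) . "\n";
}
```

    In "expunge" mode the script element and the onclick attribute are gone before the decode step, so html_entity_decode() only restores entities in ordinary text. In "encode" mode the disallowed markup survives as entities, and the html_entity_decode() call in sanitize_string() turns it straight back into live tags, which is the problem the post above describes: a filter that encodes instead of removing is only safe when nothing downstream decodes its output.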
  • Well I've already upgraded to the latest version (1.4.3 [10393])...NOT a nightly build! I guess I should have waited a bit...Go figure! lol

    Nonetheless, the upgrade went fine - but I'm now experiencing an unrelated bug (I think) - should I post elsewhere or do something different?

    The bug:
    (it appears when adding a link to a zenpage page, if the link contains an ampersand (&), such as in a query string, or in the "title" it doesn't display as a link - just text. A plain link works fine.)
  • acrylian Administrator
    Please best don't mix topics within a topic, it gets a bit inconvenient then to search etc. Where did you add a link how? Please also read the note about encoding on the release post.
  • I read the note on encoding but not sure I understand it...when I add a link using tinyZenpage the link isn't even close to being right...so then I use the link icon and paste the link that I know works...which includes a query string - and that doesn't work...
  • acrylian Administrator
    The note means Zenphoto stores text with special chars like ampersands in plain text, unencoded. We had a similar report on a ticket regarding image links: http://www.zenphoto.org/trac/ticket/2199

    But we are so far not able to reproduce this. I tested including links to a page and an article via tinyZenpage and all works as expected (link is on that ticket). What is not right for you? Please post details and best a link.
  • If I create a new page and add a link - it works. However, there are some existing pages and links that, after the upgrade, are just text and I can't seem to fix them...but there are some existing links that still work...

    However, if I copy the entire page to a new page - it still doesn't work but if I copy just the link to a new page it works...weird...

    Link on homepage is fine:
    http://www.mikemartinelli.com/
    The link is:
    Dynomax VT REVIEW!

    But that same link on another page is just showing as text:
    http://www.mikemartinelli.com/index.php?p=pages&title=ascmclaren-information

    Same text:
    Dynomax VT REVIEW
    (towards bottom)

    This page is all messed up - links and images:
    http://www.mikemartinelli.com/index.php?p=pages&title=DadsLx5.0

    Can i go directly into the DB to fix things?
  • Existing links may have been improperly encoded when they were created. The only solution for this is to either fix the data in the database or delete and re-create the links.
  • I tried deleting and re-creating but that didn't work...I'll just manually go into the database and do whatever I need to do...

    Do I just delete them from the database then re-create in ZP? Or is there something else I need to do in the DB?

    Thanks,
    Mike
  • Just edit the data so that the links are not html encoded.
  • Got it thanks!
  • acrylian Administrator
    You should be able to do this via TinyMCE's html source view as well.
  • I just ended up doing it all in the DB...so far so good...hopefully I don't experience any of the canary mismatch errors anymore!