IT

MG2 0.5.1 migration to PHP 8

Introduction

MG2 0.5.1 (former MiniGal) is a very simple image gallery written by Thomas Rybak (www.minigal.dk). It was released on 28 Feb 2005.

I have been using it since September 2011 probably with PHP version 5.1 back then, and all was fine until migration to PHP 7.4 (after many years being on PHP 5.X) however …

Status

… it doesn’t work on PHP 7.4 / PHP 8

I checked if there is a newer release available, but unfortunately www.minigal.dk domain went offline somewhere between July 9, 2018 and Aug 3, 2018.

Not only that, but traveling back in time using web.archive.org, it turns out that even in 2009 the software was not actively developed:

Download MG2 0.5.1

MG2 is not being actively developed at this time.

www.minigal.dk (Aug 18, 2009)

Faced with a choice what to do, I considered moving to a different image gallery script, but MG2 is really simple, it relies on a flat text file (as database) and is easy to use just upload a bunch of new images and then associate them to a new (or existing album). Not only that, but I have other scripts that now use the pictures/ folder and those scripts would also need migrating.

On the other hand, all modern galleries come with their own specific database, I would have to understand the existing database format to be able to reconstruct the albums into the new layout / database structure and then migrate. And who knows how long the new gallery will get supported ? New software also looks nice in demo mode where everything is carefully chosen to look perfect, but this illusion lasts until you actually have to use it. Then the issues start appearing: the layout breaks or is ugly with your specific set of images, navigation may not be so smooth, themes are heavyweight, etc.

It was obvious that irrespective of the path, I would still have to migrate MG2 to at least PHP 7.4 (at least to be able to understand its database format).

Setting up migration PHP 5 to PHP 7.4

Searching the internet on the best way to migrate from PHP 5 to PHP 7.4 reveals a tedious approach, you have to actually run the code in PHP 7.4 and fix every bug / warning that appears.

This holds true. Once I figured out how to fix an error/working, I looked for similar code and fixed that too – this is a very good way to get familiar with the code base and make sure I’m not forgetting some corner case code.

For migration I have used a fresh W10 instance running:

  1. Visual Studio Code 1.59 (July 2021)
  2. XAMPP 7.4.22 (PHP 7.4.22)

For finding bugs / security issues:

  1. Sonarqube Community Edition 9.0.1 (with PHP support)
  2. Zed Attach Proxy 2.10.0
  3. Wapiti 3.0.5

I tried to use PHP Mess Detector but it was not useful. Ran against MG2 it was mostly complaining about variables not in camel case, or constantly alerting that “else clauses are basically not necessary and you can simplify the code by not using them”. Interesting that else is considered an anti-pattern – are we going back to assembly language – jumps xor fall-troughs ?

While I understand the need to enforce a code style when working in a team, and definitively there is a place for PHPMD – I would like to preserve the legacy of MG2 and not modify variable names nor rewrite code to exclude else clauses.

Additionally, some CVEs were reported throughout the years, and they would have to be tackled too during this revival of MG2 gallery.

CVEs

MG2 (Minigal) 0.5.1 is known to have few bugs:

CVE-2005-3432 – MiniGal 2 (MG2) 0.5.1 allows remote attackers to list password protected images via a request to index.php with the list parameter set to * (wildcard) and the page parameter set to all.

CVE-2006-0493 – Cross-site scripting (XSS) vulnerability in MG2 (formerly known as Minigal) 0.5.1 allows remote attackers to inject arbitrary web script or HTML via the Name field in a comment associated with a picture.

CVE-2008-1228 – Cross-site scripting (XSS) vulnerability in admin.php in MG2 (formerly Minigal) allows remote attackers to inject arbitrary web script or HTML via the list parameter in an import action.

All these bugs are caused by not validating the input data

Code archeology

After a closer analysis of the code – I was impressed, all the code uses IDs to fetch data and show pages, which means that the fix is easy. Before the code starts using the $_REQUEST array, all the IDs have to be validated to be integers, and if not, then replace them with value 1.

There was an admin import action that could be triggered without being admin and that the CVE-2008-1228 above. I have moved this code after the security checks, instead of before them.

Allowing comments was too time consuming to fix as it had a very simplistic way of sanitizing the user input. And since these days all input should be protected against spam bots, it would have been too much to do for a feature that I don’t use. Better have it disabled.

Migrating from PHP 7.4 to PHP 8.0

The changes were mostly even stricter checks for variables (Undefined offset).

There were more bugs that revealed themselves (for example, incorrect format of the root folder entry, once a gallery is set up). This posed no problem in PHP4/5, as they were not complaining about missing indexes, etc, but issue had to be fixed for PHP7 / 8. Plus, many other smaller things.

Summary

The updated code resides here: https://bitbucket.org/viulian/mg2

Goal was to keep the original code as unchanged as possible, while fixing the known CVEs and making it run smoothly in PHP 8.0.

Leave a Reply