[vox-tech] php security (was: another php question)
Peter Jay Salzman
vox-tech@lists.lugod.org
Thu, 6 Jun 2002 12:05:31 -0700
begin Matt Roper <matt@mattrope.com>
> On Thu, Jun 06, 2002 at 11:04:19AM -0700, Peter Jay Salzman wrote:
> ...
> > is there a way to pass a variable to a php3 href so i can have one file
> > that does a reading, but with an argument of which data file to read?
> > something like:
> >
> >
> > Click on your favorite car:
> > <UL>
> > <LI><A href="display_stats.php3" arg="mustang.dat">mustang</A>
> > <LI><A href="display_stats.php3" arg="beetle.dat">beetle</A>
> > ...
> > </UL>
> >
> > can i do this sort of thing with php3?
>
> I think what you want is
>
> <UL>
> <LI><A href="display_stats.php3?arg=mustang.dat">mustang</A>
> <LI><A href="display_stats.php3?arg=beetle.dat">beetle</A>
> ...
> </UL>
>
> After doing this, your display_stats page can read the argument from
> $arg. Note that you still need to do some checking to make sure people
> don't craft a url like "display_stats.php3?arg=/etc/shadow" -- this can
> be a security hole if you use the filename directly without checking it
> first.
that's really cool -- i didn't know you could do this sort of thing.
it's ... "cgi-like".
your warning sends chills up my spine, though.
i'd check which files are allowed to open, rather than which files are NOT
allowed to open (too many files to protect). something like:
if ($arg != "beetle.dat" && $arg != "mustang.dat" && ... ) {
system("mail -s "funny business on the php page" p@dirac.org");
blah blah blah
}
btw, what should "blah blah blah" be? just an empty return statement?
would that be secure?
if someone tries something evil, i'd like to be sent email notification.
maybe even blacklist the ip address that was doing the monkey business.
anyway
it never occured to me to check for this. the prospect of someone
forging an url and gaining access to something like /etc/shadow is
frightening!
actually -- even better -- is there a directive to tell php "you're only
allowed to open files in /www/p/Adventuring" or something like that?
pete
ps- thanks for the warning. i never would've thought of this!