[vox-tech] php security (was: another php question)

Samuel Merritt vox-tech@lists.lugod.org
Thu, 6 Jun 2002 20:39:17 -0700 

--6TrnltStXW4iwmi0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jun 06, 2002 at 02:12:25PM -0700, Tim Riley wrote:
>=20
>=20
> Matt Roper wrote:
>=20
> > With this solution, what keeps people from using something like
> > "../../../etc/shadow" as $arg?  You'd probably need to strip out slashes
> > and ..'s to be safe...
> >
> > Matt
> >
>=20
> Good thinking Matt and Jeff. How about
>=20
> $file2open =3D ( substr( $arg[ 1 ], 0, 1 ) =3D=3D "." )
>                 ? ""
>                 : $APPLICATION_HOME_DIRECTORY . $arg[ 1 ];
>=20
> This checks the first character for a dot by using the substring function
> inside
> the ternary operator. If someone tries to penetrate your system, file2open
> will fail.

That's not enough. What about foo/../../../etc/shadow ?=20

A real solution, in my mind, is to break up the path using / (or its=20
HTML-encoded equivalent, %2f) as a divider, to get a list of directories=20
to traverse. Then, traverse directories one by one down the list, and when=
=20
you reach the filename, check to see if you're above=20
$APPLICATION_HOME_DIRECTORY.=20

Alternately, if you don't have files in multiple directories, just check=20
the given filename for slashes. If any are found, give an error; else,=20
feed them the file.=20

Yet another way (I'm on a roll tonight) is to have a table in your=20
function, mapping (say)

1 =3D> "/home/me/cars/mustang.dat"
2 =3D> "/home/me/cars/camaro.dat"
=2E.. etc.=20

Then, just access /path/to/script.php?file=3DN to get a file displayed, and=
=20
look up N in your table, and display the appropriate file or give an=20
error.=20

> >
> > On Thu, Jun 06, 2002 at 12:20:31PM -0700, Tim Riley wrote:
> > > An easy way around exposing /etc/anything is to do what Apache does w=
ith
> > > HTML documents: only reference documents inside a relative directory.
> > >
> > > e.g., $file2open =3D $APPLICATION_HOME_DIRECTORY . $arg[ 1 ]
> > >

--=20
Samuel Merritt
PGP key is at http://wwwcsif.cs.ucdavis.edu/~merritt/snmerritt.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/p=
gp/

--6TrnltStXW4iwmi0
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9ACrka6Tf6HA+Z6IRAp0LAJ0cuzv1Ko60QNTvf2jRBbl+dHBKgwCdFCif
n8iwHXX+ZpETgjzdekTkZaI=
=xE8k
-----END PGP SIGNATURE-----

--6TrnltStXW4iwmi0--