[vox-tech] php security (was: another php question)

Tim Riley vox-tech@lists.lugod.org
Thu, 06 Jun 2002 21:00:39 -0700 

Samuel Merritt wrote:

> On Thu, Jun 06, 2002 at 02:12:25PM -0700, Tim Riley wrote:
> >
> >
> > Matt Roper wrote:
> >
> > > With this solution, what keeps people from using something like
> > > "../../../etc/shadow" as $arg?  You'd probably need to strip out slashes
> > > and ..'s to be safe...
> > >
> > > Matt
> > >
> >
> > Good thinking Matt and Jeff. How about
> >
> > $file2open = ( substr( $arg[ 1 ], 0, 1 ) == "." )
> >                 ? ""
> >                 : $APPLICATION_HOME_DIRECTORY . $arg[ 1 ];
> >
> > This checks the first character for a dot by using the substring function
> > inside
> > the ternary operator. If someone tries to penetrate your system, file2open
> > will fail.
>
> That's not enough. What about foo/../../../etc/shadow ?

Samuel, I don't mean to be critical, but the foo directory doesn't exist,
so this will fail.

Apache uses the DOCUMENT_ROOT mnemonic as its relative
mount point; therefore /etc/everything is protected. (Try opening
http://www.lugod.org/etc/passwd or
http://www.lugod.org/foo/../etc/passwd)

There are many other ways to prevent unscrupulous Internet
users from accessing your files; however, they seem complicated.

-- Tim Riley

>
>
> A real solution, in my mind, is to break up the path using / (or its
> HTML-encoded equivalent, %2f) as a divider, to get a list of directories
> to traverse. Then, traverse directories one by one down the list, and when
> you reach the filename, check to see if you're above
> $APPLICATION_HOME_DIRECTORY.
>
> Alternately, if you don't have files in multiple directories, just check
> the given filename for slashes. If any are found, give an error; else,
> feed them the file.
>
> Yet another way (I'm on a roll tonight) is to have a table in your
> function, mapping (say)
>
> 1 => "/home/me/cars/mustang.dat"
> 2 => "/home/me/cars/camaro.dat"
> ... etc.
>
> Then, just access /path/to/script.php?file=N to get a file displayed, and
> look up N in your table, and display the appropriate file or give an
> error.
>
> > >
> > > On Thu, Jun 06, 2002 at 12:20:31PM -0700, Tim Riley wrote:
> > > > An easy way around exposing /etc/anything is to do what Apache does with
> > > > HTML documents: only reference documents inside a relative directory.
> > > >
> > > > e.g., $file2open = $APPLICATION_HOME_DIRECTORY . $arg[ 1 ]
> > > >
>
> --
> Samuel Merritt
> PGP key is at http://wwwcsif.cs.ucdavis.edu/~merritt/snmerritt.asc
> Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/
>
>   ------------------------------------------------------------------------
>    Part 1.2Type: application/pgp-signature