[vox-tech] php security (was: another php question)

Jeff Newmiller vox-tech@lists.lugod.org
Fri, 7 Jun 2002 09:51:14 -0700 (PDT)


On Fri, 7 Jun 2002, Tim Riley wrote:

> Jeff Newmiller wrote:
> 
> > On Thu, 6 Jun 2002, Tim Riley wrote:
> >
> > > Samuel Merritt wrote:
> > >
> > > > On Thu, Jun 06, 2002 at 02:12:25PM -0700, Tim Riley wrote:
> > > > >
> > > > > Matt Roper wrote:
> > > > >
> > > > > > With this solution, what keeps people from using something like
> > > > > > "../../../etc/shadow" as $arg?  You'd probably need to strip out slashes
> > > > > > and ..'s to be safe...
> > > > > >
> > > > > > Matt
> > > > > >
> > > > >
> > > > > Good thinking Matt and Jeff. How about
> > > > >
> > > > > $file2open = ( substr( $arg[ 1 ], 0, 1 ) == "." )
> > > > >                 ? ""
> > > > >                 : $APPLICATION_HOME_DIRECTORY . $arg[ 1 ];
> > > > >
> > > > > This checks the first character for a dot by using the substring function
> > > > > inside the ternary operator. If someone tries to penetrate your system, file2open
> > > > > will fail.
> > > >
> > > > That's not enough. What about foo/../../../etc/shadow ?
> > >
> > > Samuel, I don't mean to be critical, but the foo directory doesn't exist,
> > > so this will fail.
> >
> > If they can figure out _any_ directory name, conceptually they can do
> > this... foo is a conceptual idea, not an actual directory name. <snip>
> 
> Oh.
> 
> What about:
> 
>  $file2open = ( strstr( $arg[ 1 ], ".." ) )
>                  ? ""
>                  : $APPLICATION_HOME_DIRECTORY . $arg[ 1 ];
> 
> Strstr() is the string search function, and here if it finds two adjacent dots, the
> ternary operator will successfully return an empty filename. Can a hacker
> get out of this jail?

I don't think she could.  However, "myfile..is..ok" is a valid, if
unusual, filename that would cause problems if you or someone else tried
to use it.  The "realpath()" solution would be more robust and less likely
to cause puzzling failures in the future, but would require more cpu
cycles on each access... choose your evil.

[...]

> > Though I am not a PHP user, this would strike me as a prime candidate for
> > a standard feature of this kind of environment.  Looking in the PHP manual
> > briefly, I find "realpath", which looks like a good candidate tool to help
> > straighten this mess out and allow simple programmatic confirmation that
> > the file is in the appropriate area of the filesystem.  There may be even
> > better library routines... but this seems pretty easy to build a
> > "die_if_someone_is_hacking()" routine with.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
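The realpath() approach Jeff describes, written out as an added example (this code is not from the thread or from any of its participants; the function name and the temporary directory layout are my own assumptions). It canonicalises the joined path and then requires the result to sit strictly below the application directory, so a "foo/../../../etc/shadow" probe is rejected by the containment test rather than by a pattern match on "..", while a legitimately named "myfile..is..ok" is still accepted:

```php
<?php
// Added example, not code from the mailing-list thread. A
// "die_if_someone_is_hacking()"-style check built on realpath(), as Jeff
// suggests; the function name and directory names below are assumptions.

function confine_to_directory(string $baseDir, string $userPath)
{
    // A null byte truncates the path in old PHP releases and makes newer
    // ones throw; neither is a legitimate request, so reject it up front.
    if (strpos($userPath, "\0") !== false) {
        return false;
    }

    // realpath() resolves symlinks and every "." and ".." component, and
    // returns false when the resulting path does not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return false; // application directory is missing or misconfigured
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($resolved === false) {
        return false; // target does not exist (covers the "foo/.." probe)
    }

    // Require the canonical target to lie strictly below the base directory.
    // Compare against base plus a separator so that a sibling directory whose
    // name merely starts with the base name ("/srv/app2" vs "/srv/app") does
    // not slip past a bare prefix match.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $resolved;
}

// Constructed demonstration: a small tree under the system temp directory
// standing in for $APPLICATION_HOME_DIRECTORY.
$home = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'php_home_' . getmypid();
$sub  = $home . DIRECTORY_SEPARATOR . 'sub';
$file = $sub . DIRECTORY_SEPARATOR . 'myfile..is..ok';
mkdir($sub, 0700, true);
file_put_contents($file, "hello\n");

$cases = [
    'sub/myfile..is..ok',         // legitimate, despite the ".." in its name
    'sub/../sub/myfile..is..ok',  // same file reached through ".."
    '../../../etc/passwd',        // escapes the base directory
    'sub/../../etc/passwd',       // escapes via an existing subdirectory
];
foreach ($cases as $case) {
    $result = confine_to_directory($home, $case);
    printf("%-28s => %s\n", $case, $result === false ? 'REJECTED' : 'ok: ' . $result);
}

// Clean up the constructed tree.
unlink($file);
rmdir($sub);
rmdir($home);
```

The first two cases resolve to the same canonical file inside the base directory and are accepted; the last two resolve outside it (or to nothing at all) and are refused. Because the decision rests on the canonical path rather than on the characters the caller typed, the check is indifferent to how many dots or slashes appear in the name, which is exactly the property the strstr() test lacks.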