ID: 32836 Updated by: [EMAIL PROTECTED] -Summary: sesser Reported By: kkrusteff at intergenia dot de Status: Closed Bug Type: Unknown/Other Function Operating System: linux PHP Version: 4.3.10 New Comment:
wtf Previous Comments: ------------------------------------------------------------------------ [2005-04-27 12:11:09] [EMAIL PROTECTED] This is not a bug in PHP but in glibc realpath() If you are unable to strip ../ from your user input, then either report this as bug in realpath() to the glibc folks or simply change your OS to a bsd. (Or use the hardening patch from the hardened-php project ;) ------------------------------------------------------------------------ [2005-04-27 09:06:55] kkrusteff at intergenia dot de No matter what you call it or verify your inputs, it's a BUG. In no other language / shell / usual program in unix/linux you can do such thing and to be accepted as valid file! This file does NOT actually exists. Why including it results in getting wrong file?. Wrong parsing in include() function? Yes, no doubt. Please don't tell people 'verify your inputs'. Sometimes it's not possible. Or they should execute 'readlink -f ' before including? or do other weird stuff to avoid this case. Or what? ------------------------------------------------------------------------ [2005-04-27 04:46:58] [EMAIL PROTECTED] Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php Validate your inputs. ------------------------------------------------------------------------ [2005-04-26 15:53:31] slavi at imperia dot net See "#29949 Relative include() sometimes works as expected." ( http://bugs.php.net/bug.php?id=29949 ) I think it describes the same problem. ------------------------------------------------------------------------ [2005-04-26 13:58:31] kkrusteff at intergenia dot de Description: ------------ Frequently used way to include lang file include("./lang/login.php.$_REQUEST["lang"]); The problem is if in URL use lang=../../../../../../../../../../etc/hosts and we get the host file from computer. Reproduce code: --------------- <?PHP include("./lang/login.php.../../../../../../../../../../etc/hosts"); ?> //or <?php include("./lang/login.php.../../../../../../../../../etc/hosts"); ?> //that's will show the host file Expected result: ---------------- file not found Actual result: -------------- that's will show the host file or other file .. if you know the path ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=32836&edit=1