$allowed_path = '/www/sites/mysite/teaching';
// realpath() resolves '.', '..' and symlinks; it returns false if the file does not exist
$file = realpath($file);
// ereg() was removed in PHP 7, and an unescaped path in a regex is fragile anyway;
// compare the canonical path against the directory plus a trailing '/' so that a
// sibling such as '/www/sites/mysite/teaching-private' is not accepted as a prefix match
if($file !== false && strncmp($file, $allowed_path . '/', strlen($allowed_path) + 1) === 0) {
        // it's OK
} else {
        // possible attack!
}

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 4 July 2001 15:29
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Security of PHP code 
> 
> 
> 
> > <?php
> > $allowed_path  = "/www/sites/mysite/teaching";
> >
> > // str_len() does not exist in PHP; the function is strlen()
> > if (substr($file, 0, strlen($allowed_path)) <> $allowed_path )
> > {
> > die("not allowed!");
> > }
> > else
> > {
> > show_source($file);
> > }
> > ?>
> 
> I've missed part of the discussion, but if my understanding of the issue
> is correct (accepting a filename and path from a visitor to the site to
> display through a PHP script), then this solution is probably
> inadequate...
> 
> If the user passes in a string like
> /www/sites/mysite/teaching/../../../../etc/passwd, the first part of the
> string will pass your validity test, but the user may still be able to
> ascend to a place where files you don't wish to share are stored.
> 
> A better solution may be to pass the filename through some filter and
> then concatenate that to your path. For example:
> 
> if(preg_match("/[^A-Za-z0-9]/", $file)) {
>       die("Invalid filename.");
> }
> else {
>       show_source($path . $file);
> }
> 
> That's an awfully strict way to do it, but that's my personal preference.
> If you must accept information that contains a path, perhaps just check
> for '..' in the user input.
> 
> Anyways, like I say I could be way off base as far as what the discussion
> is actually about, and I haven't had near enough coffee this morning, so
> forgive me if I'm just talking nonsense =)
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: 
> [EMAIL PROTECTED]
> 
> 

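As an added example (not code from either poster in this thread), the following PHP script builds a throwaway directory tree under the system temp directory and runs the three approaches discussed above against the same inputs: the bare prefix check from the quoted message, the realpath()-based check from the reply, and the whitelist-the-filename-and-concatenate approach. The function names, the sandbox layout, the sample files and the traversal inputs are assumptions made for the demonstration; the whitelist here also permits a single extension, which the quoted `[^A-Za-z0-9]` filter does not.

```php
<?php
// Added example for this thread; not code from either poster.
// Names ($root, is_allowed_naive, is_allowed_realpath, is_allowed_whitelist,
// rmtree) and the sandbox tree below are assumptions for the demonstration.

// The quoted check: compares only the string prefix, so
// "/allowed/../../../../etc/passwd" passes and the real location is never examined.
function is_allowed_naive(string $allowed_path, string $file): bool
{
    return substr($file, 0, strlen($allowed_path)) === $allowed_path;
}

// The realpath() approach, with two details made explicit: realpath() returns
// false for a missing file (deny, do not pass), and the prefix must end in a
// separator so a sibling directory such as "teaching-private" does not match
// "teaching".
function is_allowed_realpath(string $allowed_path, string $file): bool
{
    $base = realpath($allowed_path);
    $real = realpath($file);
    if ($base === false || $real === false) {
        return false;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

// The reply's alternative: accept only a bare name ([A-Za-z0-9], plus one
// extension as an assumption here) and build the path yourself, so no
// directory component ever comes from the visitor.
function is_allowed_whitelist(string $allowed_path, string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9]+(\.[A-Za-z0-9]+)?$/', $name)) {
        return null;
    }
    return $allowed_path . '/' . $name;
}

// Recursive delete for the sandbox created below.
function rmtree(string $dir): void
{
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = "$dir/$entry";
        is_dir($path) ? rmtree($path) : unlink($path);
    }
    rmdir($dir);
}

// --- constructed sandbox so the script runs anywhere (removed at the end) ---
$root = sys_get_temp_dir() . '/phpsec_' . bin2hex(random_bytes(4));
$allowed = "$root/www/sites/mysite/teaching";
mkdir($allowed, 0700, true);
mkdir("$allowed-private", 0700, true);
mkdir("$root/etc", 0700, true);
file_put_contents("$allowed/lesson1.php", "<?php echo 'lesson 1';\n");
file_put_contents("$allowed-private/grades.php", "<?php // not for visitors\n");
file_put_contents("$root/etc/passwd", "root:x:0:0:root:/root:/bin/sh\n");

$inputs = [
    "$allowed/lesson1.php",             // legitimate request
    "$allowed/../../../../etc/passwd",  // the traversal string from the thread
    "$allowed-private/grades.php",      // sibling directory sharing the prefix
    "$allowed/missing.php",             // does not exist: realpath() returns false
];

foreach ($inputs as $file) {
    printf("%-45s naive=%-4s realpath=%s\n",
        substr($file, strlen($root)),
        is_allowed_naive($allowed, $file) ? 'pass' : 'DENY',
        is_allowed_realpath($allowed, $file) ? 'pass' : 'DENY');
}

// The whitelist filter never sees a path at all: it is given the bare name.
foreach (['lesson1.php', '../../../../etc/passwd'] as $name) {
    $path = is_allowed_whitelist($allowed, $name);
    printf("%-45s whitelist=%s\n", $name, $path === null ? 'DENY' : 'pass');
}

rmtree($root);
```

Run it with `php traversal_demo.php`: the naive prefix check passes all four inputs, including the traversal and the sibling directory, while the realpath() check passes only `lesson1.php` and denies the missing file because realpath() returned false. The whitelist variant denies anything containing a slash or `..` before a path is ever built.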