Adrian Ciutureanu pressed the little lettered thingies in this order...

> $allowed_path = '/www/sites/mysite/teaching';
> $file = realpath($file);
> if(ereg("^$allowed_path", $file)) {
>  // it's OK
> } else {
>  // possible attack!
> }

This is not good code.

A user could replace the $file in the URL with this:
Since it starts with $allowed_path, your code has just been fooled.

The basic problem that I have seen with posts to this thread is the fact 
that many people do not understand how Unix servers address and/or 
secure files. If what I have written above doesn't make any sense, 
please go and pick up a book that covers Unix/Linux security. If you 
don't, you are inviting a security breach.  You may or may not be aware 
of this, but many hackers know Unix, it's security and it's common 
vulnerabilities VERY well and they WILL exploit your code if it is 

Simply checking to see if a particular path exists in the URL will 
NEVER secure this issue.

Here's the script that I use:

$f = ereg_replace("/","",$f);
commonHeader("$f Source Code");
<table border="1" cellpadding="3" cellspacing="0" bgcolor="#FFFFFF">

I explicitly declare the path and I delete all forward slashes. This means 
that if someone tries to send:
They instead send:
And the server interprets this as:

The bottom line is that no files outside of the intended directory will ever 
be viewable through this script, regardless of how clever, smart or 
devious the user might be.

I could have gotten a little more fancy and given warnings if there were 
forward slashes, but the point is this: If you are allowing real file names 
to be passed as the parameter, you HAVE to do one of two things:
1) Strip or otherwise block forward slashes and/or consecutive periods.
2) Declare the file path before the show_source() call and disallow 
consecutive periods (".."), forward slashes or both.  This is the method 
used at slashdot.

Christopher Ostmo
Innovative Application Ideas
Meeting cutting edge dynamic
web site needs since the 
dawn of Internet time (1995)

For a good time,

PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to