Re: [PHP] opendir security hole

On Thu, May 23, 2002 at 11:23:42AM -0400, Analysis Solutions wrote:
> On Thu, May 23, 2002 at 11:22:28PM +1000, daniel wrote:
> > dir=../../../../ it will show you the root dir of the server, how can i
>
> Before passing the $Dir variable to the file functions, clean it up...
>
>    $Dir = preg_replace('/..\//', '', $Dir);

The initial poster just wrote me off list with a follow-up question. Here's my reply.

Hi:

> $dir = preg_replace('/..\//', '', $dir);

Hmm. I must have been tired when I wrote that. . matches any character. Thus ..\/ will match any two characters before a /. I should have escaped the periods. That should have been

   $dir = preg_replace('/\.\.\//', '', $dir);

Sorry.

Now, you are also attempting to strip .. via a whole separate regex.

> $dir = preg_replace('..', '', $dir);

First, that expression isn't encapsulated in the / delimiters, thus it's an invalid preg expression. Second, as in my first regex, you didn't escape the . Third, you can do it in the initial expression.

   $dir = preg_replace('/\.\.\/?/', '', $dir);

That translates to find any string that has two periods and maybe one forward slash.

Enjoy,

--Dan

--
PHP classes that make web design easier
SQL Solution | Layout Solution | Form Solution
sqlsolution.info | layoutsolution.info | formsolution.info
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
4015 7 Av #4AJ, Brooklyn NY
v: 718-854-0335 f: 718-854-0409

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re[2]: [PHP] opendir security hole

On Monday, June 3, 2002 at 3:37:48 PM, you wrote:
> $dir = preg_replace('/\.\.\/?/', '', $dir);

Surely a regular expression is overkill for this? It would be more efficient to use str_replace()...

   $dir = str_replace('..', '', $dir);

--
Stuart
Re: [PHP] opendir security hole

On Mon, Jun 03, 2002 at 08:41:37PM +0100, Stuart Dallas wrote:
> Surely a regular expression is overkill for this? It would be more efficient to use str_replace()...
>
>    $dir = str_replace('..', '', $dir);

Sure. But you'd need to do two replaces. First for '../' then for '..'. Not a big deal. Don't know if that's faster than preg or not. I'm used to preg, so am biased toward writing them. Alas...

Enjoy,

--Dan
Re: [PHP] opendir security hole

unfortunately it still happens

Analysis Solutions <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> On Thu, May 23, 2002 at 11:22:28PM +1000, daniel wrote:
> > dir=../../../../ it will show you the root dir of the server, how can i
>
> Before passing the $Dir variable to the file functions, clean it up...
>
>    $Dir = preg_replace('/..\//', '', $Dir);
>
> --Dan
Re: [PHP] opendir security hole

'scuse my ignorance, i had it after opendir. thanks for that

Daniel <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> unfortunately it still happens
>
> Analysis Solutions <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > On Thu, May 23, 2002 at 11:22:28PM +1000, daniel wrote:
> > > dir=../../../../ it will show you the root dir of the server, how can i
> >
> > Before passing the $Dir variable to the file functions, clean it up...
> >
> >    $Dir = preg_replace('/..\//', '', $Dir);
> >
> > --Dan
[PHP] opendir security hole

hi, i am creating a web-based filemanager for uploading files to the database. to determine which dir i upload to, i have the directory in the query string, ie ?dir=blah. i have found a security flaw where if you type dir=../../../../ it will show you the root dir of the server. how can i lock into a directory when using opendir? please let me know, thanks
Re: [PHP] opendir security hole

On Thu, May 23, 2002 at 11:22:28PM +1000, daniel wrote:
> dir=../../../../ it will show you the root dir of the server, how can i

Before passing the $Dir variable to the file functions, clean it up...

   $Dir = preg_replace('/..\//', '', $Dir);

--Dan
RE: [PHP] opendir security hole

Use: http://us2.php.net/manual/en/configuration.php#ini.open-basedir

It's also a good idea to always validate the data that comes from the user, especially when dealing with file related functions.

Randy

-----Original Message-----
From: daniel [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 9:22 AM
To: [EMAIL PROTECTED]
Subject: [PHP] opendir security hole

hi, i am creating a web-based filemanager for uploading files to the database. to determine which dir i upload to, i have the directory in the query string, ie ?dir=blah. i have found a security flaw where if you type dir=../../../../ it will show you the root dir of the server. how can i lock into a directory when using opendir? please let me know, thanks
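The thread proposes stripping ".." out of $dir (Dan's preg_replace, Stuart's str_replace) and Randy points at open_basedir and input validation. The script below is an added example, not code from any poster: it runs both strip-based sanitisers on the thread's own input and contrasts them with a containment check that canonicalises the requested path with realpath() and only accepts it if it stays under the upload root. The upload root is a constructed temporary directory; the helper names are my own.

```php
<?php
// Added example (not from the thread). Compares the thread's strip-based
// sanitisers with a realpath() containment check. The upload root and its
// 'blah' subdirectory are constructed here so the script runs stand-alone.

function strip_preg(string $dir): string {
    return preg_replace('/\.\.\/?/', '', $dir);     // Dan's corrected regex
}

function strip_str(string $dir): string {
    return str_replace('..', '', $dir);             // Stuart's single str_replace
}

// Resolve $requested beneath $base and return the canonical directory, or
// null when it does not exist or resolves anywhere outside $base.
function contained_dir(string $base, string $requested): ?string {
    $base   = realpath($base);
    $target = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false) {
        return null;                                // root missing or target does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                                // canonical path escaped the upload root
    }
    return $target;
}

// Constructed sandbox: an upload root containing one subdirectory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_' . uniqid();
mkdir($base . DIRECTORY_SEPARATOR . 'blah', 0700, true);

$input = '../../../../';                            // the query string value from the thread

// preg strip leaves '' (opendir('') simply fails); str_replace leaves '////',
// which POSIX path resolution collapses to the root directory.
printf("preg strip:     %s\n", var_export(strip_preg($input), true));
printf("str_replace:    %s\n", var_export(strip_str($input), true));

// The containment check refuses the traversal and accepts the real subdirectory.
printf("contained('%s'): %s\n", $input, var_export(contained_dir($base, $input), true));
printf("contained('blah'):        %s\n", var_export(contained_dir($base, 'blah'), true));

rmdir($base . DIRECTORY_SEPARATOR . 'blah');
rmdir($base);
```

Because realpath() returns false for paths that do not yet exist, contained_dir() suits listing existing directories; open_basedir, as Randy suggests, enforces the same boundary inside the interpreter regardless of what the script does.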