Re: [PHP] opendir security hole

2002-06-03 Thread Analysis Solutions

On Thu, May 23, 2002 at 11:23:42AM -0400, Analysis Solutions wrote:
 On Thu, May 23, 2002 at 11:22:28PM +1000, daniel wrote:
  dir=../../../../ it will show you the root dir of the server , how can i
 
 Before passing the $Dir variable to the file functions, clean it up...
 
$Dir = preg_replace('/..\//', '', $Dir);


The initial poster just wrote me off list with a follow-up question.
Here's my reply:

Hi:

 $dir = preg_replace('/..\//', '', $dir);

Hmm.  I must have been tired when I wrote that.  . matches 
any character.  Thus ..\/ will match any two characters before a /.  
I should have escaped the periods.  That should have been

   $dir = preg_replace('/\.\.\//', '', $dir);

Sorry.

Now, you are also attempting to strip .. via a whole separate regex.  

 $dir = preg_replace('..', '', $dir);

First, that expression isn't encapsulated in the / delimiters, thus
it's an invalid preg expression.  Second, as in my first regex, you
didn't escape the .  Third, you can do it in the initial expression.

   $dir = preg_replace('/\.\.\/?/', '', $dir);

That translates to find any string that has two periods and maybe one
forward slash.

Enjoy,

--Dan

-- 
   PHP classes that make web design easier
SQL Solution  |   Layout Solution   |  Form Solution
sqlsolution.info  | layoutsolution.info |  formsolution.info
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Av #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
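The two string sanitisers proposed in this thread side by side with a containment check that answers the original question further down the page (how to lock opendir() into one directory). This is an added example, not code from the thread or from any of its posters; the upload root, the safe_dir() and list_dir() helpers and the temporary test tree are assumptions made here.

```php
<?php
// Added example, not code from the thread. The upload root, safe_dir(),
// list_dir() and the temporary test tree below are assumptions made here.

// The two string-level sanitisers proposed in the thread, kept for comparison.
function strip_dotdot_preg($dir)
{
    return preg_replace('/\.\.\/?/', '', $dir);  // Dan's corrected regex
}

function strip_dotdot_str($dir)
{
    return str_replace('..', '', $dir);          // Stuart's str_replace()
}

// Containment check: resolve the requested directory on the filesystem and
// accept it only if the resolved path is inside $base. Returns the resolved
// path with a trailing slash, or false.
function safe_dir($base, $requested)
{
    $base = realpath($base);
    if ($base === false) {
        return false;                            // base directory is missing
    }
    $base = rtrim($base, '/') . '/';

    // A NUL byte would truncate the path inside the C file functions, and an
    // absolute path would ignore $base entirely; refuse both before realpath().
    if (strpos($requested, "\0") !== false || substr($requested, 0, 1) === '/') {
        return false;
    }

    // realpath() collapses ../ segments and follows symlinks, so the comparison
    // is on what opendir() would actually open, not on the raw string.
    $target = realpath($base . $requested);
    if ($target === false) {
        return false;                            // does not exist
    }
    $target = rtrim($target, '/') . '/';

    // The trailing slash on $base stops /srv/uploads_old passing as /srv/uploads.
    return strncmp($target, $base, strlen($base)) === 0 ? $target : false;
}

// The listing from the original post with the check in front of opendir().
// Returns the entries, or false when the directory is outside $base.
function list_dir($base, $requested)
{
    $path = safe_dir($base, $requested);
    if ($path === false) {
        return false;
    }
    $entries = array();
    $dh = opendir($path);
    while (($entry = readdir($dh)) !== false) {
        if ($entry !== '.' && $entry !== '..') {
            $entries[] = $entry;
        }
    }
    closedir($dh);
    sort($entries);
    return $entries;
}

// What each string sanitiser hands on to the file functions (constructed inputs).
foreach (array('blah', '../../../../', '/etc') as $s) {
    printf("%-14s preg: %-8s str: %s\n", $s,
        json_encode(strip_dotdot_preg($s)), json_encode(strip_dotdot_str($s)));
}

// Self-check against a temporary tree so the example runs without a web
// server: one directory inside the base, then three attempts to leave it.
$base = sys_get_temp_dir() . '/uploads_' . getmypid();
mkdir($base . '/blah', 0700, true);
touch($base . '/blah/file.txt');
foreach (array('blah', '../../../../', '/etc', "blah\0/../..") as $dir) {
    printf("dir=%-14s -> %s\n", addcslashes($dir, "\0"),
        json_encode(list_dir($base, $dir)));
}
unlink($base . '/blah/file.txt');
rmdir($base . '/blah');
rmdir($base);

// In the web handler: $entries = list_dir('/var/www/app/uploads', $_GET['dir']);
// and answer with 400 Bad Request when it returns false.
```

Both sanitisers are single-pass edits on the string: the regex turns `../../../../` into an empty string, str_replace() turns it into `////`, and neither touches a request that contains no dot-dot at all, so what happens next depends entirely on how the result is joined to the base directory. The containment check sidesteps that question by comparing the path realpath() produces, which is the path opendir() will open, against the base. open_basedir, suggested later in the thread, enforces the same boundary inside PHP itself and is worth setting as well.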




Re[2]: [PHP] opendir security hole

2002-06-03 Thread Stuart Dallas

On Monday, June 3, 2002 at 3:37:48 PM, you wrote:
$dir = preg_replace('/\.\.\/?/', '', $dir);

Surely a regular expression is overkill for this? It would be more efficient to
use str_replace()...

$dir = str_replace('..', '', $dir);

-- 
Stuart






Re: [PHP] opendir security hole

2002-06-03 Thread Analysis Solutions

On Mon, Jun 03, 2002 at 08:41:37PM +0100, Stuart Dallas wrote:
 
 Surely a regular expression is overkill for this? It would be more efficient to
 use str_replace()...
 
 $dir = str_replace('..', '', $dir);

Sure.  But you'd need to do two replaces.  First for '../' then for '..'
Not a big deal.  Don't know if that's faster than preg or not.  I'm used
to preg, so am biased toward writing them.  Alas...

Enjoy,

--Dan





Re: [PHP] opendir security hole

2002-05-24 Thread daniel

Unfortunately it still happens.
Analysis Solutions [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 On Thu, May 23, 2002 at 11:22:28PM +1000, daniel wrote:
  dir=../../../../ it will show you the root dir of the server , how can i

 Before passing the $Dir variable to the file functions, clean it up...

$Dir = preg_replace('/..\//', '', $Dir);

 --Dan





Re: [PHP] opendir security hole

2002-05-24 Thread daniel

'Scuse my ignorance, I had it after opendir. Thanks for that.
Daniel [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Unfortunately it still happens.
 Analysis Solutions [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
  On Thu, May 23, 2002 at 11:22:28PM +1000, daniel wrote:
   dir=../../../../ it will show you the root dir of the server , how can i
 
  Before passing the $Dir variable to the file functions, clean it up...
 
 $Dir = preg_replace('/..\//', '', $Dir);
 
  --Dan









[PHP] opendir security hole

2002-05-23 Thread daniel

Hi, I am creating a web-based file manager for uploading files to the database.
To determine which dir I upload to I have the directory in the query string,
i.e. ?dir=blah. I have found a security flaw where if you type
dir=../../../../ it will show you the root dir of the server. How can I
lock into a directory when using opendir? Please let me know, thanks.







Re: [PHP] opendir security hole

2002-05-23 Thread Analysis Solutions

On Thu, May 23, 2002 at 11:22:28PM +1000, daniel wrote:
 dir=../../../../ it will show you the root dir of the server , how can i

Before passing the $Dir variable to the file functions, clean it up...

   $Dir = preg_replace('/..\//', '', $Dir);

--Dan





RE: [PHP] opendir security hole

2002-05-23 Thread Randy Wilcox

Use: http://us2.php.net/manual/en/configuration.php#ini.open-basedir

It's also a good idea to always validate the data that comes from the user, especially 
when dealing with file related functions.

Randy

-Original Message-
From: daniel [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 9:22 AM
To: [EMAIL PROTECTED]
Subject: [PHP] opendir security hole


Hi, I am creating a web-based file manager for uploading files to the database.
To determine which dir I upload to I have the directory in the query string,
i.e. ?dir=blah. I have found a security flaw where if you type
dir=../../../../ it will show you the root dir of the server. How can I
lock into a directory when using opendir? Please let me know, thanks.



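Randy's open_basedir suggestion written out as a configuration fragment. This is added here and is not part of the thread; the upload path is an assumption.

```ini
; php.ini (or, per virtual host in Apache:
;   php_admin_value open_basedir "/var/www/app/uploads/:/tmp/")
; Every file function, opendir() included, is limited to these trees.
; The value is a prefix match, not a directory name: without the trailing
; slash, /var/www/app/uploads would also admit /var/www/app/uploads_old.
; Several roots are separated by ":" on Unix and ";" on Windows. The path
; is an assumption for this example.
open_basedir = /var/www/app/uploads/:/tmp/
```

With this in place, an opendir() on a directory outside the listed trees fails with an "open_basedir restriction in effect" warning and returns false, so the script must still check the return value before calling readdir(). It is a backstop for the whole server, not a substitute for validating the dir parameter in the script itself.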