On Sun, Apr 5, 2009 at 9:06 PM, Brian Williams <[email protected]> wrote:
> phpinfo() pish...
>
> $user_input = "`rm -Rf /`"
>
> nuff said.
>
> in case it wasn't - backticks are basically the shortcut to get PHP to
> execute something on the command line.
I don't understand how this has any impact on the OP's code. The backticks
would simply be written to the log file. If you are careless enough to try to
execute a log file as a shell script then you might as well erase your disk.

> always check incoming user data.

Actually I do not validate incoming data. At least not when it is first
received. I assume everything is tainted until it gets to the point where it
really matters and then I validate it there. If I'm writing some field to a
database, I always escape the data just before it's inserted, so if someone
supplies total garbage it doesn't matter. As long as it's escaped it's
completely benign (to the database).

In fact I would go so far as to say that validating data at the point of entry
is a coding error. For example, Joomla! validates usernames before it passes
them to authentication plugins. This is an error because Joomla! does not know
what a valid username is in the context of the external authority. At one
point Joomla! would not work with OpenID or Windows Active Directory because
it explicitly excluded certain characters that were valid for those external
authorities. The proper solution is to allow the authentication plugin to
define username validation and provide a default implementation that can
easily be overridden.

Note that even though validating data when it is first received is not
critical to security, escaping output /is/ critical to security. So it's ok to
receive garbage. Just don't send garbage.

This leads me back to the OP's question of "do I need to validate user input
that is written to a log file?". The answer is no, but you do need to escape
(or rather remove, truncate or flatten) anything that you don't want to end up
being read by a program that reads log files, like passwords and excessively
long messages that might fill up the disk or prevent someone from viewing the
log.
Mike

> On Sun, Apr 5, 2009 at 8:56 PM, Konstantin Rozinov <[email protected]>
> wrote:
>>
>> Hey guys,
>>
>> I have a question about logging messages.
>>
>> Is it safe to log unsanitized, unvalidated user-inputted data into a
>> logfile?
>>
>> For example, if I have a function called check_username(), which
>> checks that the username only consists of A-Za-z0-9, is it safe to
>> have check_username() write to a logfile that it was called on the
>> particular user-inputted string, like so:
>>
>> Function definition:
>> function check_username($username, &$error)
>> {
>>     .. set $log_file...
>>
>>     /* print out informational message. */
>>     error_log(__FUNCTION__ . '(' . $username . '): called.', 3, $log_file);
>>
>>     ..check the username for correctness..
>> }
>>
>> Function called like so:
>> check_username($_POST['username'], $error);
>>
>> Output to logfile:
>> check_username(user1): called.
>>
>>
>> Is it possible for an attacker to submit a specific string as the
>> $username to somehow "escape" out of the error_log() function and have
>> code executed instead (like calling phpinfo())?
>>
>>
>>
>> thanks,
>> Konstantin
>> _______________________________________________
>> New York PHP User Group Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> http://www.nyphp.org/show_participation.php
>
>
>

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
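As an added illustration (not code from the thread or from either poster), here is one way to apply the "remove, truncate or flatten" advice above to the OP's check_username(): control characters and newlines are made visible and the value is capped in length before it reaches error_log(), so a log reader cannot be shown a forged second record and one oversized request cannot fill the disk. The log path and the 256-byte limit are assumptions for the example.

```php
<?php
// Flatten an untrusted value so it is safe to embed in a single log record.
// Newlines and other control characters become visible "\xNN" escapes,
// which keeps one request from forging extra lines in the log.
function flatten_for_log(string $value, int $max_len = 256): string
{
    $flat = preg_replace_callback(
        '/[\x00-\x1F\x7F]/',
        function (array $m): string {
            return sprintf('\\x%02X', ord($m[0]));
        },
        $value
    );

    // Cap the length so an excessively long value cannot bloat the log
    // or make it unreadable; mark the cut so the reader knows it happened.
    if (strlen($flat) > $max_len) {
        $flat = substr($flat, 0, $max_len) . '...[truncated]';
    }
    return $flat;
}

function check_username(string $username, ?string &$error): bool
{
    $log_file = '/tmp/check_username.log'; // assumed path for this example

    // Informational message, written with message type 3 (append to file).
    // error_log() adds no newline in this mode, so we terminate the record
    // ourselves; the raw value is flattened first, never logged verbatim.
    error_log(
        __FUNCTION__ . '(' . flatten_for_log($username) . "): called.\n",
        3,
        $log_file
    );

    // The actual validation the OP described: A-Za-z0-9 only.
    if (preg_match('/\A[A-Za-z0-9]+\z/', $username) !== 1) {
        $error = 'username may only contain A-Z, a-z and 0-9';
        return false;
    }
    $error = null;
    return true;
}

// Constructed inputs: a benign name, and one carrying an embedded newline,
// which now lands in the log as "user1\x0A..." on a single line.
check_username('user1', $err);
check_username("user1\nsecond line", $err);
```

The log still faithfully records what was submitted, just in a form that stays one record per call, which is the point Mike makes about escaping output rather than rejecting input.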
