Adrian Ciutureanu pressed the little lettered thingies in this order...

> $allowed_path = '/www/sites/mysite/teaching';
> $file = realpath($file);
> if(ereg("^$allowed_path", $file)) {
>  // it's OK
> } else {
>  // possible attack!
> }
> 

This is not good code.

A user could replace the $file in the URL with this:
/www/sites/mysite/teaching/../../../../etc/passwd
Since it starts with $allowed_path, your code has just been fooled.

The basic problem that I have seen with posts to this thread is the fact 
that many people do not understand how Unix servers address and/or 
secure files. If what I have written above doesn't make any sense, 
please go and pick up a book that covers Unix/Linux security. If you 
don't, you are inviting a security breach.  You may or may not be aware 
of this, but many hackers know Unix, its security and its common 
vulnerabilities VERY well and they WILL exploit your code if it is 
exploitable.

Simply checking to see if a particular path exists in the URL will 
NEVER secure this issue.

Here's the script that I use:

<?php
require("common.php");
// Take the file name from the query string and delete every forward
// slash, so the name cannot step out of ./calendar/
$f = isset($_GET['f']) ? $_GET['f'] : '';
$f = str_replace("/", "", $f);
commonHeader("$f Source Code");
?>
<table border="1" cellpadding="3" cellspacing="0" bgcolor="#FFFFFF">
<tr><td>
<?
show_source("./calendar/$f");
?>
</td></tr>
</table>
<?
commonFooter();
?>

I explicitly declare the path and I delete all forward slashes. This means 
that if someone tries to send:
$f=calendar/../../../.../../../../etc/passwd
They instead send:
$f=calendar...............etcpasswd
And the server interprets this as:
./calendar/calendar...............etcpasswd

The bottom line is that no files outside of the intended directory will ever 
be viewable through this script, regardless of how clever, smart or 
devious the user might be.

I could have gotten a little more fancy and given warnings if there were 
forward slashes, but the point is this: If you are allowing real file names 
to be passed as the parameter, you HAVE to do one of two things:
1) Strip or otherwise block forward slashes and/or consecutive periods.
2) Declare the file path before the show_source() call and disallow 
consecutive periods (".."), forward slashes or both.  This is the method 
used at slashdot.

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Innovative Application Ideas
Meeting cutting edge dynamic
web site needs since the 
dawn of Internet time (1995)

For a good time,
http://www.AppIdeas.com/

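As an added example (written for this page, not code from either poster), a PHP check in the spirit of method 2 above: the directory is declared up front, the requested name is canonicalised with realpath(), and it is accepted only if it lands inside that directory. The sandbox directories, file names and the resolve_in_dir() helper are constructed for the demo.

```php
<?php
// Added example, not code from the original post or its quoted reply:
// serve only files that really live inside one fixed directory, by
// canonicalising the requested path and checking containment at a
// directory boundary, rather than by string-matching the raw URL value.

// Constructed sandbox so the script runs offline: a "calendar" directory
// holding one allowed file, plus a sibling "calendar_private" directory
// whose name shares the prefix (the case a bare prefix check misses).
$root = sys_get_temp_dir() . '/pathcheck_' . getmypid();
mkdir("$root/calendar", 0700, true);
mkdir("$root/calendar_private", 0700, true);
file_put_contents("$root/calendar/today.php", "<?php echo 'ok';");
file_put_contents("$root/calendar_private/secret.php", "<?php // hidden");

function resolve_in_dir($base, $requested)
{
    // realpath() collapses "." and "..", follows symlinks and returns
    // false for anything that does not exist, so both sides are compared
    // in canonical form.
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $requested);
    if ($baseReal === false || $target === false) {
        return null;
    }
    // Compare against the base plus a trailing separator: without it,
    // "/x/calendar_private/secret.php" would pass for base "/x/calendar".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

$cases = [
    'today.php',                                  // plain file name
    '../calendar_private/secret.php',             // sibling dir, shared prefix
    '../calendar_private/../calendar/today.php',  // steps out and back in
    '../../../../../../etc/passwd',               // far outside the tree
    'missing.php',                                // does not exist
];
foreach ($cases as $f) {
    $r = resolve_in_dir("$root/calendar", $f);
    printf("%-44s => %s\n", $f, $r === null ? 'rejected' : 'allowed');
}

// Remove the sandbox again.
foreach (["$root/calendar/today.php", "$root/calendar_private/secret.php"] as $p) unlink($p);
foreach (["$root/calendar", "$root/calendar_private", $root] as $d) rmdir($d);
```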
-- 
PHP General Mailing List (http://www.php.net/)