On Fri, Jul 27, 2001 at 06:05:25PM +0100, Julian Hall wrote:
> Is anyone really that naive? I, and I'm sure most other PHP users, would
> automatically write:
>
> <?php
> $themefile = "themes/$theme.inc";
> include ($themefile);
> ?>
>
> If I was even remotely thinking about security I would check for the presence
> of directory separator characters in $theme (as it stands obviously the code
> would allow the inclusion of any file with the '.inc' suffix). You never
> include code from a filename specified directly by the user. That's a primary
> rule, and applies to server applications written in any language, not just PHP
> and other similar systems.

What about checking like this?

<?php
// strip everything that is not alphanumeric, then fix prefix and suffix
$themefile = "/your/document/root/"
    . ereg_replace('([^a-zA-Z0-9])*', '', $theme)
    . ".inc";
if (is_readable($themefile))
    include ($themefile);
else
    include ("/your/document/root/default.inc");
?>

There is no possibility to browse your directory structure for including files,
because only alphanumeric characters are passed and prefix and suffix are
defined.

Checking whether the file is readable for the HTTP daemon is better than
checking only whether the file exists, because it could be unreadable; then an
error occurs and a message including the full path to the file is printed out:

Warning: Failed opening '/your/document/root/test.inc' for inclusion (include_path='') in /your/document/root/theme.php on line 8

You could define more valid characters to pass the security filter, e.g. _ or -.

regards,

-- 
-- salo <saloat_private>            ASCII Ribbon campaign against   /"\ --
-- http://Xtrmntr.org/salo.pgp      e-mail in gratuitous HTML and   \ / --
--                                  Microsoft proprietary formats    X  --
--                                                                  / \ --
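An added example, not code from either poster: the allowlist variant of the same check, written for current PHP (ereg_replace() was removed in PHP 7.0). Instead of stripping characters from the user's string, the application keeps a fixed list of theme names it ships and maps the name to a file itself; the realpath() containment check and the is_readable() fallback from the reply are kept. The theme names, directory and file contents below are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. Theme names, the
// temporary directory and the .inc contents are constructed for illustration.

const DEFAULT_THEME  = 'default';
const ALLOWED_THEMES = ['default', 'dark', 'light']; // themes the app ships

/**
 * Map an untrusted theme name to the absolute path of its include file.
 * Unknown names, files outside $dir and unreadable files all resolve to the
 * default theme, so include() never receives a caller-chosen path and never
 * emits the path-revealing "Failed opening" warning.
 */
function resolve_theme_file(string $theme, string $dir, array $allowed = ALLOWED_THEMES): string
{
    $default = $dir . DIRECTORY_SEPARATOR . DEFAULT_THEME . '.inc';

    // Exact, strict match against the allowlist. Nothing is stripped or
    // rewritten: "../passwd" or "dark\0" is simply not a theme name.
    if (!in_array($theme, $allowed, true)) {
        return $default;
    }

    $candidate = $dir . DIRECTORY_SEPARATOR . $theme . '.inc';
    $realDir   = realpath($dir);
    $real      = realpath($candidate);

    // realpath() resolves symlinks; confirm the result is still inside $dir.
    $inside = $real !== false && $realDir !== false
        && strncmp($real, $realDir . DIRECTORY_SEPARATOR, strlen($realDir) + 1) === 0;

    // is_readable(), as in the reply above, avoids the warning for a file the
    // HTTP daemon cannot open.
    if (!$inside || !is_readable($real)) {
        return $default;
    }
    return $real;
}

// Self-contained demo: build a throwaway theme directory and exercise the
// function with constructed inputs, including a traversal attempt, a NUL
// byte, a case mismatch and an allowlisted theme whose file is missing.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'themes_' . uniqid();
mkdir($dir, 0700);
file_put_contents("$dir/default.inc", "<?php \$title = 'Default theme';\n");
file_put_contents("$dir/dark.inc",    "<?php \$title = 'Dark theme';\n");
// 'light' is allowlisted but has no file: it must fall back to default.inc.

$cases = ['dark', 'light', '../../etc/passwd', "dark\0", 'DARK', ''];
foreach ($cases as $input) {
    $file = resolve_theme_file($input, $dir);
    include $file;            // sets $title
    printf("%-22s -> %s (%s)\n", json_encode($input), basename($file), $title);
}

array_map('unlink', glob("$dir/*.inc"));
rmdir($dir);
```

Only the exact name `dark` resolves to dark.inc; every other input in the demo, including the traversal string and the allowlisted-but-missing `light`, lands on default.inc without PHP printing a warning. The allowlist also removes the question the reply leaves open (which extra characters such as `_` or `-` are safe to let through), because the user's string is compared, never used to build a path.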
This archive was generated by hypermail 2b30 : Fri Jul 27 2001 - 11:04:21 PDT