Linux Users' Group of Davis
Page last updated:
2002 Jun 06 21:01

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] php security (was: another php question)

On Thu, Jun 06, 2002 at 02:12:25PM -0700, Tim Riley wrote:
> Matt Roper wrote:
> > With this solution, what keeps people from using something like
> > "../../../etc/shadow" as $arg?  You'd probably need to strip out slashes
> > and ..'s to be safe...
> >
> > Matt
> >
> Good thinking Matt and Jeff. How about
> $file2open = ( substr( $arg[ 1 ], 0, 1 ) == "." )
>                 ? ""
>                 : $APPLICATION_HOME_DIRECTORY . $arg[ 1 ];
> This checks the first character for a dot by using the substring function
> inside
> the ternary operator. If someone tries to penetrate your system, file2open
> will fail.

That's not enough. What about foo/../../../etc/shadow?

A real solution, in my mind, is to break up the path using / (or its 
HTML-encoded equivalent, %2f) as a divider, to get a list of directories 
to traverse. Then, traverse directories one by one down the list, and when 
you reach the filename, check to see if you're above 

Alternately, if you don't have files in multiple directories, just check 
the given filename for slashes. If any are found, give an error; else, 
feed them the file. 

Yet another way (I'm on a roll tonight) is to have a table in your 
function, mapping (say)

1 => "/home/me/cars/mustang.dat"
2 => "/home/me/cars/camaro.dat"
... etc. 

Then, just access /path/to/script.php?file=N to get a file displayed, and 
look up N in your table, and display the appropriate file or give an 

> >
> > On Thu, Jun 06, 2002 at 12:20:31PM -0700, Tim Riley wrote:
> > > An easy way around exposing /etc/anything is to do what Apache does with
> > > HTML documents: only reference documents inside a relative directory.
> > >
> > > e.g., $file2open = $APPLICATION_HOME_DIRECTORY . $arg[ 1 ]
> > >

Samuel Merritt
PGP key is at http://wwwcsif.cs.ucdavis.edu/~merritt/snmerritt.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/

Attachment: pgp00001.pgp
Description: PGP signature
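The three defences sketched in the post (walk the path segment by segment and refuse to climb above the application directory; reject any slash at all; map a numeric key to a fixed table of filenames), shown next to the two checks the thread found wanting, as an added example that is not code from the original post. $APPLICATION_HOME_DIRECTORY and $arg are the thread's own names; the function names, the sample inputs and the table contents are assumptions made for the example. Two details the post does not mention are included because a practitioner would want them: the input is percent-decoded once before splitting, so "%2f" is treated as a separator exactly as the post suggests, and a NUL byte in the input is rejected, since PHP of that era truncated filenames at the first NUL.

```php
<?php
// Added example, not from the original post. Names and sample inputs
// other than $APPLICATION_HOME_DIRECTORY and $arg are assumptions.

$APPLICATION_HOME_DIRECTORY = '/home/me/cars/';

// The bare prefix from the first message in the thread: no check at all,
// so "../../../etc/shadow" walks straight out of the home directory.
function open_prefix_only($arg) {
    global $APPLICATION_HOME_DIRECTORY;
    return $APPLICATION_HOME_DIRECTORY . $arg;
}

// The leading-dot check: stops "../x" but not "foo/../../../etc/shadow".
function open_leading_dot($arg) {
    global $APPLICATION_HOME_DIRECTORY;
    return (substr($arg, 0, 1) == '.') ? '' : $APPLICATION_HOME_DIRECTORY . $arg;
}

// Defence 1: split on '/' (after one round of %xx decoding, so "%2f" is a
// separator too), walk the segments, and refuse to step above the home
// directory. Returns false on any attempt to escape.
function open_walk_segments($arg) {
    global $APPLICATION_HOME_DIRECTORY;
    if (strpos($arg, "\0") !== false) {   // old PHP truncated paths at NUL
        return false;
    }
    $stack = array();
    foreach (explode('/', rawurldecode($arg)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                     // "a//b" and "a/./b" are harmless
        }
        if ($seg === '..') {
            if (count($stack) == 0) {
                return false;             // would climb above the home directory
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $seg;
    }
    if (count($stack) == 0) {
        return false;                     // nothing left to open
    }
    return $APPLICATION_HOME_DIRECTORY . implode('/', $stack);
}

// Defence 2: files live in one directory, so any separator is an error.
function open_no_slashes($arg) {
    global $APPLICATION_HOME_DIRECTORY;
    $name = rawurldecode($arg);
    if ($name === '' || $name === '.' || $name === '..'
        || strpos($name, '/') !== false || strpos($name, "\0") !== false) {
        return false;
    }
    return $APPLICATION_HOME_DIRECTORY . $name;
}

// Defence 3: look the number up in a fixed table; user input never
// becomes part of a path.
function open_by_table($n) {
    $table = array(
        1 => '/home/me/cars/mustang.dat',
        2 => '/home/me/cars/camaro.dat',
    );
    if (!preg_match('/^[0-9]+$/', (string) $n)) {
        return false;
    }
    return isset($table[(int) $n]) ? $table[(int) $n] : false;
}

// Constructed sample inputs, including the two payloads from the thread.
$inputs = array('mustang.dat', '../../../etc/shadow', 'foo/../../../etc/shadow',
                '..%2f..%2fetc%2fshadow', 'sub/../camaro.dat');
foreach ($inputs as $in) {
    printf("%-28s prefix=%s\n%-28s dot=%s\n%-28s walk=%s noslash=%s\n", $in,
        open_prefix_only($in), '', var_export(open_leading_dot($in), true), '',
        var_export(open_walk_segments($in), true),
        var_export(open_no_slashes($in), true));
}
foreach (array('1', '2', '3', '1; ls') as $n) {
    printf("table[%s]=%s\n", $n, var_export(open_by_table($n), true));
}
```

Run it with `php` on the command line: the prefix and leading-dot variants hand back paths under /etc for the two traversal payloads, while open_walk_segments() and open_no_slashes() return false for them and still serve "mustang.dat". Of the three defences the table lookup is the one to prefer whenever the set of files is small and known in advance, because the request parameter is never used as a path at all; the segment walk is for the case where files really do live in several subdirectories under the application home.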
