Asked  2 Years ago    Answers:  5   Viewed   340 times

Greetings, I'm hoping to make my tiny program secure so that potential malicious users cannot view sensitive files on the server.

    $path = "/home/gsmcms/public_html/central/app/webroot/{$_GET['file']}";


    if(file_exists($path)) {
        echo file_get_contents($path);
    } else {
        header('HTTP/1.1 404 Not Found');
    }

Off the top of my head I know that input such as '../../../../../../etc/passwd' would be trouble, but wondering what other malcious inputs I should expect and how to prevent them.

 Answers

2

realpath() will let you convert any path that may contain relative information into an absolute path...you can then ensure that path is under a certain subdirectory that you want to allow downloads from.

Saturday, October 15, 2022
2

safe2() is clearly htmlspecialchars()

In place of safe1() you should really be using HTMLPurifier to sanitize complete blobs of HTML. It strips unwanted attributes, tags and in particular anything javascriptish. Yes, it's slow, but it covers all the small edge cases (even for older IE versions) which allow for safe HTML user snippet reuse. But check out http://htmlpurifier.org/comparison for alternatives. -- If you really only want to display raw user text there (no filtered html), then htmlspecialchars(strip_tags($src)) would actually work fine.

safe3() screams regular expression. Here you can really only apply a whitelist to whatever you actually want:

var a = "<?php echo preg_replace('/[^-wd .,]/', "", $xss)?>";

You can of course use json_encode here to get a perfectly valid JS syntax and variable. But then you've just delayed the exploitability of that string into your JS code, where you then have to babysit it.


Is it also safe in all browsers (specifically IE6)?

If you specify the charset explicitly, then IE won't do its awful content detection magic, so UTF7 exploits can be ignored.

Friday, August 12, 2022
 
5

Here are three possible solutions. The second are really just work-arounds that use absolute paths in a clever way.

1: chdir into the correct directory

<?php

// check if the 'StoredProcedure' folder exists in the current directory
// while it doesn't exist in the current directory, move current 
// directory up one level.
//
// This while loop will keep moving up the directory tree until the
// current directory contains the 'StoredProcedure' folder.
//
while (! file_exists('StoredProcedure') )
    chdir('..');

include_once "StoredProcedure/connect.php";
// ...
?>

Note that this will only work if your StoredProcedure folder is in the topmost directory of any files that might need to include the files it contains.

2: Use absolute paths

Now before you say this is not portable, it actually depends on how you implement it. Here's an example that works with Apache:

<?php
include_once $_SERVER['DOCUMENT_ROOT'] . "/StoredProcedure/connect.php";
// ...
?>

Alternatively, again with apache, put the following in your .htaccess in the root directory:

php_value auto_prepend_file /path/to/example.php

Then in example.php:

<?php

define('MY_DOC_ROOT', '/path/to/docroot');

?>

And finally in your files:

<?php
include_once MY_DOC_ROOT . "/StoredProcedure/connect.php";
// ...
?>

3: Set PHP's include_path

See the manual entry for the include_path directive. If you don't have access to php.ini, then this can be set in .htaccess, providing you are using Apache and PHP is not installed as CGI, like so:

php_value include_path '/path/to/my/includes/folder:/path/to/another/includes/folder'
Thursday, August 18, 2022
 
1

file_exists does nothing more than say whether a file exists (and the script is allowed to know it exists), resolving the path relative to the cwd. It does not care about the include path.

Tuesday, November 1, 2022
4

I think PHP itself will check the regex. Here's a sample script I made :

// check for input, and set max size of input
if(@!empty($_POST['regex'])
    && @!empty($_POST['text'])
    && strlen($_POST['regex'])<1000
    && strlen($_POST['text'])<2000
    ){
    // set script timeout in case something goes wrong (SAFE MODE must be OFF)
    $old_time=ini_get('max_execution_time');
    if(!set_time_limit(1)) die('SAFE MODE MUST BE OFF'); // 1 sec is more then enough

    // trim input, it's up to you to do more checks
    $regex=trim($_POST['regex']);
    // don't trim the text, it can be needed
    $input=$_POST['text'];
    // escape slashes
    $regex=preg_replace('/([\/]+)?//', '/', $regex);

    // go for the regex
    if([email protected]_match('/'.$regex.'/', $input, $matches)){
            // regex was tested, show results
            echo 'Matches: '.$matched.'<br />';
            if($matched>0){
                    echo 'matches: <br />';
                    foreach($matches as $i =>  $match){
                            echo $i.' = '.$match.'<br />';
                }
            }
    }
    // set back original execution time
    set_time_limit($old_time);
}

Anyways, NEVER EVER use eval() with user submitted strings.

Additionally, you can do some simple minimalistic sanitizing, but that's up to you. ;)

Tuesday, October 18, 2022
 
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :
 

Browse Other Code Languages