Re: case insensitive file system




Ruslan Sivak wrote on Wed, 30 Apr 2008 10:29:25 -0400:

> And inside index.php it does something like
> 
> <? include($_GET['page'].".php") ?>
> 
> This is a gross simplification, but it's my understanding that if the 
> file was named 'foo.php' and someone typed in
> 
> http://www.domain.com/index.php?action=Foo

Did you mean page=Foo?

I hope that was really just an example. If you take that input unchecked 
and include other files with it, your security is non-existent.

> 
> It would still work on windows, but not on linux because of case 
> sensitivity.

Simple: downcase all variable input that you need for further processing.

If it's not external input, but your application simply does not 
differentiate between cases and sometimes includes "Somepage.php" and 
sometimes "somepage.php", that is really bad programming and it's also 
easily solved by a find/replace. Nothing big.


Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
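
One way to do both things the reply above asks for, checking the input and lowercasing it before use, shown as an added example that is not part of the original message. The resolve_page() helper, the pages directory and the sample file names are hypothetical.

```php
<?php
// Added example, not code from the thread. resolve_page(), the pages
// directory and the sample file names are hypothetical.

/**
 * Map a user-supplied page name to an existing file in $pagesDir, or null.
 * The allowlist is built from the files on disk and keyed by lowercase name,
 * so the lookup is case-insensitive on any file system and the request
 * value is never concatenated into a path.
 */
function resolve_page(string $pagesDir, $requested): ?string
{
    if (!is_string($requested)) {        // ?page[]=x arrives as an array
        return null;
    }
    $allowed = [];
    foreach (glob($pagesDir . '/*.php') ?: [] as $file) {
        $allowed[strtolower(basename($file, '.php'))] = $file;
    }
    return $allowed[strtolower($requested)] ?? null;
}

// Constructed sample data: a throwaway pages directory with two pages.
$dir = sys_get_temp_dir() . '/pages_' . uniqid();
mkdir($dir);
file_put_contents("$dir/foo.php", "<?php echo 'foo page';");
file_put_contents("$dir/About.php", "<?php echo 'about page';");

// Constructed request values, as they would arrive in $_GET['page'].
$samples = ['Foo', 'foo', 'ABOUT', 'foo.php', '../config',
            'http://example.invalid/x', ['foo']];
foreach ($samples as $page) {
    $file = resolve_page($dir, $page);
    printf("%-28s => %s\n", json_encode($page, JSON_UNESCAPED_SLASHES),
           $file === null ? 'rejected (404)' : basename($file));
}

// In index.php the result would be used like this:
//   $file = resolve_page(__DIR__ . '/pages', $_GET['page'] ?? 'home');
//   if ($file === null) { http_response_code(404); exit; }
//   include $file;

array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

Because the included path always comes from the directory listing rather than from the request, a name that differs only in case resolves to the same file on Linux and Windows, and anything not on disk in that directory is rejected.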



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
