RE: file_exists

> >> Something like the following would be much better (untested)...
> >>
> >> $page = realpath(dirname(__FILE__).'/inc/'.$_GET['page'].'.php');
> >> $expecteddir = realpath(dirname(__FILE__).'/inc');
> >> if (substr($page, 0, strlen($expecteddir)) != $expecteddir)
> >> {
> >>      // Ideally return a 403 status here
> >>      die('Access denied');
> >> }
> >> // Now we know it's a file in the right directory
> >> if (file_exists($page))
> >> {
> >>      include($page);
> >> }
> >> else
> >> {
> >>      // Return a 404 status here
> >>      die('Resource not found');
> >> }
> >>
> >> That should lock the requested page to the given directory. If anyone 
> >> can see any way around that I'd be interested in hearing about it.
> >>
> >> -Stut
> >>
> >> -- 
> >> http://stut.net/
> > 
> > Good points about (.php, evil-payload, and evil-payload.php?).
> > 
> > Although I'll defer to a security expert, your modification looks good to not include a remote site's code.
> > But on a shared host, what about this?:
> > index.php?page=../../../../../../../../../../../../home/evil-user-home-dir/evil-payload.php
> > 
> > If that gives something like:
> > $expecteddir === "/home/stut/phpstuff/inc/../../../../../../../../../../../../home/evil-user-home-dir/evil-payload.php"
> > maybe it will include "/home/evil-user-home-dir/evil-payload.php"
> > 
> 
> No, you've missed the point. $expecteddir is a fixed variable that you, 
> the script author, specify. It does not contain anything coming from 
> external variables. You then compare the full path you build from the 
> external variables to $expecteddir to verify that the file is in the 
> right directory.
> 
> I suggest you read the code I posted again.
> 
> -Stut

I meant if $page evaluates to "/home/stut/phpstuff/inc/../../../../../../../../../../../../home/evil-user-home-dir/evil-payload.php"
which it does not.

However I don't think your if (substr($page, 0, strlen($expecteddir)) != $expecteddir)
ever evaluates to TRUE.  So you'll never get Access denied.

So how you set $page saved your ass.  Good job.

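Added example, not Stut's posted code or anything from the list: it wraps the realpath prefix check from the thread in a function and runs it against a throwaway directory, so whether the `if` ever evaluates to TRUE can be observed directly. The function name resolve_page, the fixture paths and the sample page names are assumptions.

```php
<?php
// Resolve a requested page name to a file inside $baseDir, or return null
// when the resolved path escapes that directory or the file does not exist.
function resolve_page(string $baseDir, string $requested): ?string
{
    $expecteddir = realpath($baseDir);
    if ($expecteddir === false) {
        return null; // the include directory itself is missing
    }
    // Compare against the directory plus a trailing separator so that only
    // entries *inside* the directory qualify, not merely paths sharing its prefix.
    $prefix = rtrim($expecteddir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() returns false for a nonexistent file, so a missing page and an
    // escaped path are both rejected by the same comparison.
    $page = realpath($expecteddir . '/' . $requested . '.php');
    if ($page === false || strncmp($page, $prefix, strlen($prefix)) !== 0) {
        return null; // caller should answer 403 (escaped) or 404 (missing)
    }
    return $page;
}

// --- constructed fixture: a temporary inc/ directory with one legitimate page
$tmp = sys_get_temp_dir() . '/incdemo_' . bin2hex(random_bytes(4));
mkdir("$tmp/inc", 0700, true);
mkdir("$tmp/outside", 0700);
file_put_contents("$tmp/inc/home.php", "<?php // legitimate page\n");
file_put_contents("$tmp/outside/other.php", "<?php // not under inc/\n");

$cases = [
    'home',              // inside inc/          -> allowed
    '../outside/other',  // resolves outside inc/ -> denied
    'missing',           // no such file          -> denied
];
foreach ($cases as $req) {
    $result = resolve_page("$tmp/inc", $req);
    printf("%-18s => %s\n", $req,
        $result === null ? 'denied' : 'allowed: ' . basename($result));
}

// remove the fixture again
unlink("$tmp/inc/home.php");
unlink("$tmp/outside/other.php");
rmdir("$tmp/inc");
rmdir("$tmp/outside");
rmdir($tmp);
```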
