tedd wrote:
At 11:06 PM +0000 11/15/07, Stut wrote:
The realpath function will reduce your definition of $page to
"/home/evil-user-home-dir/evil-payload.php"
$expecteddir is set to "/home/stut/phpstuff/inc"
The if takes the first strlen($expecteddir) characters of the reduced
$page and compares it to $expecteddir.
If they don't match then it means the requested file is outside your
"safe" directory, hence access denied. If they do match then it's safe
to include the file.
-Stut
-Stut:
What about this?
<?php
$origwd = getcwd();
while (!file_exists('common'))
{
    $prevwd = getcwd();
    if (basename($prevwd) == "httpdocs")
    {
        echo('not found<br/>');
        exit;
    }
    chdir('..');
}
include('common/includes/header.php');
chdir($origwd);
?>
I have a common set of includes that most of my test scripts find and
use. Unless I'm not understanding the problem here, this looks like
something that might work. It simply looks for the files it needs in an
approved path. I don't see any way to circumvent this, do you?
Since nothing in there comes from external variables it should be pretty
safe, but this is not what the OP was doing.
It's also worth noting that what you're doing there is quite inefficient.
I have a similar arrangement where I have a directory containing the
include files, but I locate it in a different way. Most sites I deal
with have an auto-prepended file containing (among other things) this
line...
ini_set('include_path',
dirname(__FILE__).'/../code'.PATH_SEPARATOR.ini_get('include_path'));
This adds the code subdirectory (relative to the location of the
prepended file) to the include path. I then don't need to worry about
where I am when I want to include a file.
When a site goes into production I remove this line and set it in the
virtualhost definition since there's no reason to re-calculate it on
every request.
-Stut
--
http://stut.net/
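
The realpath() prefix check described in the quoted message, written out as an added example that is not code from the thread. The function name safe_include_path() and the temporary directory layout are assumptions; it goes one step beyond the description by comparing against the directory plus a trailing separator, so a sibling directory that shares the prefix is denied.

```php
<?php
// Added example, not from the thread. safe_include_path() and the sandbox
// layout below are hypothetical names chosen for the demonstration.

/**
 * Return the canonical path of $page if it resolves inside $baseDir,
 * or null if it does not exist or resolves outside that directory.
 */
function safe_include_path(string $baseDir, string $page): ?string
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page);
    if ($base === false || $real === false) {
        return null; // realpath() returns false for a missing path
    }
    // Compare against the base plus a trailing separator, so ".../inc-evil"
    // does not pass a check that was meant for ".../inc".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sandbox: inc/ is the approved directory, inc-evil/ a sibling.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir("$root/inc", 0700, true);
mkdir("$root/inc-evil", 0700, true);
file_put_contents("$root/inc/header.php", "<?php // header\n");
file_put_contents("$root/inc-evil/payload.php", "<?php // outside\n");

// Constructed requests and the decision each one should get.
$cases = [
    'header.php'              => true,  // inside inc/
    './header.php'            => true,  // same file, non-canonical spelling
    '../inc-evil/payload.php' => false, // exists, but outside inc/
    'missing.php'             => false, // does not exist
];
foreach ($cases as $page => $expected) {
    $allowed = safe_include_path("$root/inc", $page) !== null;
    printf("%-26s %s\n", $page, $allowed ? 'allowed' : 'denied');
    if ($allowed !== $expected) {
        throw new RuntimeException("unexpected decision for $page");
    }
}

// Remove the sandbox again.
array_map('unlink', glob("$root/*/*.php"));
rmdir("$root/inc");
rmdir("$root/inc-evil");
rmdir($root);
```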