If allow_url_include is turned off, you don't have to worry much about http. If '.' is an invalid char, you can't include *.php... The include path probably should be the inc (whatever the name) folder (not accessible from web) instead of the web root, and '..' should be disallowed.

On Fri, Apr 16, 2010 at 4:09 PM, Micky Hulse <mickyhulse.lists@xxxxxxxxx> wrote:
> Hi,
>
> Code:
>
> =========
>
> ob_start();
> switch ($this->command)
> {
>     case 'include':
>         @include($x);
>         break;
>     default:
>         @readfile($x);
> }
> $data = ob_get_contents();
> ob_end_clean();
>
> =========
>
> The above code snippet is used in a class which would allow developers
> (of a specific CMS) to include files without having to put php include
> tags on the template view.
>
> The include path will be using the server root path, and the include
> files will probably be stored above the web root.
>
> My question:
>
> What would be the best way to "clean" and secure the include string?
>
> Maybe something along these lines (untested):
>
> $invalidChars = array(".", "\\", "\"", ";"); // things to remove.
> $include_file = strtok($include_file, '?'); // No need for query string.
> $include_file = str_replace($invalidChars, "", $include_file);
>
> What about checking to make sure the include path is root relative,
> vs. http://...?
>
> What do y'all think? Any suggestions?
>
> Many thanks in advance!
>
> Cheers,
> Micky
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
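The following is an added example, not code from either message in the thread, showing one way to put the reply's advice into practice: keep includes in a fixed directory outside the web root, reject '..' and any wrapper or URL scheme before the name ever reaches include(), and confirm with realpath() that the resolved file still sits under that directory. The base directory constant, the allowed extensions, and the self-check at the bottom (which creates a throwaway temp directory) are assumptions chosen for illustration.

```php
<?php
// Added example: hardened replacement for the "clean the include string" idea.
// INCLUDE_BASE is a hypothetical directory outside the web root; adjust to taste.
const INCLUDE_BASE = '/var/www/app/inc';

// Only these extensions may be included or read back; assumption for the example.
const ALLOWED_EXTENSIONS = ['php', 'html', 'txt'];

/**
 * Map a developer-supplied template name to an absolute path inside $base,
 * or return null if the name is not acceptable.
 */
function resolve_include(string $name, string $base = INCLUDE_BASE): ?string
{
    // 1. Drop any query string ("header.php?x=1" -> "header.php"), as the
    //    original post already does.
    $name = explode('?', $name, 2)[0];

    // 2. Allow only a conservative character set. A colon is not in it, so
    //    "http://", "php://", "data:" and friends are rejected up front; so are
    //    backslashes and NUL bytes.
    if (!preg_match('~^[A-Za-z0-9_][A-Za-z0-9_\-/.]*$~', $name)) {
        return null;
    }

    // 3. Reject traversal and empty segments explicitly ("..", "a//b", "/a").
    foreach (explode('/', $name) as $segment) {
        if ($segment === '..' || $segment === '') {
            return null;
        }
    }

    // 4. Require a known extension, so "foo" or "foo.ini" cannot be pulled in.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // 5. Canonicalise both sides (this also follows symlinks) and confirm the
    //    target is still inside the base directory.
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($baseReal === false || $target === false) {
        return null;
    }
    if (strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

/**
 * Same shape as the snippet from the original post, but it never calls
 * include() or readfile() on an unresolved name and does not need the @.
 */
function render_include(string $name, string $command, string $base = INCLUDE_BASE): string
{
    $path = resolve_include($name, $base);
    if ($path === null) {
        // Log here in a real application; returning nothing is safer than guessing.
        return '';
    }
    ob_start();
    if ($command === 'include') {
        include $path;
    } else {
        readfile($path);
    }
    return ob_get_clean();
}

// Self-check against a constructed temporary include directory (not a real path).
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($tmp, 0700);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'header.txt', "hello from header\n");

var_dump(resolve_include('header.txt', $tmp));
var_dump(resolve_include('header.txt?x=1', $tmp));
var_dump(resolve_include('../header.txt', $tmp));
var_dump(resolve_include('http://example.com/x.txt', $tmp));
var_dump(resolve_include('php://filter/resource=header.txt', $tmp));
var_dump(render_include('header.txt', 'readfile', $tmp));

unlink($tmp . DIRECTORY_SEPARATOR . 'header.txt');
rmdir($tmp);
```

Run it with the PHP CLI: the first two lookups resolve to the temp file, the traversal, URL and wrapper names come back as null, and render_include() returns the file contents for the accepted name. The character allowlist in step 2 is deliberately narrower than the "remove bad characters" approach from the original post; stripping characters can turn one rejected name into a different accepted one, whereas rejecting the whole name cannot.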