From: Micky Hulse on
Hi,

Code:

=========

ob_start();
switch ($this->command)
{
	case 'include':
		@include($x);
		break;
	default:
		@readfile($x);
}
$data = ob_get_contents();
ob_end_clean();

=========

The above code snippet is used in a class which would allow developers
(of a specific CMS) to include files without having to put php include
tags on the template view.

The include path will be using the server root path, and the include
files will probably be stored above the web root.

My question:

What would be the best way to "clean" and secure the include string?

Maybe something along these lines (untested):

$invalidChars=array(".","\\","\"",";"); // things to remove.
$include_file = strtok($include_file,'?'); // No need for query string.
$include_file=str_replace($invalidChars,"",$include_file);

What about checking to make sure the include path is root relative,
vs. http://...?

What do y'all think? Any suggestions?

Many thanks in advance!

Cheers,
Micky
From: Ryan Sun on
If allow_url_include is turned off, you don't have to worry much about http.
If '.' is an invalid char, you can't include *.php...
The include path should probably be the inc (whatever the name)
folder (not accessible from the web) instead of the web root, and '..'
should be disallowed.

On Fri, Apr 16, 2010 at 4:09 PM, Micky Hulse <mickyhulse.lists(a)gmail.com> wrote:
> Hi,
>
> Code:
>
> =========
>
> ob_start();
> switch ($this->command)
> {
>       case 'include':
>               @include($x);
>               break;
>       default:
>               @readfile($x);
> }
> $data = ob_get_contents();
> ob_end_clean();
>
> =========
>
> The above code snippet is used in a class which would allow developers
> (of a specific CMS) to include files without having to put php include
> tags on the template view.
>
> The include path will be using the server root path, and the include
> files will probably be stored above the web root.
>
> My question:
>
> What would be the best way to "clean" and secure the include string?
>
> Maybe something along these lines (untested):
>
> $invalidChars=array(".","\\","\"",";"); // things to remove.
> $include_file = strtok($include_file,'?'); // No need for query string.
> $include_file=str_replace($invalidChars,"",$include_file);
>
> What about checking to make sure the include path is root relative,
> vs. http://...?
>
> What do ya'll think? Any suggestions?
>
> Many thanks in advance!
>
> Cheers,
> Micky
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
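One way to apply Ryan's three points (no URL includes, a fixed directory outside the web root, no '..') to the switch posted above. This is an added example, not code from the thread or from the CMS being discussed; the function names resolveIncludePath() and renderInclude(), the $baseDir parameter and the extension whitelist are assumptions for illustration. Unlike the character-stripping approach in the original post, it keeps dots in file names (so "header.php" still works) and instead rejects whole path segments, then confirms with realpath() that the resolved file really sits under the base directory.

```php
<?php
declare(strict_types=1);

// Added example: hardened replacement for the include/readfile switch.
// Assumed helper names; not part of the CMS discussed in the thread.

/**
 * Resolve a developer-supplied include name to an absolute path that is
 * guaranteed to live inside $baseDir, or throw.
 */
function resolveIncludePath(string $baseDir, string $name, array $allowedExt = ['php', 'html', 'txt']): string
{
    // Reject URL wrappers (http://, php://, ...) and absolute paths outright.
    if ($name === '' || $name[0] === '/' || preg_match('#^[a-z][a-z0-9+.-]*:#i', $name)) {
        throw new InvalidArgumentException('include name must be a relative path');
    }
    // NUL bytes and backslashes have no business in a template name.
    if (strpos($name, "\0") !== false || strpos($name, '\\') !== false) {
        throw new InvalidArgumentException('include name contains a forbidden byte');
    }
    // Reject empty, '.' and '..' segments; dots inside a file name stay allowed.
    foreach (explode('/', $name) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            throw new InvalidArgumentException('include name contains an invalid path segment');
        }
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException('file type not allowed');
    }

    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('include base directory does not exist');
    }
    // realpath() also resolves symlinks, so a link pointing outside $baseDir
    // fails the prefix check below.
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($full === false || !is_file($full) || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('file not found inside include directory');
    }
    return $full;
}

/** Same behaviour as the original switch, but only on a validated path. */
function renderInclude(string $baseDir, string $name, string $command): string
{
    $path = resolveIncludePath($baseDir, $name);
    // allow_url_include should additionally be Off in php.ini (Ryan's first point).
    ob_start();
    try {
        if ($command === 'include') {
            include $path;
        } else {
            readfile($path);
        }
        return (string) ob_get_contents();
    } finally {
        ob_end_clean();
    }
}

// Demo on a constructed temporary directory so the script runs anywhere.
$tmp = sys_get_temp_dir() . '/inc_demo_' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);
file_put_contents($tmp . '/header.php', '<?php echo "hello from header";');
file_put_contents($tmp . '/notes.txt', 'plain text notes');

echo renderInclude($tmp, 'header.php', 'include'), "\n";
echo renderInclude($tmp, 'notes.txt', 'readfile'), "\n";

// Constructed inputs that the resolver must refuse.
foreach (['../outside.php', 'http://example.com/x.php', '/etc/hosts', 'config.ini'] as $rejected) {
    try {
        renderInclude($tmp, $rejected, 'include');
    } catch (Exception $e) {
        echo 'rejected ', json_encode($rejected), ': ', $e->getMessage(), "\n";
    }
}

unlink($tmp . '/header.php');
unlink($tmp . '/notes.txt');
rmdir($tmp);
```

The realpath() prefix check is the part that does the real work: even if a future change to the segment filter lets something odd through, a file can only be served when its canonical location starts with the base directory. Keeping the @ error suppression out also means a failed include surfaces in the logs instead of silently producing an empty template.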
From: Micky Hulse on
> If allow_url_include is turned off, you don't have to worry much about http.
> If '.' is an invalid char, you can't include *.php...
> The include path should probably be the inc (whatever the name)
> folder (not accessible from the web) instead of the web root, and '..'
> should be disallowed.

Hi Ryan! Many thanks for your help, I really appreciate it. :)

How does this look:

<http://sandbox.hulse.me/secure_inc_str.txt>

How could my code be improved?

Thanks again for the help, I really appreciate it. :)

Cheers,
Micky