|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2004-10-20 09:50 UTC] guth at fiifo dot u-psud dot fr
Description:
------------
hello,
includes (include, require, etc.) are not binary safe.
It is very dangerous for beginners, who often use includes with parameters.
In the following example, i kwow that you can test the file name with pathinfo() but the current PHP behaviour is incorrect.
Reproduce code:
---------------
<?php
$file = $_GET['file'];
$path = $_SERVER['DOCUMENT_ROOT']."/includes/".$file.".class.php";
if(is_file($path)) {
include $path;
}
?>
Expected result:
----------------
index.php?file=Forum
Should work.
I suppose that the directory backups/Database.xml is protected by a .htaccess and is not accessible with your browser.
index.php?file=../backups/Dabatase.xml%00
Should not work.
Actual result:
--------------
index.php?file=Forum
Should work.
index.php?file=../backups/Dabatase.xml%00
Works !
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Wed Sep 18 21:01:26 2024 UTC |
I know it is up to the PHP programmer to take care of. But you know perfectly well that you can't trust PHP programmers. Most of them don't know about this sort of security problems and it should be at least documented in the security part of the documentation. Some providers (ie : free.fr) disallow \0 in includes. Is it possible to add a configuration directive in the php.ini file to disally null characters ? Additionaly, I asked for file : /www/includes/../backups/Database.xml\0.class.php Not file : /www/backups/Database.xml Last thing, I can't test files with pathinfo(), because of this function returns for "test.xml\0" : array(2) { ["dirname"]=> string(5) "../.." ["basename"]=> string(10) "test.xml\0" } So there is a problem if the files are in the same directory as PHP files...