Include security?

Hi,

Code:

=========

ob_start();
switch ($this->command)
{
case 'include':
@include($x);
break;
default:
@readfile($x);
}
$data = ob_get_contents();
ob_end_clean();

=========

The above code snippet is used in a class which would allow developers
(of a specific CMS) to include files without having to put php include
tags on the template view.

The include path will be using the server root path, and the include
files will probably be stored above the web root.

My question:

What would be the best way to "clean" and secure the include string?

Maybe something along these lines (untested):

$invalidChars=array(".","\\","\"",";"); // things to remove.
$include_file = strtok($include_file,'?'); // No need for query string.
$include_file=str_replace($invalidChars,"",$include_file);

What about checking to make sure the include path is root relative,
vs. http://...?

What do ya'll think? Any suggestions?

Many thanks in advance!

Cheers,
Micky

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Include security?

if allow_url_include is turned off, you don't have to worry much about http=
,
if '.' is a invalide char, you can't include *.php...
the include path probably should be the inc(whatever the name)
folder(not accessible from web) instead of the web root and '..'
should be disallowed

On Fri, Apr 16, 2010 at 4:09 PM, Micky Hulse w=
rote:
> Hi,
>
> Code:
>
> =========3D
>
> ob_start();
> switch ($this->command)
> {
> =A0 =A0 =A0 case 'include':
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 @include($x);
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 break;
> =A0 =A0 =A0 default:
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 @readfile($x);
> }
> $data =3D ob_get_contents();
> ob_end_clean();
>
> =========3D
>
> The above code snippet is used in a class which would allow developers
> (of a specific CMS) to include files without having to put php include
> tags on the template view.
>
> The include path will be using the server root path, and the include
> files will probably be stored above the web root.
>
> My question:
>
> What would be the best way to "clean" and secure the include string?
>
> Maybe something along these lines (untested):
>
> $invalidChars=3Darray(".","\\","\"",";"); // things to remove.
> $include_file =3D strtok($include_file,'?'); // No need for query string.
> $include_file=3Dstr_replace($invalidChars,"",$include_file);
>
> What about checking to make sure the include path is root relative,
> vs. http://...?
>
> What do ya'll think? Any suggestions?
>
> Many thanks in advance!
>
> Cheers,
> Micky
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Include security?

> if allow_url_include is turned off, you don't have to worry much about http,
> if '.' is a invalide char, you can't include *.php...
> the include path probably should be the inc(whatever the name)
> folder(not accessible from web) instead of the web root and '..'
> should be disallowed

Hi Ryan! Many thanks for your help, I really appreciate it. :)

How does this look:



How could my code be improved?

Thanks again for the help, I really appreciate it. :)

Cheers,
Micky

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php