PHP include security

Hi,

Code:

=========

ob_start();
switch ($this->command)
{
case 'include':
@include($x);
break;
default:
@readfile($x);
}
$data = ob_get_contents();
ob_end_clean();

=========

The above code snippet is used in a class which would allow developers
(of a specific CMS) to include files without having to put php include
tags on the template view.

The include path will be using the server root path, and the include
files will probably be stored above the web root.

My question:

What would be the best way to "clean" and secure the include string?

Maybe something along these lines (untested):

$invalidChars=array(".","\\","\"",";"); // things to remove.
$include_file = strtok($include_file,'?'); // No need for query string.
$include_file=str_replace($invalidChars,"",$include_file);

What about checking to make sure the include path is root relative,
vs. http://...?

What do ya'll think? Any suggestions?

Many thanks in advance!

Cheers,
Micky

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: PHP include security

--0016e6d78421ec570704846bc7c6
Content-Type: text/plain; charset=UTF-8

On 16 April 2010 06:57, Micky Hulse wrote:

> Hi,
>
> -snip-
>
> The above code snippet is used in a class which would allow developers
> (of a specific CMS) to include files without having to put php include
> tags on the template view.
>
> The include path will be using the server root path, and the include
> files will probably be stored above the web root.
>
> My question:
>
> What would be the best way to "clean" and secure the include string?
>
> Maybe something along these lines (untested):
>
> $invalidChars=array(".","\\","\"",";"); // things to remove.
> $include_file = strtok($include_file,'?'); // No need for query string.
> $include_file=str_replace($invalidChars,"",$include_file);
>
> What about checking to make sure the include path is root relative,
> vs. http://...?
>
> What do ya'll think? Any suggestions?
>
> Many thanks in advance!
>
> Cheers,
> Micky
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
Hi,

It depends. What's exactly do you want to prevent? It doesn't seem like a
very big problem if someone tries to include an improper adderss or
nonexistent file, since that would simply make $data an empty string
(depending on your level of error reporting and whether you display or hide
warnings). If the included file decides to call ob_get_clean() or something
like that $data will be false. I can't think of what else you realistically
want to prevent.

Building a page with multiple templates is best done by using a good
template class. Allowing the inclusion of external PHP files from a CMS will
pose a risk if non-developers have access to the CMS as well. You're
basically allowing anyone to add (potentially untested) code to a live site
and I would recommend against doing it. If you want people to be able to
include, say, additional HTML content, use file_get_contents() instead.

Michiel

--0016e6d78421ec570704846bc7c6--

Re: PHP include security

Hi Michiel! Thanks for the help, I really appreciate it. :)

> It depends. What's exactly do you want to prevent? It doesn't seem like a
> ......
> include, say, additional HTML content, use file_get_contents() instead.

Very good points. My goal was to write a plugin that would allow me to
include some static HTML template file and get the
tags out of my CMS template. With that said, I think the only people
using this code will be the developers of the templates, and not your
standard user.

I opted to use output buffering and readfile() for the speed, and
include() would be an option if developers want to execute the code in
the included file.

Would file_get_contents() be faster than readfile and output
buffering? Would using file_get_conents() and eval() be faster than
using include() and output buffering?

Without boring you all to death, I am mostly interested in learning
new stuff! I actually don't think anyone will use this code other than
myself. :D

But I definitely agree with all your points.

Thanks so much for you help!

Have a great day!
Cheers,
Micky

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: PHP include security

> What do ya'll think? Any suggestions?

Sorry for the duplicate posting... I had some problems signing-up for
the list. :(

Also, I moved my test code to sniplr:



TIA!

Cheers
M

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: PHP include security

--0016e6d464cc36d7b90484861ba9
Content-Type: text/plain; charset=UTF-8

On 18 April 2010 02:08, Micky Hulse wrote:

> Hi Michiel! Thanks for the help, I really appreciate it. :)
>
> > It depends. What's exactly do you want to prevent? It doesn't seem like a
> > ......
> > include, say, additional HTML content, use file_get_contents() instead.
>
> Very good points. My goal was to write a plugin that would allow me to
> include some static HTML template file and get the
> tags out of my CMS template. With that said, I think the only people
> using this code will be the developers of the templates, and not your
> standard user.
>
> I opted to use output buffering and readfile() for the speed, and
> include() would be an option if developers want to execute the code in
> the included file.
>
> Would file_get_contents() be faster than readfile and output
> buffering? Would using file_get_conents() and eval() be faster than
> using include() and output buffering?
>

I would prefer to use include() since it runs the code in the same context,
and using both file_get_contents() and eval() is a bit of a detour. eval()
also tends to be a lot slower than included code (though I'm not exactly
sure how slow).

I'm also not entirely sure whether file_get_contents() is slower than
readfile(), but file_get_contents() is useful if you want to do something
with your data rather than printing it right away.

Michiel

--0016e6d464cc36d7b90484861ba9--

Re: PHP include security

On Sun, Apr 18, 2010 at 10:23 AM, Michiel Sikma wrote:
> I would prefer to use include() since it runs the code in the same context,
> ......
> with your data rather than printing it right away.

Thanks for the reply Michiel, I really appreciate it. :)

For some benchmarks on the different types of inclusion
functions/language constructs, this page has some good info:



The results are interesting.

Thanks again! Have an excellent day.

Cheers,
Micky

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: PHP include security

--0016e65b611461b1ec0484940efa
Content-Type: text/plain; charset=UTF-8

On 18 April 2010 21:43, Micky Hulse wrote:

> On Sun, Apr 18, 2010 at 10:23 AM, Michiel Sikma
> wrote:
> > I would prefer to use include() since it runs the code in the same
> context,
> > ......
> > with your data rather than printing it right away.
>
> Thanks for the reply Michiel, I really appreciate it. :)
>
> For some benchmarks on the different types of inclusion
> functions/language constructs, this page has some good info:
>
>
>
> The results are interesting.
>
>
One thing to keep in mind is that this one doesn't take eval() vs regular
include execution time into account, in case you were still considering
using it. According to this page, it's many times slower:
http://blog.joshuaeichorn.com/archives/2005/08/01/using-eval -in-php/

Michiel

--0016e65b611461b1ec0484940efa--

Re: PHP include security

Hi Michiel!

> One thing to keep in mind is that this one doesn't take eval() vs regular
> include execution time into account, in case you were still considering
> using it. According to this page, it's many times

I was still considering it... I mean, I am still exploring all my
options for the sake of the learning/coding experience.

> slower: http://blog.joshuaeichorn.com/archives/2005/08/ 01/using-eval=
-in-php/

Oh! Nice!

[[

The speed of eval
Besides security concerns eval also has the problem of being
incredibly slow. In my testing on PHP 4.3.10 its 10 times slower then
normal code and 28 times slower on PHP 5.1 beta1. This means if you
have to use eval, you should avoid using it inline in any performance
sensitive code. Any easy way to cancel the performance penality is to
create a function in eval and just call that, now an extra function
call does have some performance overhead but its pretty small and
depending on the design can be non-existant since you would be calling
some function anyway.

]]

Interesting. Great read. Thanks for linkage.

[ot] The article also mentions variable functions... I have never used
those before. They look very useful, esp. for a function callback.
Learn something new every day! :) [/ot]

Thanks again for you help Michiel! I really appreciate it. :)

Have a great day!

Cheers,
Micky

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php