Posted By

berkes on 01/03/07


Tagged

php security FileSystem



Writing secure


 / Published in: PHP
 

URL: http://www.php.net/manual/en/security.filesystem.php

(A) It is better not to create files or folders with user-supplied names. If you do not validate them thoroughly, you can run into trouble. Instead, create files and folders with randomly generated names like fg3754jk3h, and store the username together with this file or folder name in a table named, say, user_objects. This ensures that whatever the user types, the command going to the shell contains values from a specific set only, and no mischief can be done.

(B) The same applies to commands executed based on an operation that the user chooses. It is better not to allow any part of the user's input into the command that you will execute. Instead, keep a fixed set of commands and, based on what the user has input, run only those.

For example, (A) keep a table named, say, user_objects with values like:

    username|chosen_name   |actual_name|file_or_dir
    --------|--------------|-----------|-----------
    jdoe    |trekphotos    |m5fg767h67 |D
    jdoe    |notes.txt     |nm4b6jh756 |F
    tim1997 |imp_ folder   |45jkh64j56 |D

and always use the actual_name in filesystem operations rather than the user-supplied names.

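    <?php
    // Read the requested operation and target; both are untrusted input.
    $op  = $_POST['op'] ?? '';       // after a lot of validations
    $dir = $_POST['dirname'] ?? '';  // after a lot of validations, or maybe you can use technique (A)

    // Only operations from this fixed set ever run; user input never becomes a command.
    switch ($op) {
        case "cd":
            chdir($dir);
            break;
        case "rd":
            rmdir($dir);
            break;
        // ... further fixed operations go here
        default:
            // Anything outside the fixed set is reported.
            mail("[email protected]", "Mischief", $_SERVER['REMOTE_ADDR'] . " is probably attempting an attack.");
    }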
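
Technique (A) as an added example, not part of the original snippet: user-chosen names live only in the user_objects table, and every filesystem call uses the random actual_name. The helper names (openStore, createObject, resolveObject), the in-memory SQLite store via PDO (requires the pdo_sqlite extension) and the temporary base directory are assumptions.

```php
<?php
// Added example; helper names, the SQLite store and $baseDir are assumptions.

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user_objects (
        username TEXT NOT NULL, chosen_name TEXT NOT NULL,
        actual_name TEXT NOT NULL UNIQUE, file_or_dir TEXT NOT NULL,
        PRIMARY KEY (username, chosen_name))');
    return $db;
}

// Create a file ('F') or directory ('D') for $user under a random on-disk name.
function createObject(PDO $db, string $baseDir, string $user, string $chosen, string $type): string {
    if ($type !== 'F' && $type !== 'D') {
        throw new InvalidArgumentException('type must be F or D');
    }
    $actual = bin2hex(random_bytes(8)); // 16 hex characters, never user-controlled
    $stmt = $db->prepare('INSERT INTO user_objects VALUES (?, ?, ?, ?)');
    $stmt->execute([$user, $chosen, $actual, $type]); // chosen name is bound data only
    $path = $baseDir . '/' . $actual;
    $ok = $type === 'D' ? mkdir($path, 0700) : touch($path);
    if (!$ok) {
        throw new RuntimeException('could not create object');
    }
    return $actual;
}

// Map (user, chosen name) to the on-disk path, or null if that user owns no such object.
function resolveObject(PDO $db, string $baseDir, string $user, string $chosen): ?string {
    $stmt = $db->prepare('SELECT actual_name FROM user_objects
                          WHERE username = ? AND chosen_name = ?');
    $stmt->execute([$user, $chosen]);
    $actual = $stmt->fetchColumn();
    return $actual === false ? null : $baseDir . '/' . $actual;
}

// Constructed demo: a hostile chosen name is stored, but never becomes a path.
$baseDir = sys_get_temp_dir() . '/objs_' . bin2hex(random_bytes(4));
mkdir($baseDir, 0700);
$db = openStore();
createObject($db, $baseDir, 'jdoe', 'trekphotos', 'D');
createObject($db, $baseDir, 'jdoe', '../../etc/passwd', 'F');

$path = resolveObject($db, $baseDir, 'jdoe', '../../etc/passwd');
echo dirname($path) === $baseDir ? "stays inside base dir\n" : "escaped base dir\n";
// Another user's chosen name does not resolve for tim1997.
var_dump(resolveObject($db, $baseDir, 'tim1997', 'trekphotos'));
```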
