1
The use of the function dirname(__FILE__)
or the magic constant __DIR__
is appropriately safe to prevent a local file inclusion or a remote file inclusion in a require()
receiving parameters per GET?
There is a solution to this problem?
1
The use of the function dirname(__FILE__)
or the magic constant __DIR__
is appropriately safe to prevent a local file inclusion or a remote file inclusion in a require()
receiving parameters per GET?
There is a solution to this problem?
1
Setting the absolute path to directories avoids accessing other folders?
No. Because if the "attacker" puts ../
, knowing the file path, it may access an unwanted directory in any way.
That is, for the following structure below:
app/
database.php
web/
index.php
pages/
home.php
contact.php
If the web/index.php
is the "root" of your application, but the malicious user put the ?page=../app/database.php
, he would theoretically be doing with what PHP does include
normally.
For you to understand. All this below results in the same operation
include 'app/database.php';
include __DIR__ . '/app/database.php'
#supondo que estamos na pasta 'web'
include __DIR__ . '../app/database.php';
Note that providing an absolute name for the root directory of a particular directory or file does not prevent other files (outside of it) from being accessed.
In this case, I find it very appropriate that, for loading pages through get
, perform functions with specific treatments.
Example:
function page_include($page)
{
if (strpos($page, '..') !== false) {
throw new Exception("Caractere inválido detectado");
}
include WEB_DIRECTORY . '/pages/' . $page;
}
Maybe this is something basic. You could include other checks, avoiding attacks.
Remote file inclusion (remote file inclusion)
allow_url_include
is a configuration that allows you to use the include
in urls (which I don’t think is good at all). On this I recommend that you disable the configuration allow_url_include
, because in that case, allowing such a configuration is to give your hands-kissed application in the hand of malicious people.
PHP Injection
It is another common problem involving files or folders in PHP. Read about it here: What is PHP Injection? What is its difference to SQL Injection? And how to avoid it?
And in case the user informed file:///etc/passwd
for example, there would not be two points to be caught in the "filter", but would that also work? I saw in an example of the book Pro PHP Security and it confused me.
@Renancavalieri have to take a look at the php Wrappers. Just a minute..
@Renancavalieri with file:///
can also put the ../
Yes, I say regarding your solution of putting an IF to bar the two points, in the case of the example I took from the book the string does not have the two points, so would not enter the IF.
Browser other questions tagged php
You are not signed in. Login or sign up in order to post.
Put, I started responding, but now that I’ve seen this "transversal directory" ...
– Wallace Maxters
It would be in case the user modifies the URL to put a " .. /.. /.. /.txt file" to get files that are not in the specified folder, but in above directories or even in remote directories.
– Renan Cavalieri