ansaurus

Question

Answer 1

+5 A:

The weakness in your current implementation is that …

the regular expression just tests the beginning of the string, so “images/../../secret” would pass, and
without further validation, “index” would also be a valid value and would cause a recursion.

To make your implementation safe, it’s a good practice to put everything, that’s intended to be included, in its own directory (e.g. “includes” and “templates”). Based on this, you just have to ensure that there is no way out of this directory.

if (preg_match('/^[a-z0-9]+$/', $_GET['page'])) {
    $page = realpath('includes/'.$_GET['page'].'.php');
    $tpl = realpath('templates/'.$_GET['page'].'.html');
    if ($page && $tpl) {
        include $page;
        include $tpl;
    } else {
        // log error!
    }
} else {
    // log error!
}

Note: realpath returns the absolute path to the given relative path if file exists and false otherwise. So file_exists is not necessary.

Gumbo 2009-02-08 01:37:46

Answer 2

+4 A:

Despite what you stated about not wanting to store a list of available pages in an array it is likely going to be the best, non-db, solution.

$availFiles = array('index.php', 'forum.php');
if(in_array($_GET['page'].".php", $availFiles))
 {
   //Good
 }
else
 {
   //Not Good
 }

You could easily build the array dynamicly with either DB queries or by reading a file, or even reading the contents of a directory and filtering out the things you don't want available.

Unkwntech 2009-02-08 01:48:53

WOW I posted this answer and refreshed and you had posted a comment already.. that was quick.

Unkwntech 2009-02-08 01:50:23

+1; reading directory contents and filtering out things is a good happy-medium

Rob 2009-02-08 02:47:50

Reading directory contents and filtering out things would be a reason I would return your app to you to fix the implementation. If you have 100,000 users are you going to continually read the file permissions? Cache it if your going to be this lazy and generate glue code or something to handle it.

Syntax 2009-02-08 11:18:36

I never said it was a good solution

Unkwntech 2009-02-08 23:05:57

Answer 3

A:

I agree with Unkwntech. This is such an insecure way to include files into your website, I wish PHP programmers would do away with it altogether. Even so, an array with all possible matches is certainly safer. However, You'll find that the MVC pattern works better and it is more secure. I'd download code igniter and take a tutorial or two, you'll love it for the same reason you wanna use dynamic includes.

Bretticus 2009-02-08 02:12:06

Answer 4

+1 A:

You should never use user supplied information for includes. You should always have some sort of request handler that does this for you. While a regular expression may filter somethings it will not filter everything.

If you do not want your site to get hacked you do not allow your users to control the flow of the application by designating an include.

Syntax 2009-02-08 11:15:47

ansaurus

tags:

views:

answers:

Dynamic Include Safety

related questions