[geeklog-devel] Testing of getimage.php

Dirk Haun dirk at haun-online.de
Wed Jan 7 13:52:33 EST 2004


Tony,

>My only real issue with what I have done is security.  I'm worried that 
>it may be possible to hack the getstring in a way that may allow access 
>to unrestricted files.

Since you're including lib-common.php in the very first line, which then
goes on to include config.php (all with hard-coded paths), it would
overwrite whatever path was passed in the URL. So that shouldn't be a problem.

The only issue would come up if someone doesn't have the
$_CONF['path_images'] defined in their config.php (e.g. because they were
using an old copy). But that would probably be noticed before any hacking
attempts ...


>and I am checking for '..' in the image name for someone that 
>may try using relative paths

That certainly can't hurt.


>If you get a chance, give it a try.

Haven't tried it yet, the above were just thoughts after looking at the
source.

bye, Dirk


-- 
http://www.haun-online.de/
http://www.macosx-faq.de/
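A defender's path-containment check for a getimage.php-style script, as an added example that is not part of this thread or of the Geeklog code. The function name resolve_image_path is hypothetical; it assumes $_CONF['path_images'] names an existing directory and shows why the '..' test alone is only a first filter.

```php
<?php
// Added example (not Geeklog code): resolve a requested image name against
// $_CONF['path_images'] and refuse anything that does not end up inside it.

function resolve_image_path(string $name, string $base): ?string
{
    // An unset $_CONF['path_images'] (old config.php) must fail closed,
    // never fall back to the current working directory.
    if ($base === '' || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // The plain '..' check discussed on the list catches the obvious case,
    // but it says nothing about symlinks inside the image directory that
    // point elsewhere, so it is only a first filter here.
    if (strpos($name, '..') !== false) {
        return null;
    }
    // Canonicalise both sides so symlinks and '.' components are resolved.
    $realBase = realpath($base);
    $realFile = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($realBase === false || $realFile === false) {
        return null; // base directory or requested file does not exist
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // The resolved file must sit strictly inside the image directory.
    if (strncmp($realFile, $realBase, strlen($realBase)) !== 0) {
        return null;
    }
    return $realFile;
}

// Constructed usage in a getimage.php-style script:
// $path = resolve_image_path($_GET['image'] ?? '', $_CONF['path_images'] ?? '');
// if ($path === null) { header('HTTP/1.0 404 Not Found'); exit; }
// header('Content-Type: ' . mime_content_type($path));
// readfile($path);
```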




More information about the geeklog-devel mailing list