[geeklog-devel] Testing of getimage.php
Tony Bibbs
tony at tonybibbs.com
Thu Jan 8 09:21:40 EST 2004
Good ideas, I'll put those in. Hey, I'm not sure where the module API
stuff for GL2 is but could you update me where we left off?
--Tony
Vincent Furia wrote:
> Tony,
>
> I'd recommend using the php function "basename()" on the $image
> variable. That way there will be no way to sneak a path in... Also,
> check to see if those $_CONF variables are empty. If not I could see
> that causing some problems in the future. Also, for future reference,
> rather than checking for ".." in a pathname you can use the "realpath()"
> function to resolve "..", ".", and symbolic links to the actual path to
> a file.
>
> Hope this helps.
>
> -Vinny
>
> Dirk Haun wrote:
>
>> Tony,
>>
>>> My only real issue with what I have done is security. I'm worried
>>> that it may be possible to hack the getstring in a way that may allow
>>> access to unrestricted files.
>>
>> Since you're including lib-common.php in the very first line, which then
>> goes on to include config.php (all with hard-coded paths), it would
>> overwrite whatever path was passed in the URL. So that shouldn't be a
>> problem.
>>
>> The only issue would come up if someone doesn't have the
>> $_CONF['path_images'] defined in their config.php (e.g. because they were
>> using an old copy). But that would probably be noticed before any hacking
>> attempts ...
>>
>>> and I am checking for '..' in the image name for someone that may try
>>> using relative paths
>>
>> That certainly can't hurt.
>>
>>> If you get a chance, give it a try.
>>
>> Haven't tried it yet, the above were just thoughts after looking at the
>> source.
>>
>> bye, Dirk
>
> _______________________________________________
> geeklog-devel mailing list
> geeklog-devel at lists.geeklog.net
> http://lists.geeklog.net/listinfo/geeklog-devel
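The three suggestions in the thread (basename() on the image name, a check that the $_CONF directory is actually set, and realpath() instead of scanning for "..") combine into one containment check. The snippet below is an added example written for this archive, not Geeklog's getimage.php; it assumes only that config.php normally provides $_CONF['path_images'], and the temporary directory and file names in the usage part are constructed.

```php
<?php
// Added example, not Geeklog code: resolve a user-supplied image name to a
// file that is guaranteed to live inside $_CONF['path_images'].
// Returns the resolved path, or null if the request must be refused.
function resolve_image_path(array $conf, string $image): ?string
{
    // Refuse to run with an unset or empty base directory: an empty prefix
    // would make every name resolve relative to the current working
    // directory, which is the "check those $_CONF variables" point above.
    if (empty($conf['path_images'])) {
        return null;
    }

    // realpath() (PHP 8) raises ValueError on embedded NUL bytes; reject
    // them up front instead of letting the request error out half way.
    if (strpos($image, "\0") !== false) {
        return null;
    }

    // basename() drops every directory component, so "../x.gif" and
    // "/somewhere/x.gif" both collapse to the bare file name "x.gif".
    $name = basename($image);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // realpath() resolves "..", "." and symbolic links on the base directory
    // and on the candidate; the candidate must still start with the base.
    $base = realpath($conf['path_images']);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $full = realpath($base . $name);
    if ($full === false || strncmp($full, $base, strlen($base)) !== 0) {
        // File does not exist, or it is a symlink pointing outside the base.
        return null;
    }
    return $full;
}

// Usage with a constructed temporary directory standing in for
// $_CONF['path_images'] (assumption: config.php is not loaded here).
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gl_images_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'logo.gif', 'GIF89a');
$_CONF = array('path_images' => $tmp);

var_dump(resolve_image_path($_CONF, 'logo.gif') !== null);            // bool(true)
var_dump(resolve_image_path($_CONF, '../../outside.txt'));            // NULL
var_dump(resolve_image_path($_CONF, 'sub/../logo.gif') !== null);     // bool(true): basename keeps "logo.gif"
var_dump(resolve_image_path(array('path_images' => ''), 'logo.gif')); // NULL: empty base directory

unlink($tmp . DIRECTORY_SEPARATOR . 'logo.gif');
rmdir($tmp);
```

Note that basename() alone already neutralises "..", so the realpath() comparison mainly guards against the case the thread does not discuss directly: a file inside the images directory that is itself a symbolic link to something outside it.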