[geeklog-devel] Testing of getimage.php

Tony Bibbs tony at tonybibbs.com
Thu Jan 8 09:21:40 EST 2004


Good ideas, I'll put those in.  Hey, I'm not sure where the module API 
stuff for GL2 is but could you update me where we left off?

--Tony

Vincent Furia wrote:
> Tony,
> 
> I'd recommend using the php function "basename()" on the $image 
> variable.  That way there will be no way to sneak a path in...  Also, 
> check to see if those $_CONF variables are empty. If not I could see 
> that causing some problems in the future.  Also, for future reference, 
> rather than checking for ".." in a pathname you can use the "realpath()" 
> function to resolve "..", ".", and symbolic links to the actual path to 
> a file.
> 
> Hope this helps.
> 
> -Vinny
> 
> Dirk Haun wrote:
> 
>> Tony,
>>
>>> My only real issue with what I have done is security.  I'm worried 
>>> that it may be possible to hack the getstring in a way that may allow 
>>> access to unrestricted files.
>>
>> Since you're including lib-common.php in the very first line, which then
>> goes on to include config.php (all with hard-coded paths), it would
>> overwrite whatever path was passed in the URL. So that shouldn't be a 
>> problem.
>>
>> The only issue would come up if someone doesn't have the
>> $_CONF['path_images'] defined in their config.php (e.g. because they were
>> using an old copy). But that would probably be noticed before any hacking
>> attempts ...
>>
>>> and I am checking for '..' in the image name for someone that may try 
>>> using relative paths
>>
>> That certainly can't hurt.
>>
>>> If you get a chance, give it a try.
>>
>> Haven't tried it yet, the above were just thoughts after looking at the
>> source.
>>
>> bye, Dirk
> 
> 
> _______________________________________________
> geeklog-devel mailing list
> geeklog-devel at lists.geeklog.net
> http://lists.geeklog.net/listinfo/geeklog-devel
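The thread above recommends three things for getimage.php: refuse to run when $_CONF['path_images'] is empty, strip directory components with basename(), and resolve the result with realpath() instead of grepping for "..". The following is an added example, written for this page and not Geeklog's own getimage.php, that puts the bare ".." check next to that hardened version and runs both against a constructed temporary directory. The function names, the $conf array standing in for $_CONF, and the fixture layout are assumptions made for the demonstration; it needs PHP 7.1 or later.

```php
<?php
// Added example, not Geeklog's getimage.php.  It contrasts a bare ".."
// substring check with the basename()/realpath() approach suggested in the
// thread.  Function names, the $conf array and the temp directory layout
// are assumptions made for this demonstration.

// Weak version: only rejects "..", then trusts the rest of the string.
function resolve_image_weak(array $conf, string $image): ?string
{
    if (strpos($image, '..') !== false) {
        return null;
    }
    // If $conf['path_images'] is empty (old config.php), this degenerates
    // to '/' . $image: an absolute path chosen by the requester.
    return ($conf['path_images'] ?? '') . '/' . $image;
}

// Hardened version: empty-config check, basename(), realpath() containment.
function resolve_image(array $conf, string $image): ?string
{
    // 1. Refuse to serve anything if the base directory is not configured.
    if (empty($conf['path_images'])) {
        return null;
    }
    $base = realpath($conf['path_images']);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // 2. basename() drops every directory component, so "../../etc/passwd",
    //    "/etc/passwd" and "sub/x.png" all collapse to their last segment.
    $name = basename($image);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // 3. realpath() resolves ".", ".." and symlinks and returns false for a
    //    missing file; the prefix test catches a symlink inside path_images
    //    that points somewhere outside it.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: an images directory with one real image and one
// symlink that escapes it, plus a file outside the directory.
$root   = sys_get_temp_dir() . '/getimage_demo_' . getmypid();
$images = $root . '/images';
mkdir($images, 0700, true);
file_put_contents($images . '/logo.png', 'not really a PNG');
file_put_contents($root . '/secret.txt', 'outside the images directory');
symlink($root . '/secret.txt', $images . '/escape.txt');

$cases = [
    // [config, requested image name]
    [['path_images' => $images], 'logo.png'],
    [['path_images' => $images], 'escape.txt'],      // symlink out of path_images
    [['path_images' => $images], 'sub/../logo.png'], // harmless, but the ".." check rejects it
    [['path_images' => ''],      'etc/passwd'],      // empty path_images, no ".." needed
];

foreach ($cases as list($conf, $image)) {
    printf("%-18s weak=%-45s hardened=%s\n",
        $image,
        var_export(resolve_image_weak($conf, $image), true),
        var_export(resolve_image($conf, $image), true));
}

// Clean up the fixture.
unlink($images . '/escape.txt');
unlink($images . '/logo.png');
unlink($root . '/secret.txt');
rmdir($images);
rmdir($root);
```

Run it with `php getimage_demo.php`. The weak resolver lets the symlink case and the empty-config case through while rejecting the harmless `sub/../logo.png`; the hardened one does the opposite. Two details matter in practice: basename() alone already stops the traversal, but only realpath() plus the prefix comparison catches a file inside path_images that links elsewhere, and whatever later reads the image must open the $path returned by the check rather than re-concatenating the user-supplied name.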
