NYCPHP Meetup

[Mike Brittain]

>> Stefan Klopp wrote:
>>Now again this works for my current app, however I
>>very much fear doing a dynamic include. Can anyone
>>think of a better way to handle this?

> Mikko Rantalainen wrote:
> I'd fear the dynamic include also. For example, even the above 
> implementation a has possible security issue. If the user sends HTTP 
> request "GET /script.php/../file.css" you would end up with 
> $extra_path = ".." and $file = "file.css" and you would include 
> "../file.css", which I guess wouldn't be always safe.

Make sure that if you use this PATH_INFO approach that you carefully 
clean up the "input".  I found when doing this recently that a user can 
include quite a lot in the URL without the script being aware of 
troublesome stuff in the PATH_INFO.  For example...

/script.php/../../more/info/
/script.php/var1////var2/

Whether or not either of these might be trouble depends entirely on what 
data your script is expecting between the forward slashes that you get 
from preg_split.  Make sure that the input closely matches what you're 
expecting -- if it's supposed to be a numeric database ID, make sure 
that the data is ONLY numbers.  If it's a filename, make sure that it 
cannot be used to traverse your filesystem, etc.

Mike

-- 
Mike Brittain
ID Society, Inc.
www.idsociety.com