[nycphp-talk] Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?

Brian Williams brianw1975 at gmail.com
Tue Apr 7 23:58:07 EDT 2009


On Tue, Apr 7, 2009 at 10:34 PM, Konstantin Rozinov <krozinov at gmail.com> wrote:

> On Mon, Apr 6, 2009 at 12:47 AM, Brian Williams <brianw1975 at gmail.com>
> wrote:
> >
> > if his code had read:
> >
> > error_log(__FUNCTION__ . "($username): called.", 3, $log_file);
> >
> > I wouldn't have made any comment at all.
> >
> > If the backticked code were not in double quotes it would be executed and
> > the resulting output of the backticked code would be recorded to the log.
> >
>
> Brian,
>
> This is not true.  I tested what was discussed in this thread and here
> are the results.
>
> (1)
> If an attacker submits the following as the $username: `touch /tmp/fooooo`
> This will be outputted to the logfile: check_username(`touch
> /tmp/fooooo`): called.
> The attacker's input is not executed.  It is treated as a string.
>
> (2)
> If an attacker submits the following as the $username: <?php `touch
> /tmp/fooooo` ?>
> This will be outputted to the logfile: check_username(<?php `touch
> /tmp/fooooo` ?>): called.
> The attacker's input is not executed.  It is treated as a string.
>
> Only if I process the logfile with php -f <logfile> will the code in
> (2) actually execute.
> The code in (1) won't even run since it's outside the <?php ?> tags,
> but that's a minor point.
>
> Paul raises a good question about log processing software that might
> interpret and run the code....it seems that's where the real problem
> lies.
>
> Konstantin Rozinov



Ok, after bad examples, and all the hullabaloo, and being proven wrong about
said bad examples... what I say still stands:

Always check the data the user sent you - just check it in such a way that
is appropriate for your situation.

If you don't believe in that, then stop checking the data any user enters on
any of your forms, and don't worry about XSS or SQL injections, because
that's basically what Michael is saying: only escape user data before
inserting into the database.

I guess that would make form processing easier.

Insanity.
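
Added example, not part of the original thread: the error_log() call from the discussion with the username encoded for the log context before it is written, run over the two test inputs quoted above. The helper name log_encode(), its length limit and the temporary log file are assumptions made for this sketch.

```php
<?php
// Added example; log_encode() and the 256-byte limit are hypothetical choices.

/**
 * Encode a user-supplied value for a line-oriented text log.
 * Control characters, backslashes, backticks and angle brackets are written
 * as \xNN escapes, so each entry stays on one line and contains no "<?php"
 * tag even if the file is later handed to an interpreter (php -f <logfile>).
 */
function log_encode(string $value, int $max_len = 256): string
{
    $value = substr($value, 0, $max_len); // bound the size of one entry
    return preg_replace_callback(
        '/[\x00-\x1f\x7f<>`\\\\]/',
        fn(array $m): string => sprintf('\\x%02x', ord($m[0])),
        $value
    );
}

function check_username(string $username, string $log_file): void
{
    // Message type 3 appends the string to $log_file; nothing is evaluated.
    error_log(
        __FUNCTION__ . '(' . log_encode($username) . "): called.\n",
        3,
        $log_file
    );
}

// Constructed scratch file and sample inputs (the last two are the test
// strings quoted in the thread).
$log_file = tempnam(sys_get_temp_dir(), 'log');
$samples = [
    'alice',
    '`touch /tmp/fooooo`',
    '<?php `touch /tmp/fooooo` ?>',
];
foreach ($samples as $sample) {
    check_username($sample, $log_file);
}

echo file_get_contents($log_file); // one escaped line per call
unlink($log_file);
```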