Filenames
It's fairly easy to construct a filename that refers to something other than what you intended. For example, say you have a $username variable that contains the name the user wants to be called, which the user has specified through a form field. Now let's say you want to store a welcome message for each user in the directory /usr/local/lib/greetings, so that you can output the message any time the user logs into your application. The code to print the current user's greeting is:
<?php include("/usr/local/lib/greetings/$username") ?>
This seems harmless enough, but what if the user chose the username "../../../../etc/passwd"? The code to include the greeting now includes /etc/passwd instead. Relative paths are a common trick used by hackers against unsuspecting scripts.
Another trap for the unwary programmer lies in the way that, by default, PHP can open remote files with the same functions that open local files. The fopen() function and anything that uses it (e.g., include() and require()) can be passed an HTTP or FTP URL as a filename, and the document identified by the URL will be opened. Here's some exploitable code:
<?php chdir("/usr/local/lib/greetings"); $fp = fopen($username, "r"); ?>
If $username is set to "http://www.example.com/myfile", a remote file is opened, not a local one.
The situation is even more dire if you let the user tell you which file to include():
<?php $file = $_REQUEST['theme']; include($file); ?>
If the user passes a theme parameter of ...
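The three cases above (the greeting include, the fopen() call, and the user-chosen theme) all fail the same way: untrusted input is used as a path without being constrained. The following added example is not the book's code; it places the vulnerable greeting include next to a hardened version and assumes the greetings directory and theme names shown, which are hypothetical.

```php
<?php
// Added example (not from the book). GREETINGS_DIR and the theme names are hypothetical.
declare(strict_types=1);

const GREETINGS_DIR = '/usr/local/lib/greetings';
const THEMES = ['light', 'dark'];   // the only themes this site ships

// Vulnerable form from the text: $username flows straight into the path, so
// "../../../../etc/passwd" escapes the directory and "http://..." reaches out remotely.
function showGreetingUnsafe(string $username): void
{
    include(GREETINGS_DIR . "/$username");
}

// Hardened: validate the name, then confirm the resolved path stays inside the directory.
function greetingPath(string $username): ?string
{
    // 1. A conservative character set alone rejects "/", "..", ":" and "http://".
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $username)) {
        return null;
    }
    // 2. realpath() collapses "." / ".." and symlinks; it returns false for a missing
    //    file, which we treat as "no greeting" rather than an error.
    $base = realpath(GREETINGS_DIR);
    $path = realpath(GREETINGS_DIR . '/' . $username);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment check: the resolved file must sit below the greetings directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // a symlink inside the directory pointed elsewhere
    }
    return $path;
}

function showGreeting(string $username): void
{
    $path = greetingPath($username);
    // Read and escape the greeting as data; include() would execute any PHP inside it.
    echo $path === null ? "Welcome!\n" : htmlspecialchars(file_get_contents($path));
}

// For the theme case, do not build a path from the request at all: map the
// parameter onto a fixed list and include only a file you named yourself.
function themeFile(string $requested): string
{
    $theme = in_array($requested, THEMES, true) ? $requested : 'light';
    return __DIR__ . "/themes/$theme.php";
}
// Remote wrappers are closed off for include() by allow_url_include=Off (the default);
// set allow_url_fopen=Off as well if fopen() never needs to fetch URLs.
```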