
PHP include() function question!

Superwormy

Golden Member
Is there a way to restrict the PHP include() and require() functions to a certain directory, or deny them access to a certain directory?

For instance, if I give the end-user any amount of control over what file gets included, there's a possibility that they could try to fudge with forms to include a file like:

../../my.cnf or ../../../boot.ini

Which could obviously give away some interesting information about a Windows machine and that MySQL database. Is there a way to not allow the user to include any file underneath a certain directory level? Or to restrict them to a certain directory for includes or...?

 
No, not as far as I know. What you could do, however, is write superwormy_include($filename) which would essentially be a wrapper to PHP's include. An overly primitive example:

function superwormy_include($filename)
{
    // prevent relative paths:
    if (stristr($filename, "..")) die("Invalid relative include");
    // prevent network includes (HUGE potential risk):
    elseif (stristr($filename, "http://") or stristr($filename, "ftp://")) die("Invalid network include");
    else {
        return include($filename);
    }
}

Note that this function is not yet secure, for one, it doesn't protect against absolute paths, and I'm sure there's a lot more. You ought to check for invalid paths, too, both ones containing illegal characters, and ones that simply point to non-existent files. And so on. Really, letting the user include stuff is not a very good idea. 🙂
 
Well, you could at least turn on safe mode.

That way, includes are checked to have the same UID/GID as the executing script.

Other than that, there is not much you can do, I am afraid.
 
Hmm ... would that help a whole lot? The users would still be able to access everything the webserver is able to, right? In most cases, that is, in other cases the user would be able to run everything PHP has access to. No?
 
Originally posted by: Moonbender
Hmm ... would that help a whole lot? The users would still be able to access everything the webserver is able to, right? In most cases, that is, in other cases the user would be able to run everything PHP has access to. No?

If you are responding to my post, then yes with the correct permissions the user would be able to access everything the webserver can, which would be not much. Under a chroot the user would not be able to get out of the chroot directory. But there definitely has to be a way to keep this from happening through php, even if it's as much of a kludge as filtering out all ../.., %255c(?)'s, etc.
 
well you can write a foo_include() which is a wrapper to include(), but what is stopping people from just using include()? or perhaps (i think i may have heard of this) there is a way to restrict which functions are available..

if you do end up doing it that way, i would think the easier way would be to define a list of acceptable include paths, and restrict everything not matching those, instead of individually filtering out ../ and whatnot.
 
Yeah I think I'll end up making a db table of allowed pages, and go by those. Guess that's the only really safe way.
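
The allow-list approach suggested in the last few posts, as an added example that is not code from anyone in this thread: the user supplies only a key, the key is looked up in a fixed list, and the resolved path is checked to sit inside one directory. The names resolve_page, PAGE_DIR, ALLOWED_PAGES and the page file names are assumptions made up for the illustration; a database table of allowed pages would take the place of the array.

```php
<?php
// Added example: helper name, directory and page list are hypothetical.

const PAGE_DIR = __DIR__ . '/pages';   // assumed directory holding includable files

// Allow-list: user-supplied key => file name inside PAGE_DIR (constructed sample).
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Resolve a user-supplied page key to an absolute path, or null if rejected.
function resolve_page(string $key, array $allowed = ALLOWED_PAGES, string $baseDir = PAGE_DIR): ?string
{
    // 1. The user never supplies a path, only a key looked up in the allow-list,
    //    so "../../my.cnf", absolute paths and http:// URLs all fail here.
    if (!array_key_exists($key, $allowed)) {
        return null;
    }

    // 2. Canonicalise both sides. realpath() resolves ".." and symlinks and
    //    returns false when the file does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment check: the canonical path must start with "<base>/".
    //    This catches a bad allow-list entry or a symlink pointing outside.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage: the request parameter must be a plain string (not an array).
$key  = $_GET['page'] ?? 'home';
$page = is_string($key) ? resolve_page($key) : null;
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```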
 