Sanitize Path for PHP-Nuke

// Sanitize Path code from "Beginning PHP 4", ISBN: 1-861003-73-0
// Provided by http://nukecops.com - IACOJ
// Code prevents directory traversal, and is best placed in the mainfile.php.
// USAGE: SanitizePath("../../../../config.php");
// Returns "config.php" with the path traversal removed. Assign the result to a
// fresh variable and use that in place of the raw input.
function SanitizePath($inpath) {
    // Strip runs of two or more dots (the ".." traversal sequence)
    $outpath = ereg_replace("\.[\.]+", "", $inpath);
    // Strip leading slashes so the path cannot be absolute
    $outpath = ereg_replace("^[\/]+", "", $outpath);
    // Strip a leading Windows drive prefix such as "C:\" or "C|/"
    $outpath = ereg_replace("^[A-Za-z][:\|][\/]?", "", $outpath);
    return($outpath);
}
This is a code snippet from "Beginning PHP 4", ISBN: 1-861003-73-0. It was located by IACOJ and is something we need to start integrating into mainfile.php. I'll be passing this, or something similar, to Francisco. Once this code or an equivalent is implemented, developers can start using it in blocks, modules, addons, etc., which would help to prevent directory path traversal.
Posted on Friday, October 31 @ 12:38:46 CET by Zhen-Xjell
Re: Sanitize Path for PHP-Nuke (Score: 1) by RedGerry on Friday, October 31 @ 15:14:34 CET http://redgerry.com
Well one thing it is doing is making the Nuke homepage ridiculously wide...
Re: Sanitize Path for PHP-Nuke (Score: 1) by checksum on Friday, October 31 @ 15:35:52 CET
lol
Re: Sanitize Path for PHP-Nuke (Score: 1) by VinDSL on Friday, October 31 @ 20:24:50 CET http://www.lenon.com/
Hrm... Interesting... Backslash expressions don't look right though. I assume this is for usage on Windows machines. How about this instead?

function SanitizePath($inpath)
{
    $outpath = ereg_replace("\.[\.]+", "", $inpath);
    $outpath = ereg_replace("^[\\/]+", "", $outpath);
    $outpath = ereg_replace("^[A-Za-z][:|][\\/]?", "", $outpath);
    return($outpath);
}
Re: Sanitize Path for PHP-Nuke (Score: 1) by VinDSL on Friday, October 31 @ 20:29:42 CET http://www.lenon.com/
Hrm... That's even more interesting... The backspace expression disappears when you post the message here. Okay, let's try it this way:
[ /] should be [\ /] no?
Okay, let's try it again...
Re: Sanitize Path for PHP-Nuke (Score: 1) by VinDSL on Friday, October 31 @ 20:32:26 CET http://www.lenon.com/
Hahahaha... It happened again! The first backslash keeps disappearing.
Okay, let's try this:
[\ /] should be [\ /]
Re: Sanitize Path for PHP-Nuke (Score: 1) by VinDSL on Friday, October 31 @ 20:34:02 CET http://www.lenon.com/
OMG! This isn't working at all. Forget it... :(
I guess that's why your code looks screwy too!
Re: Sanitize Path for PHP-Nuke (Score: 1) by VinDSL on Friday, October 31 @ 20:37:29 CET http://www.lenon.com/
Test:
1 backslash [ /]
2 backslashes [\ /]
3 backslashes [\ /]
4 backslashes [\\ /]
5 backslashes [\\ /]
Re: Sanitize Path for PHP-Nuke (Score: 1) by VinDSL on Saturday, November 01 @ 00:43:25 CET http://www.lenon.com/
It removes potentially dangerous substrings from within a file path, to prevent a user from attempting to open a file or directory that's beneath the relative root of the executing script.
Re: Sanitize Path for PHP-Nuke (Score: 1) by chris-au on Sunday, November 02 @ 02:51:54 CET http://sengers-au.com
I do (and did) understand that.
However, there could be (and in my case are) instances of having a script call a folder/file, what you call beneath, the relative root.
I have many modules that are accessed by more than one site and they are beneath the root of all of them.
Coding that bit of script, say in mainfile.php, would stop all that in its tracks.
Re: Sanitize Path for PHP-Nuke (Score: 1) by Jeruvy on Sunday, November 02 @ 10:21:13 CET
If I may... it's trying to remove strings that look like directory traversals and pass simply a name, as the example states. However, I'm looking at that code and thinking... that isn't going to work.
Unfortunately I believe the solution is to understand what 'looks' like a proper request, and what 'isn't', and allow the 'looks' good to pass the sanitizer without being scrubbed. Of course this brings problems too... as someone could try to craft a tag that looks good and isn't, but if a clear standard for tags could be established it could reduce the potential for damage considerably.
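An added example (not code from the post or from PHP-Nuke) that puts the two approaches in the thread side by side: the original post's three ereg_replace() scrubs translated to Python, and the allowlist check Jeruvy argues for, which canonicalises the candidate against a set of permitted roots instead of deleting suspicious substrings. The directory layout (a site/modules directory plus a shared module directory one level up, the situation chris-au describes) is constructed in a temp directory for the demo.

```python
import os
import re
import shutil
import tempfile

# Python translation of the three ereg_replace() patterns from the post.
# In a POSIX bracket expression a backslash is literal, so "[\.]" matches a
# dot OR a backslash; the translation keeps that behaviour deliberately.
_SCRUB = [
    re.compile(r"\.[.\\]+"),             # "\.[\.]+"            : ".." runs
    re.compile(r"^[/\\]+"),              # "^[\/]+"             : leading slashes
    re.compile(r"^[A-Za-z][:|][/\\]?"),  # "^[A-Za-z][:\|][\/]?": drive prefix
]


def sanitize_path(inpath):
    """Blacklist scrub: delete anything that looks like traversal."""
    outpath = inpath
    for pattern in _SCRUB:
        outpath = pattern.sub("", outpath)
    return outpath


def resolve_under(base_dirs, candidate):
    """Allowlist check: resolve the candidate against each permitted root and
    accept it only if the canonical result is still inside that root.
    Returns the resolved path, or None when no root contains it."""
    for base in base_dirs:
        real_base = os.path.realpath(base)
        real_path = os.path.realpath(os.path.join(real_base, candidate))
        if os.path.commonpath([real_base, real_path]) == real_base:
            return real_path
    return None


def demo():
    """Constructed tree: <tmp>/site/modules runs the script, <tmp>/shared holds
    modules used by several sites, <tmp>/site/config.php must stay unreachable."""
    root = tempfile.mkdtemp()
    modules = os.path.join(root, "site", "modules")
    shared = os.path.join(root, "shared")
    os.makedirs(modules)
    os.makedirs(shared)
    results = {
        "scrub_traversal": sanitize_path("../../../../config.php"),   # post's example
        "scrub_shared": sanitize_path("../shared/module.php"),        # legit path, rewritten to a different file
        "allow_traversal": resolve_under([modules, shared], "../config.php"),  # rejected: outside both roots
        "allow_shared": resolve_under([modules, shared], "../shared/module.php"),  # accepted via the shared root
    }
    shutil.rmtree(root)
    return results
```

The scrub turns a traversal into a bare name as the post says, but it also silently turns a legitimate cross-site path into a different file; the allowlist check rejects the traversal and lets the explicitly permitted root through unchanged.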