04-01-2010, 02:43 PM
I'm just wondering if there are any security issues to consider when you're creating files from the input of a $_GET variable?
Btw.... I will be appending a ".dat" extension to the filename & won't be putting any data in the file so I assume there aren't any problems here, right? I'm just wondering about the possibility of someone putting in a URL or something.
04-01-2010, 03:53 PM
What happens if input includes an executable shebang line followed by processing code? Linux doesn't really care what the file extension is, only what it tells it it's allowed to do.
User input is never trustworthy. Depending on how you create the file and how PHP is configured, it's possible that a URL file can be provided, opened, parsed, and stored as its result. This is a huge danger.
Even allowing something like an image upload can be a threat. Script files can masquerade as other types, and if you allow this to be published publicly this will allow someone to execute say a .jpeg file as a .sh file if proper checks have not been performed.
First and foremost, always move any user-provided files to a sandboxed directory above your public_html / document root, whatever directory that Apache & PHP can access, but is not a published directory. This will help to limit the problems with executable file uploads. Also, make sure that chmod is run with -x for all types to eliminate executable privileges (open to at most 666, not 777).
04-01-2010, 06:58 PM
Well it's actually a file that a user shouldn't be using.... but I'm asking just in case a sneaky user stumbles across it & decides to have some fun with it.
So you're saying that even if I am not putting any of the user content IN the file & ONLY in the filename it's still a hazard?
04-01-2010, 07:02 PM
Perhaps I have mistaken the means. I don't believe there is any real security risk from allowing them to name the file so long as it does not include a file path (don't want them overwriting a sys file). Other than that, I don't think that a threat exists; the OS will limit the size and characters allowed in the actual file name itself. If no content is written, I can't think of any way they can get it in there otherwise.
Aside from that, just make sure they are not overwriting a file they shouldn't be allowed to overwrite.
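
An added example, not part of any post in this thread: one way in PHP to apply the advice above when only the filename comes from `$_GET` (no path components in the name, no overwriting of existing files, no execute bit, storage outside the document root). `DATA_DIR`, `safeDatPath` and `createMarker` are hypothetical names, the directory path is an assumption, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Assumed storage location outside the document root (hypothetical path).
const DATA_DIR = '/var/app-data/markers';

/** Map an untrusted name to a path under $dir, or return null if rejected. */
function safeDatPath(string $dir, $raw): ?string
{
    // ?name[]=x arrives as an array; accept plain strings only.
    if (!is_string($raw)) {
        return null;
    }
    // Allowlist: letters, digits, underscore, hyphen; 1 to 64 characters.
    // This excludes "/", "\", "..", NUL bytes, "://" and whitespace,
    // so neither a path nor a URL wrapper can reach fopen().
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw) !== 1) {
        return null;
    }
    return rtrim($dir, '/') . '/' . $raw . '.dat';
}

/** Create an empty file for the given name; never overwrite an existing one. */
function createMarker(string $dir, $raw): bool
{
    $path = safeDatPath($dir, $raw);
    if ($path === null) {
        return false;
    }
    // Mode "x" fails if the file already exists, so nothing is overwritten.
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        return false;
    }
    fclose($fh);
    chmod($path, 0640); // read/write only, no execute bit
    return true;
}

// In a request handler: createMarker(DATA_DIR, $_GET['name'] ?? null);

// Constructed sample inputs showing which names are accepted.
foreach (['report_01', '../../etc/passwd', 'http://example.com/x', 'a/b', ''] as $name) {
    printf("%-26s %s\n", var_export($name, true), safeDatPath(DATA_DIR, $name) ?? 'REJECTED');
}
```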