  1. #1
    Regular Coder
    Join Date
    Apr 2004
    Posts
    682
    Thanks
    24
    Thanked 1 Time in 1 Post

    fopen security - creating files

    I'm just wondering if there are any security issues to consider when you're creating files from the input of a $_GET variable?

    Btw.... I will be appending a ".dat" extension to the filename & won't be putting any data in the file so I assume there aren't problems here right? I'm just wondering about the possibility of someone putting in a URL or something.

    Thank You!
    Last edited by cyphix; 04-01-2010 at 03:05 PM.

  • #2
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,979
    Thanks
    4
    Thanked 2,659 Times in 2,628 Posts
    What happens if input includes an executable shebang line followed by processing code? Linux doesn't really care what the file extension is, only what it tells it it's allowed to do.
    User input is never trustworthy. Depending on how you create the file and how PHP is configured, it's possible that a URL file can be provided, opened, parsed, and stored as its result. This is a huge danger.
    Even allowing something like an image upload can be a threat. Script files can masquerade as other types, and if you allow this to be published publicly this will allow someone to execute say a .jpeg file as a .sh file if proper checks have not been performed.
    First and foremost, always move any user provided files to a sandboxed directory above your public_html / document root, whatever directory that Apache & PHP can access, but is not a published directory. This will help to limit the problems with executable file uploads. Also, make sure that chmod is run with -x for all types to eliminate executable privileges (open to at most 666, not 777).
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #3
    Regular Coder
    Join Date
    Apr 2004
    Posts
    682
    Thanks
    24
    Thanked 1 Time in 1 Post
    Well it's actually a file that a user shouldn't be using.... but I'm asking just in case a sneaky user stumbles across it & decides to have some fun with it.

    So you're saying that even if I am not putting any of the user content IN the file & ONLY in the filename it's still a hazard?

  • #4
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,979
    Thanks
    4
    Thanked 2,659 Times in 2,628 Posts
    Perhaps I have mistaken the means. I don't believe there is any real security risk from allowing them to name the file so long as it does not include a file path (don't want them overwriting a sys file). Other than that, I don't think that a threat exists; the OS will limit the size and characters allowed in the actual file name itself. If no content is written, I can't think of any way they can get it in there otherwise.
    Aside from that, just make sure they are not overwriting a file they shouldn't be allowed to overwrite.
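
    One way to enforce the two conditions from post #4 (no file path in the name, no overwriting of an existing file) when the name comes from a $_GET variable. This is an added example, not code from the thread; the function name `create_dat_file`, the character allow-list, the 0640 mode and the demo directory are assumptions.

```php
<?php
// Added example: hypothetical helper and directory names, not from the thread.
declare(strict_types=1);

/**
 * Create an empty "<name>.dat" inside $baseDir from an untrusted name.
 * Returns the created path, or null if the name is rejected or the file exists.
 */
function create_dat_file(string $baseDir, string $rawName): ?string
{
    // Allow-list: 1-64 chars of letters, digits, '_' or '-'. This rejects
    // path separators, "..", NUL bytes, dots and "scheme://" URL wrappers.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $rawName) !== 1) {
        return null;
    }

    // Resolve the storage directory once; it should sit outside the document root.
    $dir = realpath($baseDir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    $path = $dir . DIRECTORY_SEPARATOR . $rawName . '.dat';

    // Mode 'x' creates the file and fails if it already exists (O_EXCL),
    // so an existing file is never truncated or overwritten.
    $handle = @fopen($path, 'x');
    if ($handle === false) {
        return null;
    }
    fclose($handle);
    chmod($path, 0640); // no execute bits
    return $path;
}

// Constructed demonstration inputs; real use would pass $_GET['name'].
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dat_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$inputs = ['report1', '../../etc/passwd', 'http://example.com/x', 'a/b', "evil\0name", 'report1'];
foreach ($inputs as $name) {
    $result = create_dat_file($dir, $name);
    printf("%-24s => %s\n", json_encode($name), $result === null ? 'rejected' : 'created');
}
```

    Only the first `report1` is created; the second is rejected because the file already exists, and the other names fail the allow-list.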

  • #5
    Regular Coder
    Join Date
    Apr 2004
    Posts
    682
    Thanks
    24
    Thanked 1 Time in 1 Post
    Excellent - thank you!

