[nycphp-talk] Friendly URL's
Mike Brittain
mike at mikebrittain.com
Fri Nov 25 19:33:41 EST 2005
>> Stefan Klopp wrote:
>> Now again this works for my current app, however I
>> very much fear doing a dynamic include. Can anyone
>> think of a better way to handle this?
> Mikko Rantalainen wrote:
> I'd fear the dynamic include also. For example, even the above
> implementation a has possible security issue. If the user sends HTTP
> request "GET /script.php/../file.css" you would end up with
> $extra_path = ".." and $file = "file.css" and you would include
> "../file.css", which I guess wouldn't be always safe.
Make sure that if you use this PATH_INFO approach that you carefully
clean up the "input". I found when doing this recently that a user can
include quite a lot in the URL without the script being aware of
troublesome stuff in the PATH_INFO. For example...
/script.php/../../more/info/
/script.php/var1////var2/
Whether or not either of these might be trouble depends entirely on what
data your script is expecting between the forward slashes that you get
from preg_split. Make sure that the input closely matches what you're
expecting -- if it's supposed to be a numeric database ID, make sure
that the data is ONLY numbers. If it's a filename, make sure that it
cannot be used to traverse your filesystem, etc.
Mike
--
Mike Brittain
ID Society, Inc.
www.idsociety.com
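As an added example (not code from the original thread or its authors), here is one way to apply Mike's advice in PHP: split PATH_INFO, insist that every segment matches exactly what the script expects, and dispatch through a fixed map rather than a raw include. The function name, the per-segment patterns and the view map are assumptions.

```php
<?php
// Added example, not from the original post. Requires PHP 7.1+ (nullable
// return type). Names and patterns below are hypothetical.

/**
 * Split PATH_INFO into segments and check each one against the anchored
 * pattern the script expects. Returns the segments, or null on mismatch.
 *
 * @param string   $pathInfo  raw $_SERVER['PATH_INFO'], e.g. "/42/report"
 * @param string[] $patterns  one regex body per expected segment, in order
 */
function parse_path_info(string $pathInfo, array $patterns): ?array
{
    // Reject control characters and non-ASCII up front; a path that needs
    // them is not one this script expects.
    if (!preg_match('/^[\x20-\x7e]*$/', $pathInfo)) {
        return null;
    }
    // preg_split keeps empty segments, so "/var1////var2/" shows up as
    // empty strings instead of silently collapsing to two segments.
    $segments = preg_split('#/#', trim($pathInfo, '/'));
    if (count($segments) !== count($patterns)) {
        return null;                 // too few or too many segments
    }
    foreach ($segments as $i => $seg) {
        // Anchored match with /D: "..", "", "a/b" and trailing newlines all
        // fail, because the whole segment must fit the pattern.
        if ($seg === '' || !preg_match('/^' . $patterns[$i] . '$/D', $seg)) {
            return null;
        }
    }
    return $segments;
}

// Assumed contract: a numeric database ID followed by a short name token.
$rules = ['[0-9]{1,10}', '[A-Za-z0-9_]{1,32}'];

$good = parse_path_info('/42/report', $rules);         // well-formed input
$trav = parse_path_info('/../../more/info/', $rules);  // traversal attempt
$dbl  = parse_path_info('/var1////var2/', $rules);     // doubled slashes

// Even validated segments never become an include path directly: map the
// name to a file under a fixed directory, and refuse anything unmapped.
$views = ['report' => 'report.php', 'summary' => 'summary.php'];
if ($good !== null && isset($views[$good[1]])) {
    $target = __DIR__ . '/views/' . $views[$good[1]];
    // include $target;   // hypothetical dispatch point
}
```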