security without inconvenience



Daisy Cutter
Forum Commoner
Posts: 75
Joined: Sun Aug 01, 2004 9:51 am

security without inconvenience

Post by Daisy Cutter »

I have my page set up so that all the URLs are like http://kafene.org/index.php?url=http:// ... g/main.php. Google won't index these, so it's a major pain. Mod_rewrite helps some but the blog archives are stuck like this (blogger's fault).

Is there a way to make it so that scripts can't be embedded and all URLs automatically are executed for kafene.org?

What I'm saying is if I tried to go to http://kafene.org/index.php?url=http:// ... _script.pl it would attempt to go to that file ("http://badsite.net/malicious_script.pl") on my own domain rather than bring in a remote one?

And also so that if someone put in index.php?url=<? it would attempt to go to the file <?.

This way I can get google-compatible PHP URLs (it doesn't mind index.php?url=42, it's the including domains that throw it off)...

Thanks!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

use pathinfo() or a regular expression to dig the domain name out of the url specified. compare it against your domain.. kill the page if mismatched.

you could also convert the passed location to a local path.. then just make sure the include doesn't handle non-local urls..

third option: modify the blogging script to fix this error in judgment.
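One way to implement the second option above (turn the passed location into a local file and never hand a URL to include). This is an added example, not code from the thread; it assumes the pages live under a pages/ directory next to index.php, that legacy links look like http://kafene.org/blog/main.php, and that only .php and .html files should be served:

```php
<?php
// Added example (not from the thread): map the ?url= parameter onto a file
// under a fixed directory instead of passing it to include/require.
// Assumed layout: pages live in $baseDir; legacy links may carry the full
// site URL (http://kafene.org/blog/main.php); only .php/.html are allowed.

function resolve_local_page(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // Legacy links include the site URL: keep only the path when the host
    // is ours; anything else that looks like a URL is refused outright.
    $parts = parse_url($requested);
    if ($parts === false) {
        return null;
    }
    if (isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        $host = strtolower($parts['host'] ?? '');
        if (!in_array($host, ['kafene.org', 'www.kafene.org'], true)) {
            return null;   // remote location: never fetched, never included
        }
        $requested = $parts['path'] ?? '';
    }

    // Only a plain relative path ending in .php or .html is acceptable;
    // this also rejects values like "<?" or "42" that name no file.
    if (!preg_match('#\A[A-Za-z0-9_./-]+\.(php|html)\z#', $requested)) {
        return null;
    }

    // realpath() collapses "../" and symlinks; the result must stay under $base.
    $candidate = realpath($base . '/' . ltrim($requested, '/'));
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

$page = resolve_local_page($_GET['url'] ?? 'main.php', __DIR__ . '/pages');
if ($page === null) {
    http_response_code(404);
    echo 'unknown page';
    exit;
}
require $page;   // always a checked local file at this point
```

With this in place a request such as index.php?url=http://badsite.net/malicious_script.pl ends in the 404 branch, while index.php?url=blog/main.php and the old full-URL form both resolve to the same file under pages/.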
Daisy Cutter
Forum Commoner
Posts: 75
Joined: Sun Aug 01, 2004 9:51 am

Post by Daisy Cutter »

I am the world's largest fool.

Code: Select all

<?php include("http://kafene.org/$url") ?>

DOH!

I had had:

Code: Select all

<?php
// Check the host of the requested URL, then require the URL itself.
// Because the value still begins with http://, this require is a remote
// include: the host check on its own does not make it a local file.
if (!empty($_GET['url'])) {
  $var = parse_url($_GET['url']);
  $host = isset($var['host']) ? $var['host'] : '';
  if ($host == 'kafene.org' || $host == 'www.kafene.org') {
    // the original used $url, which only exists with register_globals on
    require $_GET['url'];
  } else {
    echo 'you can only include URLs on kafene.org';
  }
}
?>