PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
PostPosted: Tue Oct 11, 2011 6:04 pm 
Forum Contributor

Joined: Tue Feb 16, 2010 6:39 pm
Posts: 254


PostPosted: Fri Oct 21, 2011 3:34 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
For a start, show us the unsuccessful attempt at CSS, not just the working one for JS :)

Should look like this:
<link rel="stylesheet" type="text/css" href="..." />

Also, you must be aware that unless you do some checks in getQueryVar (and you shouldn't, it's not the right place for it) your script will gladly serve any file the PHP user has access to.


PostPosted: Fri Oct 21, 2011 8:44 am 
Forum Contributor

Joined: Tue Feb 16, 2010 6:39 pm
Posts: 254
I ended up figuring it out, just forgot to post here. For anyone who is interested, you have to put "content-type:text/CSS" as well as "charset=UTF8" in your header. I was neglecting the charset and thus the browsers weren't recognizing the files as CSS.

And yeah, this is just meant to serve files that everyone would have access to anyway. Instead of keeping them on each client's public HTML folder, I'm avoiding duplicates and making it easier for me to make changes by just serving the files from a single non-web-accessible folder on the server. The only things in that folder are client-side loading files like JavaScript and CSS.


PostPosted: Fri Oct 21, 2011 8:57 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
No. I mean *every* file. The one with your database password, your code, the .htpasswd, everything. Try it with &file=../index.php or whatever


PostPosted: Fri Oct 21, 2011 9:28 am 
Forum Contributor

Joined: Tue Feb 16, 2010 6:39 pm
Posts: 254
My view class automatically adds "includes/" to the front of the value of the file variable, so unless I'm really confused somewhere, they can only access files in the includes folder, which are files they'd be able to see anyway. Like, saying "file=index.php" would take them to /includes/index.php. If there are no sensitive files in that folder, then I shouldn't have to worry about that, right?


PostPosted: Fri Oct 21, 2011 9:30 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
../../secret/stuff


PostPosted: Fri Oct 21, 2011 9:57 am 
Forum Contributor

Joined: Tue Feb 16, 2010 6:39 pm
Posts: 254
Right, I get that, but whatever they put in there will always take them to the root directory, then the includes folder, then whatever they type. So even trying to access ../../db.php would just try to call the contents of /var/root/application/includes/../../db.php. Can using relative paths like that work even when there is an absolute path in front of it?


PostPosted: Fri Oct 21, 2011 10:00 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Yes. Try it.


PostPosted: Fri Oct 21, 2011 10:25 am 
Forum Contributor

Joined: Tue Feb 16, 2010 6:39 pm
Posts: 254
Well, you learn something new every day. Say I want to keep these files in a central location, what do you suggest? I could always just put them in a web-accessible location and not serve them through a gateway like this one, but I'm curious about other ideas. I'll be brainstorming here on my end as well. Thanks for pointing that out, I never really thought about that.

Edit: if I just filter out any references to relative location on the filesystem, are there any other potential security issues I could run into? Essentially I just have to prevent them from getting outside the includes folder.


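As an added example (not the original poster's view class or any code from this thread), here is a PHP gateway that addresses both points raised above: it resolves the requested name with realpath() and serves the file only when the result still lies inside the includes directory, and it sends the Content-Type header with a charset. INCLUDES_DIR is a placeholder built from the path mentioned in the thread, and the "file" query parameter name is assumed from the discussion.

```php
<?php
// Added example, not the thread's own view class: a gateway that serves a
// file only if it physically lives inside the includes directory.
// INCLUDES_DIR is a placeholder path taken from the thread.
const INCLUDES_DIR = '/var/root/application/includes';

// Permitted extensions and the Content-Type (with charset) to send for each.
const ALLOWED_TYPES = [
    'css' => 'text/css; charset=UTF-8',
    'js'  => 'application/javascript; charset=UTF-8',
];

// Return the absolute path of $requested if it resolves to a regular file
// inside $baseDir, otherwise null (traversal, symlinks out, missing files).
function resolveInsideBase(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '') {
        return null;
    }
    // Null bytes and absolute paths are never legitimate asset names.
    if (strpos($requested, "\0") !== false || $requested[0] === '/') {
        return null;
    }
    // realpath() collapses ".." and symlinks, so includes/../../db.php
    // becomes /var/root/db.php and fails the prefix test below.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Compare with the trailing separator so "/includes-old" is not "/includes".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}
// Look up the response type by extension; unknown extensions are refused.
function contentTypeFor(string $path): ?string
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return ALLOWED_TYPES[$ext] ?? null;
}
// Only accept a plain string; file[]=x would arrive as an array.
$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolveInsideBase(INCLUDES_DIR, $requested);
$type = $path !== null ? contentTypeFor($path) : null;
if ($type === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $type);
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Stripping ".." from the string, as the last post considers, is weaker than this check: a symlink inside includes/ can still point outside the folder, and comparing the realpath() result catches that too.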