Is this page include function secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Is this page include function secure?

Post by nickvd »

I'd appreciate it if someone could check this tiny function for any holes that I can't think of.

Code: Select all

function getPage($page, $default="about", $ext=".html") {
   if (!$page || !file_exists("./".$page.$ext)) $page=$default;
   return $page.$ext;
}
It's use is probably quite obvious. I use it for selecting the page to be included on the main index page by $_GET. This way, only one page containing the layout of the site is needed. I know that using a switch would be 100% secure, however on some sites that i design, there are dozen's of pages that need to be linked to, and doing it this way saves typing :)

usage: <link>/index.php?page=blah

Code: Select all

include(getPage($_GET['page']));
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

it's quite possibly insecure. I could include a file you don't necessarily want to include, or if you provide an upload area I could introduce a properly encoded file that'd run like a normal script.

I'd recommend having a known list of valid, safe files to include, and use that..
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

I know that that is the major cause of insecurities in scripts like this, but I figured that since i'm checking if the file submitted exists (including the extention that wont be known to the "attacker") anything that they submit wont exist unless they know the file on the server including the extention...
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

overall, it'd probably be very simple to figure out what files you are normally including. If you didn't use include, opting for file_get_contents() for instance, you would avoid running any php code that is in the file.

For the most part, never trust anything that can come from the user.
Post Reply