Sanitizing include($_GET['filename'])
Posted: Fri May 04, 2007 8:13 am
Hey guys,
As Maugrim pointed out in this thread, my Suite Tester has no sanitation in the include statement. But I'm not sure what to do about it.
Checking it against a list of OK files isn't ideal, because that list of files is stored as a JavaScript array.
I suppose I could splatter warnings everywhere about password-protecting the directory, but that's less than ideal too. I know many people won't. People like me.
Does anyone else have any ideas?
My code as it stands:
    function SuiteTester_TestRunner($test_file) // $test_file is raw $_GET input
    {
        // PHP4-style constructor: call the parent TestSuite constructor first
        $this->TestSuite();
        // Snapshot the declared classes so we can tell which ones the include adds
        $existing_classes = get_declared_classes();
        // The unsanitised include: whatever the request supplied is loaded as PHP
        include($test_file);
        // Any classes that appeared since the snapshot are candidate test cases
        $classes = $this->_selectRunnableTests($existing_classes, get_declared_classes());
        if ( $this->noRunnableTests($classes) )
        {
            $this->addTestCase(
                new SuiteTester_BadTestSuite($test_file,
                    "Something is wrong with " . $test_file . ". It may be MISSING, or simply have no runnable test cases.")
            );
        }
        else
        {
            $this->addTestCase(
                $this->_createGroupFromClasses($test_file, $classes)
            );
        }
    }
Where do you guys suggest I head with this?
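One way to close the hole before the include runs, as an added example that is not the original poster's code and not part of Suite Tester: accept only a bare file name, require a .php extension, optionally check it against an explicit allow list, then canonicalise with realpath() and confirm the result still lives under the test directory. The directory name, the helper name resolveTestFile(), and the sample inputs below are assumptions made for the demo.

```php
<?php
// Added example (not from the original post or the Suite Tester project):
// confine a user-supplied test file name to a fixed directory before including it.
// The directory, helper name and sample inputs are assumptions for the demo.

declare(strict_types=1);

/**
 * Resolve $requested to an absolute path inside $baseDir, or return null.
 *
 * Rules:
 *  - only a bare file name is accepted (no directory separators, no "..")
 *  - the name must match a conservative character set and end in .php
 *  - the resolved path (after symlinks) must still sit under $baseDir
 *  - optionally, the name must be in an explicit allow list
 */
function resolveTestFile(string $requested, string $baseDir, ?array $allowList = null): ?string
{
    // 1. Syntactic check: letters, digits, underscore, dash, dot; must end in .php.
    //    This rejects "../", NUL bytes, URL schemes ("http://") and "php://filter" outright.
    if (!preg_match('/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.php\z/', $requested)) {
        return null;
    }

    // 2. Optional allow list: if the exact set of valid test files is known,
    //    membership is the strongest check available.
    if ($allowList !== null && !in_array($requested, $allowList, true)) {
        return null;
    }

    // 3. Canonicalise both sides and confirm containment. realpath() returns false
    //    for files that do not exist, which also covers the "MISSING" case.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $base, strlen($base)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed fixtures for the demo: one real test file and one non-test file.
$testDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'suite_tester_demo';
@mkdir($testDir, 0700, true);
file_put_contents($testDir . '/FooTest.php', "<?php\nclass FooTest {}\n");
file_put_contents($testDir . '/secret.txt', "not a test\n");

// Constructed inputs: one legitimate name and the usual abuse patterns.
$attempts = [
    'FooTest.php',                                                  // legitimate
    '../../../etc/passwd',                                          // directory traversal
    'php://filter/read=convert.base64-encode/resource=index.php',   // stream wrapper
    'http://attacker.example/shell.txt',                            // remote include
    'secret.txt',                                                   // wrong extension
    "FooTest.php\0.txt",                                            // NUL truncation attempt
    'NoSuchTest.php',                                               // missing file
];

foreach ($attempts as $name) {
    $resolved = resolveTestFile($name, $testDir, ['FooTest.php']);
    printf("%-62s => %s\n", addcslashes($name, "\0"),
        $resolved === null ? 'REJECTED' : 'ok: ' . $resolved);
}

// The include happens only after resolution, and only with the canonical path.
$safe = resolveTestFile($_GET['filename'] ?? 'FooTest.php', $testDir, ['FooTest.php']);
if ($safe === null) {
    echo "Bad test file name\n";
} else {
    include $safe;
    echo class_exists('FooTest', false) ? "FooTest loaded\n" : "no test class found\n";
}
```

The allow list is optional here because the poster's list of valid files is kept as a JavaScript array; one way around that is to keep the list in a PHP array and have the page emit the JavaScript from it, so the same array feeds both the menu and the check. Even without an allow list, the bare-name regex plus the realpath() containment check already stops traversal, wrapper and remote includes, which is the class of problem an unchecked include($_GET['filename']) exposes.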